The value of the average data breach fine in the UK doubles in one year

The average value of fines issued by the UK’s data watchdog doubled over the last year to reach £146,000, according to new figures released today by City law firm RPC.

Additionally, the total value of fines imposed by the Information Commissioner’s Office (ICO) in the twelve months to 30 September 2018 rose to just under £5m. This was a rise of 24 per cent compared to 2017’s close.

The year was earmarked by several major data breach fines in the UK, including credit reporting agency Equifax which was issued the maximum £500,000 fine last month. The firm failed to protect 15m people in the UK whose personal details, such as dates of birth, driving licences and passwords, were stolen in a cyber attack in 2017.

Facebook, which was also hit with a maximum penalty by the ICO last week, was not included in the analysis due to the issue date falling outside of the reporting period,

“A doubling in the average size of a fine should serve as a wake-up call to businesses. However, political pressure is mounting.” said Richard Breavington, a partner at RPC.

The implementation of the EU’s General Data Protection Regulation (GDPR) in May has switched up the rulebook for all attacks which occurred after that date, and those in the future. Under GDPR, the ICO can impose fines of up to €20m (£17.8m), or 4 per cent of annual global turnover.

The ICO issued its first enforcement notice under the new rules in September, to Canadian firm AggregateIQ for its role in the data leak of up to 87m Facebook users. The firm has appealed the penalty.

AggregateIQ allegedly used such data to sway voters on either side of the 2016 EU referendum.