Millions of pounds worth of penalties for data misuse were handed out in the UK last year including to a Scottish company hit with the maximum fine of £500,000 for making almost 200 million nuisance calls.

The Information Commissioner’s Office (ICO) issued 17 final civil monetary penalties totalling over £42 million to UK companies for breaches of Data Protection Act (DPA) and Privacy and Electronic Communications Regulations Act (PECR).

The ICO’s ‘work to recover fines’ report was analysed by the Parliament Street Think Tank – one of the UK’s leading research organisations – which reveals a catalogue of fines issued across a variety of sectors.

The largest fine issued by the ICO in 2020 was given to British Airways in the transport and leisure sector on 16 October 2020 at a total of £20 million for a breach of DPA. This is followed by a fine of £18,400,000, issued to Marriott International Inc on 30 October 2020, also for a breach of the DPA.

The next largest was to Ticketmaster LTD, with a fine totalling £1.25 million for data breaches on 13 November 2020.

The industry hit with the biggest fines was marketing with nine fines in total issued, followed by three fines issued to firms in the transport and leisure sector.

Additionally, the ICO issued three court orders for winding-up upon petitions in 2020. A winding-up order is a court order that forces an insolvent company into compulsory liquidation in order to liquidate all of the company’s assets to repay creditors. 

Additionally, there were eight directors disqualified following ICO enforcement action in 2020. These directors have been disqualified for a number of years for conduct while acting for various companies.

Clydebank Business Park firm CRDNN Limited was raided by the ICO in March 2018, with computer equipment and documents seized for further analysis of their nuisance call operation.

They were subsequently fined £500,000 on 2 March 2020 for breaches of PECR when the investigation found they were making 1.6 million automated cold calls per day about window scrappage, debt management, and conservatory and boiler sales between 1 June and 1 October 2018.

CRDNN Limited came to the attention of the ICO when more than 3,000 complaints were made about the nuisance calls.

Charlie Smith, Consultant Solutions Engineer, Barracuda Networks, said: “In today’s digital working environment, data security, recovery and protection is of vital importance. Unfortunately, it has become apparent that many business owners, workers and consumers are not aware of the need for backup and recovery services for their email service providers. Our own research even revealed that 40% of Office 365 users believe that Microsoft provides everything they need to protect their data and software.

“Whilst Office 365 does offer some level of security, even Microsoft suggests using a third party backup to ensure that data is fully protected and retrievable. Without it, organisations can be left prone to accidental data loss and even ransomware attacks.

 “Thus moving forward, organisations should invest in a third-party data backup solution that runs in the cloud, to enable seamless, efficient and comprehensive backup of data on a granular level – allowing lost, stolen or misplaced data to be restored without delay.”