In 2021 we predict
A 70% increase in monetary fines issued by the Information Commissioner.
The picture in 2020
- The Information Commissioner’s Office (“ICO”) issued its first major post-GDPR fines, all for failings connected to network attacks – British Airways (£20m), Marriott (£18.4m) and Ticketmaster (£1.25m).
- CJEU ruled in Schrems II that businesses can no longer rely on the EU / US Privacy Shield for transferring personal data to the US.
- A move to remote working has put emphasis on greater data and network security measures.
- COVID-19 contact tracing activities by companies have led to heightened risk in data processing.

Looking ahead to 2021
- The ICO will accelerate its enforcement activity with a significant increase in monetary penalties.
- Data controllers will need to justify their arrangements for data transfers to the US and, absent a post-Brexit adequacy decision, for UK/EU data transfers.
- Companies will face regulatory and employee scrutiny over the collection and retention of contact tracing data.
- Increased regulatory activity will be mirrored by activity in the courts, complaints, DSARs, etc.
What does this mean?
Companies should continue to treat data protection and network security as a priority, and ensure they are clear on the basis that data transfers take place.
All sectors are subject to ICO regulation. Dual regulated firms should remember that other regulators, such as the FCA, also place a strong emphasis on data protection and network security.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.
Key contacts
If you have any questions, contact a member of the Data protection team for assistance:
