British Pounds bills and judge hammer with police handcuffs on court desk showing GDPR fines

Issuing GDPR Fines Is One Thing, Collecting Them Is Another; UK ICO Struggling To Enforce Actions as 74% Of Penalties Remain Unpaid

The UK’s Information Commissioner’s Office (ICO) has not been afraid to issue some heavy General Data Protection Regulation (GDPR) fines to the likes of Google, British Airways and Marriott for their assorted data leaks and breaches in recent years. Issuing a GDPR fine is just the first step, however; at some point it needs to be collected, or the process is meaningless.

That second part is apparently where ICO is running into some serious difficulty, with 74% of the GDPR fines issued by the agency since the start of 2020 remaining unpaid. TheSMSWorks has collected numbers that indicate the problem is tilted more to smaller companies than larger ones, with SMS and phone spammers frequently dragging out the appeals process for years or simply outright refusing to pay.

UK ICO struggles to collect GDPR fines as enforcement process can stretch on for years

The data builds on a similar study conducted by TheSMSWorks last year, which had found that 68% of UK GDPR fines issued since January 2019 had not been collected.

But in both cases, the data indicates that the international mega corporations that are receiving the biggest fine amounts are not a proportionally large part of the problem. Most of these companies have arranged installment payment plans for their GDPR fines that they are thus far adhering to (such as British Airways). The study does not count large fines that are currently on an installment plan in which payments are being made.

The problem lies mostly with smaller companies that are in the spam messaging game, which was also the theme in 2019. Since the start of 2020, ICO has issued 47 qualifying fines and collected on only 19 of them. Only £1.81 million of an expected £7 million in GDPR fines has been recovered. Of these, 82.4% are fines assessed for SMS spam.

Phone spam and nuisance calls is also an area where GDPR fines are rarely collected. The leading category is home improvement marketing, in which cold callers were fined for offering services that homeowners had not solicited.

Most industry sectors have a poor rate of paying their GDPR fines, however, with most having at least a 50% delinquency rate. The one group that is punctual about paying their fines is the charity sector; non-profit assistance groups have paid 100% of the fines assessed to them to date.

How UK companies dodge GDPR fines

So how are all of these companies managing to duck and dodge their GDPR fines? There are several techniques.

One is an appeals process that apparently can be drawn out for years. Every entity that is fined is entitled to an appeal. At least one company, an Eldon Insurance, that was fined £60,000 for email spam in early 2019 is still mired in the appeals process nearly three years later.

Others simply shut down and reform under a new name. TheSMSWorks referred to this process as “phoenixing” in their 2019 report. This approach apparently has mixed results, but does appear to be working for some companies that retain their original staff (and sometimes the same business address) under a new name. Companies that liquidate can gain legal protections that prevent them from being fined, but ICO also sometimes has the option of going after business directors and holding them personally liable when this is done. This is not a tactic that is usually one of the agency’s first choices, however; aside from the bad PR that can come from trying to bankrupt relatively small fish that have cut ties from the business, the agency sometimes spends much more money in the legal pursuit than they recoup from the fine payment.

And others simply refuse to pay and carry on with their business. The data finds that when GDPR fines exceed £100,000, it greatly increases the chances of a company simply ignoring it.

The study also notes that some of the companies that were fined did not engage in malicious attempts to violate GDPR terms. Some sent out what they thought were legitimate SMS or email marketing campaigns, but were unknowingly in technical violation of an aspect of the GDPR. One example that they cite is a mobile network operator that sent SMS marketing messages to customers but did not adhere to the correct opt-in rules when doing so. The company made an effort to honor customer preferences about communications, but apparently did not understand exactly what the GDPR required.

ICO has been steadily more active in handing out GDPR fines since 2019, though it has not come near the peaks it hit in 2017 and 2018 as of yet. The agency hands out the largest number of fines to the home improvement and finance industries; other industries with significant amounts include claims management and, surprisingly, charity and public sector organizations.