The number of companies in the UK fined for data breaches went from 18 to 35 while the fines themselves have almost tripled since 2014. There was also an increase in the ICO's issuing of enforcement notices from 9 to 23.
The trend of more and harsher fines by the ICO appears to be continuing this year as Gloucester City Council were fined £100,000 in June for a data breach that occurred in July 2014. The breach took the form of a hack into the council's mailbox through its website in which 30,000 emails containing the personal information of staff were downloaded.
These developments coincide with the one year countdown to the General Data Protection Regulation (GDPR) which will take effect in May 2018 and will further empower the ICO, the Irish Data Protection Commissioner and other European authorities to increase fines and make use of investigatory powers.
While the ICO has been empowered to issue fines since 2010, the GDPR will provide the Irish Data Protection Commissioner with this power for the first time.
Additionally, and following the National Health Service's recent cybersecurity vulnerability in the wake of the wannacry ransomware attack, research indicates data breaches in the health sector in particular are on the increase.
The ICO's total figure of £3.245m in fines is rivalled in Europe only by Italy (€3.3m) while US data breach fines dwarf this figure at $250m for 2016. However, fines across the EU will significantly increase as the GDPR provides for fines of up to 2% of annual turnover or €10m and up to 4% of global annual turnover or €20m.
The UK Information Commissioner Elizabeth Denham has promised harsher penalties in future for non-compliance. According to Denham, the implementation of the new regulatory powers of the GDPR will require a 40% increase in staff numbers for her office in the next two years.
Similarly, in Ireland, the recent General Scheme for the Data Protection Bill 2017 has highlighted that the GDPR will lead to an increase in "resource intensive" cases. The Scheme envisions the possible appointment of three Data Protection Commissioners (DPC), along with an increase of staff at the DPC already underway, to meet this challenge.
Factors which could compound these challenges for the Office of the Data Protection Commissioner include the possible shift of data processing business traffic to Ireland due to Brexit.
While some of the mechanics of how the data supervisory authorities will operate in Ireland and the UK are still being determined, it is clear already that enforcement and fines will only increase under GDPR.