Home / News & Resources / News & Updates / The Cost of a Data Breach: Over £15.5 Million GDPR Fines Paid Out by UK Businesses Between 2023-24

The Cost of a Data Breach: Over £15.5 Million GDPR Fines Paid Out by UK Businesses Between 2023-24

  • Posted on

Hayes Connor has conducted an in-depth analysis of recent breaches of the General Data Protection Regulation (GDPR) to assess the financial impact on local businesses throughout the UK. The financial penalties described in each case highlight the critical importance of robust data protection measures in safeguarding personal information and ensuring its responsible usage.

The research uncovered some shocking instances of negligence. In one case, highly sensitive information, including the names of people with HIV, was exposed in emails that weren’t properly 'bcc'd'. Another case involved an extremely vulnerable pensioner with memory loss who was mis-sold various insurances after being contacted without consent, resulting in a loss of between £15,000 and £20,000.

Businesses in major locations such as Manchester, London, Lancaster, Cardiff, Bournemouth, Essex, and Berkshire have received monetary penalties from the ICO between 2023 and 2024, resulting in a total of £15,537,500 in fines.

These findings emphasise the importance of the public reporting such nuisance cases to organisations like the Information Commissioner's Office (ICO) and the Telephone Preference Service (TPS). Often, these reports are enough to trigger an investigation into whether companies are complying with the law.

Here, we will take a deep dive into the 27 instances of monetary penalties received by UK businesses to ascertain the cost of a data breach.

What is GDPR?

The General Data Protection Regulation (GDPR) is a major data protection law enacted by the European Union (EU) that became enforceable on May 25, 2018. It aims to protect the personal data and privacy of individuals within the EU and the European Economic Area (EEA). GDPR also regulates the transfer of personal data outside these regions, impacting organisations worldwide that deal with EU residents' data.

GDPR outlines several key principles for processing personal data, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and ensuring data security. These principles ensure that personal data is handled responsibly and securely.

Individuals have specific rights under GDPR, including the right to access their data, correct inaccuracies, request deletion, restrict processing, and transfer their data to another service. They can also object to certain data processing activities and have protections against automated decision-making.

Organisations processing personal data must comply with various obligations, such as implementing data protection measures by design, conducting data protection impact assessments for high-risk activities, and promptly reporting data breaches. In some cases, they must appoint a Data Protection Officer (DPO) to oversee compliance.

Non-compliance with GDPR can result in substantial fines of up to €20 million or 4% of the organisation's global annual revenue. This regulation sets a high standard for data privacy and has influenced data protection laws worldwide.

Examples of How a Business Can Mistreat Your Personal Information

Businesses in the UK can misuse personal information in several ways, potentially breaching GDPR laws. Here are a few examples:

Unauthorised Data Sharing

Sharing personal data without consent is a common breach. For instance, if a company shares customer email addresses with third-party advertisers without obtaining explicit consent, it violates GDPR.

Example: An online retailer shares its customer email list with a marketing firm without informing customers or getting their consent.

Insufficient Data Security

Failing to protect personal data with adequate security measures can lead to breaches. For example, storing sensitive customer data in unsecured systems makes it vulnerable to hacking.

Example: A healthcare provider stores patient records on an unencrypted server, which gets hacked, exposing sensitive medical information.

Inadequate Transparency

Not informing individuals about how their data is being used is another breach. Businesses must be transparent about data processing activities.

Example: A mobile app collects location data from users without clearly informing them or explaining how the data will be used.

Data Retention Issues

Keeping personal data longer than necessary can also breach GDPR. Businesses should only retain data for as long as it is needed for the specified purpose.

Example: A recruitment agency keeps personal details of job applicants for years after the position has been filled without any legitimate reason.

Ignoring Data Subject Rights

Failing to respect individuals' rights to access, correct, or delete their data is a serious breach. Businesses must respond promptly to such requests.

Example: An online service provider ignores requests from users to delete their personal data from the company's database.

2023-24 Case Studies of ICO Monetary Penalties Due to Breaches of GDPR

All cases where there was a monetary penalty are detailed on the ICO’s website. Here, we’ve broken the information down by the area in which the business is situated, along with the company name, fine amount and reasoning for the penalty.

Manchester Monetary Penalties for GDPR Breaches

Name of Business Penalty Issued Reason for Penalty
Fortis Insolvency Limited  £30,000 Fortis Insolvency Limited sent 558,354 direct marketing SMS messages without valid consent with 527,481 received by subscribers between 26 July 2020 and 26 July 2021 in contravention of regulation 22 of PECR.
RHAP Ltd  £65,000 RHAP Ltd made 15,288 marketing calls to individuals in breach of regulation 21 of PECR.
Ice Telecommunications Ltd  £80,000 Ice Telecommunications Ltd made 72,682 unsolicited marketing calls to businesses registered with the CTPS or TPS between 13 September 2021 and 31 January 2022.
L.A.D.H Limited  £50,000 L.A.D.H Limited sent 31,329 direct market text messages to individuals in breach of regulation 22 and 23 of PECR.

London Monetary Penalties for GDPR Breaches

Name of Business Penalty Issued Reason for Penalty
The Central Young Men’s Christian Association  £7,500 The Central YMCA sent an email to individuals participating in a programme for people living with HIV using “CC” rather than “BCC”, revealing the email addresses to all recipients.
Dr Telemarketing  £100,000 Dr Telemarketing made 80,240 unwanted marketing calls between 11 February 2021 and 22 March 2022 to numbers registered with the TPS.
Ministry of Defence  £350,000 The MOD sent emails inadvertently using the “To” field rather than the “BCC” field.
Poxell Ltd  £150,000 Poxell made 2,647,805 unsolicited direct marketing calls in breach of regulations 21 and 24 of PECR.
HelloFresh  £140,000 79 million spam emails and 1 million spam texts over a seven-month period
Digivo Media Limited  £50,000 Between 24 March 2021 and 7 September 2021 there were 415,041 texts delivered without valid consent.
MCP Online Ltd  £55,000 Making unsolicited financial services calls about pensions.
F12 Management Ltd  £200,000 F12 Management Ltd made 1,346,019 marketing calls to individuals in breach of regulation 21 of PECR.
Cover Appliance Ltd  £200,000 Cover Appliance Ltd made 511,499 marketing calls to individuals in breach of regulation 21 of PECR.
Join the Triboo Limited  £130,000 A confirmed total of 107 million direct marketing messages were sent by Join the Triboo Limited and from those messages 437,324 were received by distinct individuals.
TikTok Information Technologies UK Limited and TikTok Inc (TikTok) £12,700,000 A number of breaches of data protection law, including failing to use children’s personal data lawfully.
It's OK Limited £200,000 The company made 1,752,149 unsolicited calls for direct marketing purposes to subscribers who had been registered with the TPS for not less than 28 days, and who had not notified It's OK Limited that they did not object to receiving such calls, contrary to regulation 21 of PECR.

Lancaster Monetary Penalties for GDPR Breaches

Name of Business Penalty Issued Reason for Penalty
Crown Glazing Ltd £130,000 The organisation made 503,445 unsolicited calls to TPS registered numbers between 4 January to 11 November 2021.
Simply Connecting Ltd £40,000 Simply Connecting Ltd sent 441,830 direct marketing text messages to individuals in breach of regulation 22 of PECR.
Pinnacle Life Limited £80,000 The company made 47,998 unsolicited calls to individuals on TPS attempting to sell life insurance.

Cardiff Monetary Penalties for GDPR Breaches

Name of Business Penalty Issued Reason for Penalty
Outsource Strategies Ltd  £240,000 Outsource Strategies Ltd made 1,346,503 unwanted marketing calls between 11 February 2021 and 22 March 2022 to numbers registered with the TPS.
House Hold Appliances 247 Ltd  £55,000 House Hold Appliances 247 Ltd made 19,069 marketing calls to individuals in breach of regulation 21 of PECR.
This Is The Big Deal Limited  £30,000 This Is The Big Deal Limited sent or instigated the sending of 41,417,889 unsolicited direct marketing messages.

Bournemouth Monetary Penalties for GDPR Breaches

Name of Business Penalty Issued Reason for Penalty
Skean Homes Ltd  £100,000 Skean instigated 614,342 unsolicited direct marketing calls in breach of regulations 21 and 24 of PECR.
SGS Home Protect Ltd  £70,000 SGS Home Protect Ltd made 24,214 marketing calls to individuals in breach of regulation 21 of PECR.

Berkshire Monetary Penalties for GDPR Breaches

Name of Business Penalty Issued Reason for Penalty
Argentum Data Solutions Ltd  £65,000 2,330,423 SMS sent without consent

What to do if you fall victim to a breach of GDPR

If people in the UK have fallen victim to a data breach or are receiving unwanted marketing calls without their consent, they have several options for addressing these issues:

Steps to take if you are a victim of a data breach

  1. Contact the Organisation: Start by contacting the organisation responsible for the breach to understand what data was affected and what steps they are taking to address the breach.
  2. Monitor Your Accounts: Keep a close watch on your financial accounts, emails, and other personal information for any suspicious activity. Consider changing passwords and enabling two-factor authentication.
  3. Report to the ICO: If you believe your data rights have been violated, you can report the breach to the ICO. The ICO can investigate and take action against organisations that fail to comply with data protection laws.
  4. How to Report: Visit the ICO’s website and use their online reporting tool, or contact them via phone or email to make a complaint.
  5. Seek Legal Advice: If you suffer financial or emotional harm due to the breach, you might consider seeking legal advice to explore the possibility of compensation.

Steps to take against unwanted marketing calls

  1. Register with the Telephone Preference Service (TPS): Registering your phone number with the TPS can help reduce unsolicited marketing calls. It is a free service, and organisations are legally required to avoid calling numbers listed on the TPS.
  2. How to Register: Visit the TPS website or call their registration line to add your number.
  3. Contact the Organisation: If you know the organisation making the calls, contact them directly and request that they stop calling you. By law, they must respect your request.
  4. Report to the ICO: If the calls persist, you can report the issue to the ICO. The ICO can take action against companies that make unsolicited marketing calls without consent.
  5. How to Report: Use the ICO’s online reporting tool for nuisance calls and messages.
  6. Use Call-Blocking Technology: Many smartphones and telecom providers offer call-blocking features or services. Utilise these tools to block unwanted numbers.

How can Hayes Connor help?

If your personal data has been compromised as a result of security failings by an organisation, you may be entitled to claim compensation.

At Hayes Connor Solicitors, we have significant expertise supporting clients who’ve had their data exposed due to data protection negligence. We can support to claim for privacy loss, distress, and financial losses.

To discuss your claim today, get in touch with our data protection solicitors at Hayes Connor. You can call us on 0330 041 5139 or fill in our data breach claim form and we will get back to you.