ICO notifies multi-million pound fines for data breaches under the GDPR

The UK's data privacy regulator, the ICO, has started issuing notices of intention to fine data controllers under GDPR for data breaches, with two significant fines announced in the last week.

The maximum fine the ICO can impose for a breach of data protection laws increased under GDPR from £500k under the Data Protection Act 1998 to €20m or 4% of global annual turnover, whichever is greater. GDPR also introduced stronger data breach reporting and notification requirements.

The ICO has now issued two notices of intention to fine in respect of some high profile data breaches which were notified after GDPR came into effect. The data controllers receiving these notices have been given time to make representations to the Commissioner, who will consider these before making a final decision.

For more on the actions of the ICO, head over to our sister blog technology law update.