UK GDPR Fines: Where does the money go?

EU GDPR and UK GDPR were brought in to protect people’s data rights. Like any data protection law with a supervisory authority behind it, they carry fines and maximum penalties for breaches. With the biggest fines now being issued, here we break down where that money goes.

There have been both record-breaking fines including Google’s €50 million GDPR violation in France, and fines that have been reduced, like the recent British Airways data breach.

Both raise the question: who receives the money from these fines? Here we show you what happens to fines issued by regulators and to fines that result from legal cases.

What happens to regulator issued fines?

As we’ve mentioned, some of these fines are very high. One of them is the £20 million fine issued to British Airways for its data breach. For this, we’ll focus on GDPR (UK) and its regulatory body, the Information Commissioner’s Office (ICO).

There were severe breaches by British Airways (BA), after it failed to protect the personal data of over 400,000 of its customers. The ICO found BA had been “processing a significant amount of personal data without adequate security measures in place.” That means there was a lack of organisational measures to stop

Not only did BA suffer significant reputational damage, but it also had to pay the fine. Though it may seem like a huge fine, keep in mind that 400,000 customers had their data breached and that BA had a “cyber-attack during 2018, which it did not detect for more than two months.” Yeesh.

Where does the £200m GDPR (UK) fine go? 

Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO (source: ICO). The Consolidated Fund is the Government’s general bank account at the Bank of England. This fund was established in 1787 to be “one fund into which shall flow every stream of public revenue and from which shall come the supply for every service”. This means fines fund all public services, just like tax revenue. You can see the Government’s Consolidated Fund breakdown for 2018-2019 here.

Most EU member states have the same system, where the fine is returned to the public purse rather than kept by the regulator.

The ICO is exploring options under which part of the fine income would be used to cover the costs of defending its decisions, including court costs.

What happens to fines as a result of a court case?

In court cases, if groups or individuals have been significantly affected in terms of their rights, and have suffered damage and distress, the judge may fine the company involved and award those funds as compensation to the people affected.

It is up to the judge to decide the amount of compensation, and whether it is paid to an individual or split between claimants in a group case. The judge will also decide how these funds are accessed: for example, individuals may have to claim the funds with legal support, or they may receive a share of the compensation directly. Typically the compensation is paid less legal costs, which can add up if the case is particularly complex.

Courts will enforce the judgement if the organisation refuses or is unable to pay, and will also handle any appeal, which may affect the amount of the fine issued.

You can see this in the Equifax US$700m settlement, of which a maximum of $425m will go towards consumer losses. That works out at $2.89 per individual if simply divided among everyone whose data was breached.