New data reveals firms which received GDPR fines during lockdown

Data Privacy

A Freedom of Information request has revealed that Ticketmaster, British Airways and Marriott were among businesses in the UK which were fined for breaching GDPR regulations between March 2020 and January 2021. 

Data obtained through the Freedom of Information (FOI) request by confidential shredding and records management company, Go Shred, show that only four penalty notices have been handed out to UK businesses for breach of GDPR/DPA 2018 regulations since the lockdown began. 

According to the information provided by the Information Commissioner’s Office (ICO) in response to the FOI request, between 23 March 2020 when the first UK lockdown was imposed and 13 January 2021, Ticketmaster, Marriott and British Airways were all fined for breaches of GDPR/DPA 2018 legislation. 

In addition to these, one further penalty notice was issued to Doorstop Dispensaries, relating to a breach of the GDPR but this fell just outside the timescales requested in the FOI request. These four incidents represent all of the fines issued by the ICO under the GDPR between 23rd March and January 2021. 

Investigations by the ICO into potential breaches of Data Protection legislation originate both from complaints made by members of the public and from reports made to the ICO by data controllers.

Whilst the ICO is yet to release the annual report for the number of complaints received in the whole of 2020, taking a look at data from March 2019 to March 2020, data protection complaints numbered 39,860, a 15% increase on the previous year.

The number of personal data breaches reported and completed by the ICO increased by 3% to 12,789 in 2019/20 compared to 12,385 in 2018/192. The sectors generating the most personal data breaches were health (19.66%), general business (17.16%) and education (14.11%). 

Looking back at breaches and fines handed out since the GDPR regulations came into action in May 2018, the UK is in the top four countries in Europe in terms of the total value of GDPR fines imposed. Italy leads the way at £69,328,716, closely followed by Germany £69,085,000, France £54,436,300 and the UK £44,221,0003. 

This new study from Go Shred comes after a recent survey from the brand revealed that 66% of homeworkers in the UK have printed work-related documents since they began working from home, potentially breaching GDPR regulations by not securing confidential information. The survey revealed 20% have printed confidential employee information including payroll, addresses and medical information.

Over a third (36%) told Go Shred they are aware of the GDPR rules, so never print at home and a further 19% admit they have some knowledge of the regulations but would like to know more. However, 12% of those polled admit they have no knowledge of the regulations, with 9% saying their employer has not reinforced rules around GDPR and sensitive information while they’ve been working from home. 

Says Mike Cluskey, Managing Director at Go Shred:

“From accessing work-related emails on personal devices to correctly disposing of confidential print outs, remaining GDPR compliant when working from home can be tricky but it’s essential to avoid penalties and potential data breaches.

“Our top tips to avoid any breaches would be to only use approved devices, conduct internal training with your staff to make sure they are aware of their responsibilities, take extra care with print outs and secure any paper documents which might contain sensitive information.”

To find out more about the study, please visit: 


Chris Price
For latest tech stories go to