Editorial

Privacy Enforcement in the UK post-GDPR: Keeping abreast of the trends

In the first of a series of articles, PwC outlines some key ICO enforcement trends.

Posted 2 March 2023 by Christine Horton


In the UK, the Information Commissioner’s Office (‘ICO’) is the regulator responsible for enforcing laws relating to privacy and information rights. The ICO is empowered to investigate, and to bring enforcement action against, organisations and individuals for breaches of those laws, namely the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR).

The threat of more severe regulatory action (see table below) sparked a flurry of activity by businesses in the run up to the GDPR coming into force. However, nearly five years on, what can we learn from the ICO’s approach to regulatory enforcement post-GDPR and what are the infringements that result in the ICO taking enforcement action? PwC has compiled a database of the nature, volume and size of ICO enforcement activity since 2019 (when the first GDPR enforcement powers were used) to find out.

We will be publishing an ‘ICO Enforcement Trends’ update on a quarterly basis and you will be able to access them here on THINK Digital Partners.

In publishing these trends we’d like to repeat the UK Information Commissioner, John Edwards’ own words: “Fines are only one of a number of enforcement tools available to us. We need to be regulating for outcomes, not outputs. The number or quantum of fines is not the measure of our success or failure, nor of our impact. Getting better outcomes, and sharing those stories with the wider economy, can have a much greater effect on the lives and rights of the people of the UK than a fine might. That’s my regulatory philosophy, and I’m sticking to it.”

If you’d like to find out more about PwC’s Data Protection team and how they can support your business in complying with UK Privacy Laws please contact Fedelma Good or Orla Middlemiss, whose details can be found at the bottom of this article.

Types of enforcement action

Whilst the ICO receives tens of thousands of complaints and concerns every year, it reserves its corrective enforcement powers for the most serious infringements. The table below summarises the different types of enforcement action that the ICO can take.

Enforcement action and description

Reprimands (published since December 2022)
A formal letter stating that an organisation has not complied with the legislation, often accompanied by recommended actions for the organisation to take. Reprimands are usually reserved for less serious infringements. They are designed to act as deterrents and have a negative reputational impact, but they do not legally compel an organisation to take the recommended actions.

Enforcement Notices
Usually reserved for more serious infringements, they require an organisation either to take, or to refrain from taking, specified steps. Enforcement notices are likely to be issued where an organisation has failed to take appropriate action to comply since the original breach. Failure to comply with an enforcement notice exposes the organisation to further action: under the DPA 2018 the ICO may issue a penalty notice for the non-compliance, and for notices served under PECR non-compliance is a criminal offence.

Monetary Penalty Notices (MPN)
The ICO has the power to issue a monetary penalty (fine) of up to: £500,000 for non-compliance with PECR; and, for non-compliance with the UK GDPR, £17.5 million or 4% of an organisation’s total worldwide annual turnover, whichever is higher (the ‘higher maximum’; a standard maximum of £8.7 million or 2% applies to less serious infringements).

Prosecutions
The ICO can prosecute criminal offences under the relevant legislation where it is deemed to be in the public interest. Prosecutions can be brought against private individuals as well as organisations. Offences under the DPA 2018 for which prosecutions can be brought include: unlawfully obtaining personal data; re-identification of de-identified personal data; and alteration of personal data to prevent disclosure to individuals.

The ICO publishes its enforcement actions on its website and in a surprising move has recently also started publishing details of the complaints it receives.

Key enforcement trends post-GDPR

  • Breaches of direct marketing rules consistently attract the most enforcement action. 87 out of the 126 enforcement actions taken by the ICO in the period between 1 Jan 2019 and 31 Dec 2022 were for breaches of the direct marketing rules under PECR. The vast majority of these breaches related to unsolicited and nuisance calls, text messages and emails sent to individuals. Aggravating factors, which increased the value of the MPNs issued, included deliberately targeting vulnerable groups, using pressure tactics on calls, and non-compliance with ICO investigations.
  • PECR fines could soon match those in place for GDPR: The UK Data Protection and Digital Information Bill includes provisions for the maximum fines for PECR breaches to be raised in line with GDPR: £17.5 million or 4% of global annual turnover.
  • There has been a steady increase in the volume of enforcement action being taken for breaches of the UK GDPR. Although such breaches accounted for only 19% of all enforcement action in 2022, the upward trend could be an indication that the ICO is becoming more comfortable with using its powers under the UK GDPR and that they will not be reserved solely for headline-grabbing breaches by household names.
  • The vast majority of action is taken against private companies. 87% of the incidents that have resulted in either an enforcement notice or an MPN since 1 Jan 2019 have been within the private sector. This is a trend that we believe is likely to continue, with John Edwards recently announcing that, as part of a ‘new approach to working more effectively with public authorities,’ the ICO would be using its ‘discretion’ to reduce the number of MPNs issued to the public sector, as ‘large fines on their own may not be as effective a deterrent on the public sector.’
  • The ICO remains one of the most active privacy regulators in Europe, but the overall size of its MPNs remains moderate compared with its peers. In 2022, the ICO issued three seven-figure MPNs to organisations for breaches of the UK GDPR. The size of a fine depends on a variety of factors including: the number of data subjects affected by the breach; whether the organisation has already taken remedial measures following the breach; the size of the organisation; and whether the breach was a one-off incident or ongoing.

Enforcement action taken by the ICO in the period 1 January 2019 – 31 December 2022