
Privacy Enforcement in the UK: Keeping abreast of the trends

In this third blog in PwC UK’s ICO enforcement trends series, PwC looks at the statistics from the second quarter of 2023 and how these impact the overall trend figures.

Posted 3 October 2023 by Christine Horton


In the UK, the Information Commissioner’s Office (‘ICO’) is the regulator responsible for enforcing laws relating to privacy and information rights. The ICO is empowered to investigate and to bring enforcement action against organisations and individuals for breaches of those laws, namely the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (‘PECR’).

PwC has compiled a database of the nature, volume and size of ICO enforcement activity and provides quarterly articles summarising key trends and developments. In publishing these trends, we’d like to repeat the own words of the UK Information Commissioner, John Edwards: “Fines are only one of a number of enforcement tools available to us… Getting better outcomes, and sharing those stories with the wider economy, can have a much greater effect on the lives and rights of the people of the UK than a fine might.”

If you’d like to find out more about PwC’s Data Protection team and how they can support your business in complying with UK privacy laws, please contact Chris Cartmell or Orla Middlemiss, whose details can be found at the bottom of this article.

Key enforcement trends April 2023 – June 2023

  • The ICO issued 7 Monetary Penalty Notices, one of which was for £12,700,000, the third largest fine the ICO has issued in GDPR history. The fine was imposed for a number of data protection breaches, including processing the personal data of up to 1.4 million children in the UK under the age of 13 without parental consent.
  • Public sector Reprimands continue to steadily increase faster than in the private sector. The majority of Reprimands issued so far have been against public bodies, including health, social care, central government and policing establishments. This reflects the ICO’s revised approach to public sector enforcement that the Commissioner announced in June 2022, which will see the ICO ‘reduce the impact of fines on the public sector’.
  • Beyond the GDPR, the ICO has renewed its focus on regulation of public sector compliance with the Freedom of Information (“FOI”) Act. FOI requests are requests for information made by individuals to public authorities. In April, the ICO launched the third element of its FOI toolkit, covering how bodies can deal with vexatious requests for information. The ICO also published statistics on its most recent FOI enforcement action, which has seen more enforcement action taken since August 2022 alone than since the FOI Act was introduced in 2005.
  • Most ICO enforcement action continues to be for breaches of PECR as a result of companies unlawfully targeting individuals with electronic marketing. In Q2, three marketing sector companies and two utilities companies were found in breach of PECR, with cumulative fines of £534,000. It is likely that the size of these fines will rise under the new Data Protection and Digital Information Bill No. 2 when it comes into force (which is anticipated to be early next year). To support businesses, the ICO released a suite of guidance specifically targeted at direct marketing to try to quell the volume of breaches in this space.

Enforcement action

Associate
Data Protection Legal – PwC UK
saehaan.a.memon
Orla Middlemiss, Manager
Data Protection Legal – PwC UK
orla.middlemiss@pwc.com
Chris Cartmell, Director
Data Protection Legal – PwC UK
chris.cartmell@pwc.com
