UK: GDPR enforcement below the waterline

Discussions about the enforcement of the GDPR inevitably focus on fines, but they’re only part of the UK data regulator’s toolbox. We analyse exclusive data about how the Information Commissioner’s Office uses its powers – and how the UK GDPR enforcement works under the waterline.

Investigative powers

The starting point for most investigations by the Information Commissioner’s Office (ICO) will be to gather information to determine if a breach has occurred, and if further sanctions are warranted.

Details published by the office of Information Commissioner Elizabeth Denham under freedom of information laws suggest a relatively limited use of her investigative powers under the UK GDPR – although in many cases controllers may have provided information voluntarily without the need for formal compulsion.

From 1 January to 31 December 2020:

• Powers of Entry and Inspection: The Information Commissioner used her powers of entry and inspection on two occasions in February 2020. The warrants were issued in relation to an investigation into the motor industry for unlawful obtaining of personal data.
• Assessment notices: Only one assessment notice was issued in December 2020 against a central government department for general data breaches.
• Information notices: No information notices were served in 2020.

Sanctioning powers

Where a breach of the UK GDPR occurs, the Information Commissioner can use a ‘heavyweight’ sanction such as a fine and enforcement notice, details of which are published on her website. However, she has also a range of other powers, such as the power to issue a reprimand or a warning; both of those powers arise under the UK GDPR, and not under the Data Protection Act 2018.

Again, details recently published by the ICO suggest that apart from the headline-grabbing fines issued in October, it was also a relatively quiet year for formal sanctions. From 1 January to 31 December 2020:

• Warnings: The ICO issued no warnings under Article 58(2)(a) of the UK GDPR.
• Reprimands: The ICO issued a total of seven reprimands under Article 58(2)(b) of the UK GDPR. The full details are set out below, but they were predominantly issued to the justice and education sectors for a range of reasons, including failing to properly respond to subject access requests, security and data protection by design.
• Enforcement notices: One enforcement notice was issued under the GDPR in relation to data broking activities.
• Fines: The Information Commissioner issued three fines in 2020 to Marriott (£18.4 million), British Airways (£20 million) and Ticketmaster (£1.25 million). Two separate fines were issued under the old Data Protection Act 1998 to Cathay Pacific (£500,000) and DSG (£500,000). It is interesting to note that she has also confirmed that she issued no fresh Notices of Intent to fine in 2020, suggesting the pipeline for new monetary penalty notices might be running dry.

Other enforcement

These figures just relate to the UK GDPR. The Information Commissioner also enforces the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), where she has an established and well-oiled enforcement team that issued 12 fines for a total of £1.8million and served a further four enforcement notices. These fines were primarily for the sending of unsolicited emails or SMSs, or calling individuals registered on the Telephone Preference Service.

Similarly, the Information Commissioner also runs a programme of consensual audits with over 50 such audits completed in 2020, predominantly from the public sector. Finally, the Information Commissioner also issued around a thousand fines a year to companies that have not paid their data protection notification fees.

Looking forward

The Information Commissioner receives around 40,000 complaints a year, and carries out a further 2,000 investigations on her own initiative. At first sight, the figures set out above suggest the chance of any single complaint or investigation resulting in formal sanction is limited.

But this may be wishful thinking, and 2020 could be the low watermark for formal enforcement action. This is largely because much of the Information Commissioner’s enforcement capacity was tied up in her investigation into the data broking industry and by trying to push through the first two significant fines under the GDPR – which the relevant controllers hotly contested due to the amount of the threatened fines. Now that enforcement is complete, the ICO will have a better understanding of the fining process under the GDPR and the time to turn to new targets.

Whether this will result in a small number of blockbuster fines or a wider spectrum of less spectacular sanctions remains to be seen.

By Greg Palmer

This article was first published in Global Data Review, available here.

Reprimands: 1 January – 31 December 2020

Date	Sector	Reason
January 2020	Education and childcare	Data protection principles (Art 5, UK GDPR).
January 2020	Justice	Accuracy and security (s. 48 and 40, DPA 2018)
January 2020	Health	Data protection principles (Art 5, UK GDPR).
March 2020	Education and childcare	Data protection principles (Art 5, UK GDPR).
June 2020	Health	Fair and lawful (s. 35, DPA 2018).
December 2020	Education and childcare	Privacy by design (Art 25, UK GDPR).
December 2020	Education and childcare	Subject access requests (Art 15, UK GDPR).