Discussions about the enforcement of the GDPR inevitably focus on fines, but they’re only part of the UK data regulator’s toolbox. We analyse exclusive data about how the Information Commissioner’s Office uses its powers – and how the UK GDPR enforcement works under the waterline.
The starting point for most investigations by the Information Commissioner’s Office (ICO) will be to gather information to determine if a breach has occurred, and if further sanctions are warranted.
Details published by the office of Information Commissioner Elizabeth Denham under freedom of information laws suggest a relatively limited use of her investigative powers under the UK GDPR – although in many cases controllers may have provided information voluntarily without the need for formal compulsion.
From 1 January to 31 December 2020:
Where a breach of the UK GDPR occurs, the Information Commissioner can use a ‘heavyweight’ sanction such as a fine or an enforcement notice, details of which are published on her website. However, she also has a range of other powers, such as the power to issue a reprimand or a warning; both of those powers arise under the UK GDPR, and not under the Data Protection Act 2018.
Again, details recently published by the ICO suggest that apart from the headline-grabbing fines issued in October, it was also a relatively quiet year for formal sanctions. From 1 January to 31 December 2020:
These figures relate only to the UK GDPR. The Information Commissioner also enforces the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), where she has an established and well-oiled enforcement team that issued 12 fines for a total of £1.8 million and served a further four enforcement notices. These fines were primarily for the sending of unsolicited emails or SMSs, or for calling individuals registered on the Telephone Preference Service.
Similarly, the Information Commissioner also runs a programme of consensual audits with over 50 such audits completed in 2020, predominantly from the public sector. Finally, the Information Commissioner also issued around a thousand fines a year to companies that have not paid their data protection notification fees.
The Information Commissioner receives around 40,000 complaints a year, and carries out a further 2,000 investigations on her own initiative. At first sight, the figures set out above suggest the chance of any single complaint or investigation resulting in formal sanction is limited.
But this may be wishful thinking, and 2020 could be the low watermark for formal enforcement action. This is largely because much of the Information Commissioner’s enforcement capacity was tied up in her investigation into the data broking industry and by trying to push through the first two significant fines under the GDPR – which the relevant controllers hotly contested due to the amount of the threatened fines. Now that enforcement is complete, the ICO will have a better understanding of the fining process under the GDPR and the time to turn to new targets.
Whether this will result in a small number of blockbuster fines or a wider spectrum of less spectacular sanctions remains to be seen.
By Greg Palmer
This article was first published in Global Data Review, available here.
Reprimands: 1 January – 31 December 2020
| Date | Sector | Reason |
| --- | --- | --- |
| January 2020 | Education and childcare | Data protection principles (Art 5, UK GDPR) |
| January 2020 | Justice | Accuracy and security (s. 48 and 40, DPA 2018) |
| January 2020 | Health | Data protection principles (Art 5, UK GDPR) |
| March 2020 | Education and childcare | Data protection principles (Art 5, UK GDPR) |
| June 2020 | Health | Fair and lawful (s. 35, DPA 2018) |
| December 2020 | Education and childcare | Privacy by design (Art 25, UK GDPR) |
| December 2020 | Education and childcare | Subject access requests (Art 15, UK GDPR) |