URM Analyses ICO’s Enforcement Actions Since the GDPR was Introduced in 2018

Introduction

For the last 2 years, URM has published blogs analysing fines imposed by the Information Commissioner’s Office (ICO) under the GDPR for the calendar years 2022 and 2023.  In this blog, we are extending our analysis and taking a longer view to look at the total number of enforcement actions (of all kinds – not just fines, but enforcement notices, reprimands and warnings) taken by the ICO since the GDPR came into force (i.e., over five and a half years ago).  As part of our analysis, we have broken down the enforcement ‘instances’ according to the article number of the GDPR provision breached.  In other words, we identify which articles are the most commonly violated, and conversely which have provoked little or no regulatory attention to date.

The results, we believe, make for fascinating (perhaps even surprising) reading!

An interesting question – and comprehensive answer

First of all, the methodology.  We sourced the majority of the data used in this blog by submitting a Freedom of Information (FOI) request in 2023 to the ICO for this information.  While the regulator does publish on its website a list of cases where it has taken enforcement action, these only go back two years and are not organised by article or articles breached. The ICO responded to this FOI request providing all the information sought, and more, in three detail-packed Excel documents.  We then carried out a manual check of the ICO’s ‘Actions we’ve taken: Enforcement Action’ pages on its website to note the actions taken by the organisation since its FOI request response.

The top three most breached GDPR/UK GDPR articles

So, which of the GDPR Articles resulted in the most instances of ICO enforcement action in the first five and a half years of the Regulation being operated?  Well, we first actually need to set aside the absolute highest scorer, Article 5 (with 113 recorded enforcement actions for breach), because it is a bit of a ‘statement of the obvious’:  Article 5 of the GDPR contains the seven ‘principles’ of data protection, so almost any breach of the other articles of the Regulation will also, automatically, be a breach of one or more of the principles (and therefore of Art. 5).  You would, therefore, expect nearly every enforcement action to namecheck at least one of the principles as having been infringed.

‍

‍

‍

So, in reverse order (and discounting Article 5) the third most breached article was Article 24 – which attracted action by the ICO on 13 occasions (including 1 fine).  Article 24 is one of the key provisions setting out the obligations of controllers under the GDPR.  It requires the controller to implement appropriate technical and organisational measures (sometimes shortened to ‘TOMs’) to ensure they can demonstrate compliance with the Regulation including, specifically, proportionate ‘data protection policies’ (note the plural).

At No. 2 were some of the data subject rights articles (specifically Arts. 12 to 16 – the rights to be informed, the subject access right and the right to rectification), breaches of which between them incurred a total of 46 instances of enforcement action, including 5 fines.  This perhaps should not come as a surprise – the GDPR has always been primarily about protecting people’s rights, so it is encouraging to learn that the regulator is taking frequent action to bring organisations into line that are falling down in respect of their duties to individual data subjects.

And the most breached Article?  Incurring 48 instances of enforcement (with 3 fines among them), and representing nearly a fifth of the overall total, it was Article 32 that topped the breaches.  Article 32 resembles Article 24, in that it requires all organisations to have in place appropriate technical and organisational measures, but Article 32 specifically mandates using TOMs to preserve the security of any personal data they process, proportionate to the risks involved.  Breaches of Article 32 will often come to light as a consequence of an organisation suffering an accidental or deliberate (e.g. phishing, hacking or some other form of cyberattack) data security breach.  There have, of course, been several well-publicised and serious examples of such breaches in the UK over recent years.

‍

‍

Just outside the medals, in fourth place, were Arts. 33 and 34 (the personal data breach notification and communication Articles), with 8 enforcements (including 1 fine) between them.  This again is reassuring news – showing that the ICO is actively monitoring whether controllers are discharging their responsibilities to notify non-trivial data breaches to the regulator, and to inform the affected data subjects themselves about high-risk breaches involving their data.  It is also encouraging in the sense that the ICO is not finding itself having to take action so often as to suggest that these duties are being routinely ignored by controllers.

‍

GDPR vs. PECR

One of the surprising revelations from both our February 2023 and January 2024 blogs was that the substantial majority of fines imposed by the ICO in 2022 and 2023 were for organisations breaking the Privacy and Electronic Communications Regulations (PECR), rather than the GDPR/UK GDPR.  We at URM thought it might be useful to identify whether this disparity persisted throughout all the ICO’s enforcement activities, not just the monetary penalties it issued, and the short answer to this is no, it didn’t.  From May 2018 to December 2023, the regulator took 225 instances of enforcement action (including fines) for breaches of PECR, as opposed to 251 for infringements of GDPR – an almost equal number.  The ICO clearly considers fining to be generally a more appropriate and effective sanction for PECR breaches than for GDPR infringements.  For the record, there were 28 GDPR-related fines imposed in the period, making monetary penalties only 11.15% of the total GDPR enforcements – which should finally put to rest any previous fears that the introduction of GDPR may tempt the ICO to become ‘trigger-happy’ with its imposition of fines.

‍

‍

Unenforced articles  

However, some might say that even more noteworthy than the above stats were the GDPR Articles which did not lead to significant (or indeed any) enforcement intervention by the regulator.  For example, no enforcement action of any kind was deemed necessary for any breaches of five of the eight Chapter III data subject rights, including popular ones like the right to erasure (or ‘right to be forgotten’) and the right to object. Are we to assume that UK controllers perfectly handled all of the many, many thousands of these types of request received over the period? While it would be nice to think so, this seems slightly improbable.

Earlier, we looked at one of the Regulation’s key ‘controller responsibility’ provisions – Art. 24.  But what about the other just as (or more) important ones? For example, Article 25, under which organisations should embed data protection by design and default, and Article 35, which requires mandatory data protection impact assessments (DPIAs) for some particularly risky types of processing – to what extent were these enforced?  Well, the ICO was, perhaps surprisingly, almost untroubled by breaches of these two Articles – with only 6 enforcements racked up for Art. 25 (5 reprimands and a warning, no fines) in more than five years, and only two (both reprimands) delivered for breaches of Art. 35.  Given that carrying out a DPIA is an effective way for controllers to identify the appropriate TOMs they should be applying to their processing, the fact that two of the top three causes of the ICO taking action involved organisations having inadequate TOMs (under Arts. 24 and 32) suggests that many of the relevant DPIAs in these cases were either not performed or were defective.  So, the numerous enforcements for breaches of Arts. 24 and 32 probably reflected a sizeable element of failure to comply with Art. 35 as well, but the latter was not separately punished by the regulator.

But perhaps the most striking example of a basic ‘infrastructure’ provision of the GDPR which has, apparently, gone unenforced - garnering no enforcement activity at all from the ICO – is Article 30.  Under Art. 30, the vast majority of organisations which use personal data need to keep an overarching record of processing activities (ROPA) which delineates, in quite granular detail, all the processes that the organisation operates which involve personal data.  Although time-consuming to create, once it is done an organisation’s ROPA makes every other aspect of its GDPR compliance programme easier to achieve.  As such, it is no exaggeration to describe the Article 30 ROPA as the keystone of an organisation’s compliance effort.  So, what might be the takeaways from the apparent non-enforcement of Art. 30 since May 2018?  

Firstly, most of the ICO’s enforcement action arises from either complaints made to it by members of the public or organisations, or from the regulator’s investigation of breaches of personal data which are reported to it under the GDPR’s data breach notification rules.  Since the ROPA is not a public-facing document (it does not have to be displayed anywhere, such as on an organisation’s website, just passed to the ICO if it asks to see it) it will rarely itself be the subject of a complaint.  And, if an absent or deficient ROPA is identified by the regulator as part of its investigation of a breach, then any consequent enforcement action will be based on contravention of a more relevant provision of the Regulation – such as Art. 32 or Art. 5 – i.e. the breach of Art. 30 did not directly ‘cause’ the data breach in the same way that the breach of the other article or articles did.

Secondly, substandard or missing ROPAs are more likely to come to the attention of the ICO when it is conducting audits (independent assessments of compliance with data protection legislation) of organisations.  In the year April 2022-2023 the ICO carried out 71 audits, both compulsory and ’consensual’ (where the organisation voluntarily requests the audit).  Instances of non-compliance discovered during audits do not generally result in enforcement action, depending on the seriousness of the infringement.  And if any organisation undergoing an audit is found by the regulator already to have a properly completed ROPA in place, then the ICO will probably take note of that fact and give the audited entity some recognition for it.

What does the future hold?

Our analysis has thrown up some interesting findings, but one natural question many of you will be asking is whether this review of the last five and a half years provides any clues to future enforcement actions. A significant clue where the focus would be for 2024 was provided in  a speech made by John Edwards at the International Association of Privacy Professionals (IAPP) on 28 February 2024.  Here, the Information Commissioner indicated that the ICO’s regulatory efforts for this year would be focused on four key areas:

• Children’s privacy, especially on the internet
• The fair use of advertising technology (‘adtech’), specifically cookies on websites;
• Artificial Intelligence (the topic everyone has been talking about, not just in data protection circles, for the past year)
• The processing of biometric data by such technologies as fingerprint authentication, facial recognition software and internet image ‘scraping’ tools.  (see URM’s blog on Facial Recognition Technology and Data Protection Compliance)

These priorities will almost certainly inform the ICO’s enforcement programme over the coming months (and in the case of cookies compliance already has) and probably will result in a shift towards more instances of enforcement action which reflect these issues – i.e., for breaches of: Article 8 (Children’s Consent for Information Society Services); Art. 7 (Consent), PECR Reg. 6 (Cookies) and Art. 9 (Special Category Personal Data - of which biometric data, if it is used to identify a particular person, is a type).  At the same time, we may well see the ICO responding to other emerging and evolving developments in the marketplace and where a decision is made to apply stricter controls and enforcement.