ICO hails transformative year as average fine trebles

The Information Commissioner’s Office (ICO) has hailed a transformative period for its work over the past 12 months, as it publishes its annual report for 2019/20. The period saw it handle 38,514 data protection complaints, close 39,860 data protection cases (up 15% year-on-year) and receive 6,367 freedom of information complaint cases.

After conducting more than 2,100 different investigations, the ICO took regulatory action 236 times in response to various breaches of data protection regulations during the 12 months to 31 March 2020. These included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines – including two multimillion-pound fines levied under the General Data Protection Regulation (GDPR) rules, against BA and Marriott.

“We have seen a transformative period in our digital history, with privacy established as a mainstream concern, and with complex societal conversations increasingly asking data protection questions,” said information commissioner Elizabeth Denham.

“This report shows the ICO has been at the centre of those discussions, from how facial recognition technology is used to how we protect children online.”

According to statistics compiled by RPC, a City of London-based law firm, the average fine issued by the ICO has trebled from £73,645 in 2016/17 to £216,000 in the past year (with the BA and Marriott fines not included in this because they have not yet been formally enforced), suggesting the regulator is getting much tougher on violators.

RPC partner Richard Breavington said: “The average value of fines has increased substantially in the past couple of years. This suggests that the ICO is being selective about its enforcement targets. However, this new wave of blockbuster fines that the ICO has said it plans to impose shows that pressure on businesses is only likely to increase.”

Breavington noted the temporary relaxation of the ICO’s approach to regulation during the Covid-19 pandemic, but said it was still critical that organisations took all possible measures to remain in compliance with data protection law.

“Although many businesses now have robust systems in the workplace to protect against hackers, some might not have the same measures in place to protect against staff working from home,” he said. “In addition, there is nobody on the ground to enforce basic protocols to protect against hacking. The ICO has indicated that it will be understanding during the Covid-19 crisis, but obviously it is preferable to avoid being in a breach situation to start with, where possible.”

Although the ICO’s report barely reflects the impact of Covid-19 because of the period it covers, which ended only a week after the UK went into lockdown, Denham also acknowledged the deeply-felt impact of the pandemic on its work.

“The digital evolution of the past decade has accelerated at a dizzying speed in the past few months,” she said. “Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family. But the law has not changed, and the ICO continues to be a proportionate and practical regulator.”

Elsewhere, the ICO report noted its work on the publication of the Age Appropriate Design Code in January, its intervention in the High Court case on the use of facial recognition by South Wales Police, and its ongoing work to produce guidance for businesses and organisations on what trouble lies ahead for data protection, and free movement of data, at the end of the Brexit transition period.