GDPR: No fines yet issued by the ICO. How has the regulation performed in its first year?

Since the General Data Protection Regulation’s (GDPR) inception on 25 May 2018, the number of data breach notifications received by the Information Commissioner (ICO) has quadrupled – but the ICO is yet to issue any fines under GDPR.

A record breaking 14,072 breach notifications were made to the ICO between 25 May 2018 and the beginning of May this year. This is four times the number of notified data breaches recorded by the ICO for April 2017-2018, which was 3,311.

This sharp increase is partly due to the introduction of mandatory breach reporting for organisations that control personal data where a data breach is likely to “result in a risk for the rights and freedoms of individuals” under the new regime. These new breach reporting obligations enable the ICO to enforce GDPR and issue fines more effectively than in previous years.

The public have also submitted an unprecedented 41,054 complaints this year, almost doubling last year’s total. It suggests consumers are now more aware than ever before of the value of their personal data and their rights under GDPR, which includes their right to lodge a complaint with the ICO.

So far, more than 90 fines have been issued under GDPR totalling €55.96 million across Europe, including the biggest ever GDPR fine of €50 million issued by France’s CNIL to Google for failing to meet the new consent requirements under GDPR and to comply with its transparency and information obligations.

Despite these impressive notification figures, the increase in consumer awareness of GDPR, and ground breaking enforcement action taken by the ICO’s counterparts across Europe, no fine has been issued under GDPR rules in the UK.  However, a spokeswoman for the ICO has confirmed that the “first fines under the General Data Protection Regulation are due to be issued soon, once the necessary legal processes have been completed”.

Although it is not public knowledge which organisations will be on the receiving end of the ICO’s first fines, we suspect that the ICO will have focussed its attention on the most egregious breaches – for example, the hacking attack on British Airways’ systems which led to 244,000 customers’ payment details being stolen and put up for sale on the dark web.