On 30 May 2019, the United Kingdom’s ICO released a report, “GDPR: One Year On”, discussing the impact of the GDPR and its associated learnings after one year following its implementation (the “Report”), which provides valuable insight into the enforcement practices, EU-wide cooperation, support functions, innovative practices and further growth plans of the ICO. The contents of the Report will likely prove useful in helping to map out the direction the ICO will take during the course of the coming year and beyond.

Enforcement. The following items are flagged as regulatory priorities for the ICO going forward:

  • cyber security;
  • AI, big data and machine learning;
  • web and cross-device tracking for marketing purposes;
  • children’s privacy;
  • use of surveillance and facial recognition technology;
  • data broking;
  • the use of personal information in political campaigns; and
  • freedom of information compliance.

In line with previous statements made by the Information Commissioner, the ICO notes that enforcement policy is not merely a matter of large fines, but rather of utilising all the tools available to the ICO (as outlined in the ICO’s Regulatory Action Policy). This includes enhanced powers of audit under the GDPR – involving the use of formal assessment notices – that serve to expand the toolbox, and the Report indicates that the ICO issued 15 assessment notices under the new regime in conjunction with investigations.

The GDPR has also resulted in a significant increase in reported personal data breaches, with the ICO being informed of approximately 14,000 reported incidents from 25 May 2018 to 1 May 2019, up from 3,300 in the preceding year beginning 1 April 2017. Interestingly, only 0.5% of those reported data breaches led the ICO to impose either an improvement plan or a civil monetary penalty upon the relevant organisations, although the ICO attributes this to businesses taking their GDPR obligations seriously. However, the ICO appears willing to take formal action when necessary, as reflected by this case mentioned in the Report:

“As a result of administrative errors, an organisation disclosed personal data to incorrect recipients. Our investigation determined that whilst this was not a systemic failing, it nevertheless demonstrated that established policies and procedures were not always being followed. The organisation was therefore issued with a reprimand to take certain steps to improve compliance with the GDPR, including ensuring that all staff attended mandatory training; that policies and procedures be enforced and reiterated to staff on a regular basis; and that contact details be checked on all correspondence.”

The Report suggests that the new regime has had an appreciable effect on the number of concerns raised by the public to the ICO – up from 21,000 between 2017-2018 to 41,000 from 25 May 2018 to 1 May 2019, with subject access requests continuing to be the most common category of complaint. The Report identified the health sector as being responsible for a higher number of breach reports and data protection concerns, accounting for 16% and 7%, respectively.

Cooperation. The Report also highlights the significant proportion of the work the ICO does in collaboration with other data protection authorities, indicating that the ICO received 23% (roughly 55,000) of the 240,000 data protection complaints, data breaches, proactive investigations or other similar matters across the EU. The Report claims that the UK is currently the lead supervisory authority on 93 EU cross-border cases; with the European Data Protection Board reporting a total of 446 such cross-border cases across the past year, this would mean that the ICO is also leading on approximately 21% of such cross-border matters.

Further demonstrating strong links with other EU-based supervisory bodies, October 2018 saw the UK’s Information Commissioner elected as chair of the International Conference of Data Protection and Privacy Commissioners (ICDPPC).

Support. The Report reiterates the ICO’s commitment to support stakeholders through the provision of clear and comprehensive guidance on the law and to ensure that existing guidance is suitably updated. The ICO also continues to develop its statutory codes regarding (i) age-appropriate design code; (ii) data sharing; (iii) direct marketing; and (iv) journalism, to further assist in GDPR implementation.

Innovation. March 2019 saw the ICO open up the beta phase of its regulatory sandbox (the subject of further Covington blogs here and here), aiming to support organizations that are developing innovative products and services using personal data and to assist in their data protection compliance in these innovative areas.

In addition, 2018 saw the introduction of the ICO’s Research Grants Programme, aiming to “support independent, innovative research and solutions, focused on privacy and data protection issues”. Four organisations, including the Open Rights Group and Teesside University, were awarded grants in 2018. A further four organisations, including the PHG Foundation and Cardiff University, received Phase 2 funding.

Growth. Across 2018/2019, the ICO headcount grew considerably – from 505 to over 700. This expansion is expected to continue, with an anticipated headcount of 825 full-time staff by early 2020/2021, resulting in a near-doubling in size over the course of three years.

The fee income of the ICO has also seen a dramatic increase of 86% in 2018/2019, as compared to 2017/2018. This is due to the change in its funding model, involving an increase in annual data protection fee rates:

  • organisations with 10 or fewer staff and charities pay £40;
  • organisations with between 11 and 250 staff pay £60; and
  • organisations with over 250 staff now pay £2,900.

The ICO is committed to growing the number of organisations paying the fee and will “push for every single organisation required to pay the fee to do so”. As such, from November 2018 to the end of April 2019, the ICO issued over 3,800 notices of intent to fine for failure to pay the data protection fee and subsequently followed up with over 300 final penalty notices across the same period, recovering nearly £100,000 in fees and penalties.


Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.


Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.