On 30 May 2019, the United Kingdom’s ICO released a report, “GDPR: One Year On” (the “Report”), discussing the impact of the GDPR and the lessons learned in the year since its implementation. The Report provides valuable insight into the ICO’s enforcement practices, EU-wide cooperation, support functions, innovation initiatives and growth plans, and its contents will likely prove useful in mapping out the direction the ICO will take during the coming year and beyond.
Enforcement. The following items are flagged as regulatory priorities for the ICO going forward:
- cyber security;
- AI, big data and machine learning;
- web and cross-device tracking for marketing purposes;
- children’s privacy;
- use of surveillance and facial recognition technology;
- data broking;
- the use of personal information in political campaigns; and
- freedom of information compliance.
In line with previous statements made by the Information Commissioner, the ICO notes that enforcement policy is not merely a matter of large fines but rather of utilising all the tools available to the ICO (as outlined in the ICO’s Regulatory Action Policy). These include the enhanced powers of audit under the GDPR, involving the use of formal assessment notices, which expand the ICO’s toolbox; the Report indicates that the ICO issued 15 assessment notices under the new regime in conjunction with investigations.
The GDPR has also resulted in a significant increase in reported personal data breaches, with the ICO being informed of approximately 14,000 reported incidents from 25 May 2018 to 1 May 2019, up from 3,300 in the preceding year beginning 1 April 2017. Interestingly, only 0.5% of those reported data breaches led the ICO to impose either an improvement plan or a civil monetary penalty upon the relevant organisations, although the ICO attributes this to businesses taking their GDPR obligations seriously. However, the ICO appears willing to take formal action when necessary, as reflected by this case mentioned in the Report:
“As a result of administrative errors, an organisation disclosed personal data to incorrect recipients. Our investigation determined that whilst this was not a systemic failing, it nevertheless demonstrated that established policies and procedures were not always being followed. The organisation was therefore issued with a reprimand to take certain steps to improve compliance with the GDPR, including ensuring that all staff attended mandatory training; that policies and procedures be enforced and reiterated to staff on a regular basis; and that contact details be checked on all correspondence.”
The Report suggests that the new regime has had an appreciable effect on the number of concerns raised by the public to the ICO – up from 21,000 between 2017-2018 to 41,000 from 25 May 2018 to 1 May 2019, with subject access requests continuing to be the most common category of complaint. The Report identified the health sector as being responsible for a higher number of breach reports and data protection concerns, accounting for 16% and 7%, respectively.
Cooperation. The Report also highlights the significant proportion of the ICO’s work that is done in collaboration with other data protection authorities, indicating that the ICO received 23% (roughly 55,000) of the 240,000 data protection complaints, data breaches, proactive investigations and other similar matters across the EU. The Report states that the UK is currently the lead supervisory authority on 93 EU cross-border cases; with the European Data Protection Board reporting a total of 446 such cross-border cases over the past year, this would mean that the ICO is also leading on approximately 21% of such cross-border matters.
Further demonstrating strong links with other EU-based supervisory bodies, October 2018 saw the UK’s Information Commissioner elected as chair of the International Conference of Data Protection and Privacy Commissioners (ICDPPC).
Support. The Report reiterates the ICO’s commitment to support stakeholders by providing clear and comprehensive guidance on the law and by ensuring that existing guidance is suitably updated. The ICO also continues to develop its statutory codes on (i) age-appropriate design; (ii) data sharing; (iii) direct marketing; and (iv) journalism, to further assist in GDPR implementation.
Innovation. March 2019 saw the ICO open the beta phase of its regulatory sandbox (the subject of further Covington blogs here and here), which aims to support organisations that are developing innovative products and services using personal data and to assist them with data protection compliance in these innovative areas.
In addition, 2018 saw the introduction of the ICO’s Research Grants Programme, which aims to “support independent, innovative research and solutions, focused on privacy and data protection issues”. Four organisations, including the Open Rights Group and Teesside University, were awarded grants in 2018. A further four organisations, including the PHG Foundation and Cardiff University, received Phase 2 funding.
Growth. Across 2018/2019, the ICO headcount grew considerably, from 505 to over 700. This expansion is expected to continue, with an anticipated headcount of 825 full-time staff by early 2020/2021, resulting in a near-doubling in size over the course of three years.
The ICO’s fee income has also seen a dramatic increase of 86% in 2018/2019 as compared to 2017/2018. This is due to a change in its funding model, involving an increase in the annual data protection fee rates:
- organisations with 10 or fewer staff and charities pay £40;
- organisations with between 11 and 250 staff pay £60; and
- organisations with over 250 staff now pay £2,900.
The ICO is committed to growing the number of organisations paying the fee and will “push for every single organisation required to pay the fee to do so”. Accordingly, from November 2018 to the end of April 2019, the ICO issued over 3,800 notices of intent to fine for failure to pay the data protection fee and subsequently followed up with over 300 final penalty notices over the same period, recovering nearly £100,000 in fees and penalties.