On 30 May 2019, the United Kingdom’s ICO released a report, “GDPR: One Year On”, discussing the impact of the GDPR and the lessons learned in the first year following its implementation (the “Report”). The Report provides valuable insight into the enforcement practices, EU-wide cooperation, support functions, innovative practices and further growth plans of the ICO, and its contents will likely prove useful in mapping out the direction the ICO will take during the course of the coming year and beyond.

Enforcement. The following items are flagged as regulatory priorities for the ICO going forward:

  • cyber security;
  • AI, big data and machine learning;
  • web and cross-device tracking for marketing purposes;
  • children’s privacy;
  • use of surveillance and facial recognition technology;
  • data broking;
  • the use of personal information in political campaigns; and
  • freedom of information compliance.

In line with previous statements made by the Information Commissioner, the ICO notes that enforcement policy is not merely a matter of large fines, but rather of utilising all the tools available to the ICO (as outlined in the ICO’s Regulatory Action Policy). These include enhanced powers of audit under the GDPR – involving the use of formal assessment notices – that expand the toolbox, and the Report indicates that the ICO issued 15 assessment notices under the new regime in conjunction with investigations.

The GDPR has also resulted in a significant increase in reported personal data breaches, with the ICO being informed of approximately 14,000 reported incidents from 25 May 2018 to 1 May 2019, up from 3,300 in the preceding year beginning 1 April 2017. Interestingly, only 0.5% of those reported data breaches led the ICO to impose either an improvement plan or a civil monetary penalty upon the relevant organisations, although the ICO attributes this to businesses taking their GDPR obligations seriously. However, the ICO appears willing to take formal action when necessary, as reflected by this case mentioned in the Report:

“As a result of administrative errors, an organisation disclosed personal data to incorrect recipients. Our investigation determined that whilst this was not a systemic failing, it nevertheless demonstrated that established policies and procedures were not always being followed. The organisation was therefore issued with a reprimand to take certain steps to improve compliance with the GDPR, including ensuring that all staff attended mandatory training; that policies and procedures be enforced and reiterated to staff on a regular basis; and that contact details be checked on all correspondence.”

The Report suggests that the new regime has had an appreciable effect on the number of concerns raised by the public to the ICO – up from 21,000 in 2017/2018 to 41,000 from 25 May 2018 to 1 May 2019 – with subject access requests continuing to be the most common category of complaint. The Report identified the health sector as being responsible for a higher number of breach reports and data protection concerns, accounting for 16% and 7% of them, respectively.

Cooperation. The Report also highlights the significant proportion of the work the ICO does in collaboration with other data protection authorities, indicating that the ICO received 23% (roughly 55,000) of the 240,000 data protection complaints, data breaches, proactive investigations or other similar matters across the EU. The Report claims that the UK is currently the lead supervisory authority on 93 EU cross-border cases; with the European Data Protection Board reporting a total of 446 such cross-border cases across the past year, this would mean that the ICO is also leading on approximately 21% of such cross-border matters.

Further demonstrating strong links with other EU-based supervisory bodies, October 2018 saw the UK’s Information Commissioner elected as chair of the International Conference of Data Protection and Privacy Commissioners (ICDPPC).

Support. The Report reiterates the ICO’s commitment to support stakeholders through the provision of clear and comprehensive guidance on the law and to ensure that existing guidance is suitably updated. The ICO also continues to develop its statutory codes regarding (i) age-appropriate design code; (ii) data sharing; (iii) direct marketing; and (iv) journalism, to further assist in GDPR implementation.

Innovation. March 2019 saw the ICO open up the beta phase of its regulatory sandbox (the subject of further Covington blogs here and here), aiming to support organizations that are developing innovative products and services using personal data and to assist in their data protection compliance in these innovative areas.

In addition, 2018 saw the introduction of the ICO’s Research Grants Programme, aiming to “support independent, innovative research and solutions, focused on privacy and data protection issues”. Four organisations, including the Open Rights Group and Teesside University, were awarded grants in 2018. A further four organisations, including the PHG Foundation and Cardiff University, received Phase 2 funding.

Growth. Across 2018/2019, the ICO headcount grew considerably – from 505 to over 700. This expansion is expected to continue, with an anticipated headcount of 825 full-time staff by early 2020/2021, resulting in a near-doubling in size over the course of three years.

The fee income of the ICO has also seen a dramatic increase of 86% in 2018/2019, as compared to 2017/2018. This is due to the change in its funding model, involving an increase in annual data protection fee rates:

  • organisations with 10 or fewer staff and charities pay £40;
  • organisations with between 11 and 250 staff pay £60; and
  • organisations with over 250 staff now pay £2,900.

The ICO is committed to growing the number of organisations paying the fee and will “push for every single organisation required to pay the fee to do so”. As such, from November 2018 to the end of April 2019, the ICO issued over 3,800 notices of intent to fine for failure to pay the data protection fee and subsequently followed up with over 300 final penalty notices across the same period, recovering nearly £100,000 in fees and penalties.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.