The ICO’s annual report for 2018-19, published last week, provides a useful window into the regulator’s activity since the GDPR took effect last May. The headline message from the 114 pages is that the ICO is busier (and bigger) than ever. We have highlighted below five key areas that shine a light on what this has meant in practice over the last 12 months:
1. Personal data breach reports: with stricter reporting requirements under the GDPR, just under 14,000 were received, up from 3,300 in 2017-18. In 82% of cases, no further action was required by the ICO. Less than 1% of reports led to a monetary penalty, but next year’s report will probably be more revealing in this respect, because many of the cases dealt with in 2018-19 relate to breaches under the Data Protection Act 1998. The provisional fines issued by the ICO in early July in the BA and Marriott cases are, at the very least, a reminder to keep data security practices and arrangements under close review (see our separate briefing).
2. Data protection complaints: perhaps unsurprisingly given the coverage of the GDPR in the news and heightened awareness amongst individuals of their data protection rights, complaints to the ICO have almost doubled in the last year, from 21,019 in 2017-18 to 41,661 in 2018-19. The ICO redeployed (and increased) its resources to deal with this increased workload and managed to maintain its 99% ‘no more than six months to resolve’ target for dealing with complaints.
3. Nature of complaints: the reason for complaints has changed little since the GDPR took effect. By far the most common reason relates to “subject access” (as it has been for the last two years), accounting for around 40% of complaints. This was followed by “disclosure of data” (but some way behind on 16%). While the report does not drill down into the nature of these complaints, we take this to mean that the majority of complaints are about data subject access requests not answered to the data subject’s satisfaction, or the data subject being disappointed (or worse) about how their personal data has been shared, and/or with whom.
4. PECR complaints: complaints relating to the Privacy and Electronic Communications Regulations (PECR) were up since the GDPR took effect in May 2018. The single largest category was ‘telesales calls with recorded voices’ (around 65,000 complaints out of a total of approximately 140,000). The ICO issued 23 monetary penalties for breaches of PECR in 2018-19, totalling just over £2 million. (For the time being, the maximum PECR fine remains £500,000 rather than the higher GDPR levels.)
5. ICO resources: the ICO has, very consciously, increased its workforce by 40% (from 505 to more than 700 people) and total expenditure was up from £27.5m to £43.3m. Our experience has been that the quality of initial ICO casework has been patchier over the past year, probably reflecting that rapid growth.
Although the Information Commissioner describes it as an “unprecedented year”, it is clear from the report that with the new data protection regime in place, the corresponding trajectory of increased regulatory activity is likely to continue.
If you require further information about anything covered in this briefing, please contact Sam Talbot Rice, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2019