Think again if you don’t believe data protection matters because the ICO will do nothing

Share This Post

I’ve heard a few times recently a general nonchalant approach to data protection compliance and a feeling that the ICO’s only after the “big boys”. After all if the mainstream media is the only guide you have to what the ICO is up to, then fair enough, they’re only interested in reporting the big fines and the household names (for example BA and Marriott – which incidentally neither have translated into any actual action so far (and the original intentions to fine were in the summer of 2019!)). Granted the ICO have only fined one company under GDPR, but they have actioned quite a few under old Data Protection (which occurs when a breach occurred before May 2018, when GDPR came into force, for example the recent case against Cathay Pacific (which is from March and still the headline enforcement action on their “Action we’ve taken” page)).

On the face of it – I get it. Difficult to see why you should worry about data protection when there seems to be little ICO action to indicate you might be at risk. But what if they’re busy, you just don’t know about it? This is one of the key takeaways you should take from the ICO’s 2019/20 Annual Report. Covering the 12 months to 31st March 2020 the report includes details of their main achievements (publication of the Age Appropriate Design code, launch of their regulatory sandbox, etc.), but it also includes some of the stats around just how busy they have been on the enforcement workload side:

  • 38,514 complaints with 60% resulting in an infringement
  • 395,197 calls to the ICO helpline, 54,052 via live chat, 22,050 written responses
  • 11,854 personal data breaches reported, although 95% of them not resulting in action; most breaches (20%) of them were in the health sector, 17% in general business and 14% in education
  • 127940 reports were received relating to issues regarding PECR (Privacy Electronic Communications Regulations – the law regarding direct marketing and using cookies) including 2544 complaints about cookies

And that’s not all. If you look at the Enforcement section of the ICO’s website, you’ll see just what they’ve been actioning, in 2020 alone so far (as of 24th August 2020), they:

  • Fined DSG Retail £500,000 for security failings
  • Prosecuted a former social worker who passed personal data of service users to a third-party
  • Fined CRDNN £500,000 for making more than 193m automated nuisance calls
  • Fined Cathay Pacific £500,000 for failings in its IT systems (server security, server patching, lack of access controls)
  • Prosecuted a Town Clerk for blocking a Freedom of Information request
  • Fined Black Lion Marketing £171,000 for unsolicited direct marketing calls
  • Fined Decision Technologies £90,000 for email marketing breaches caused by third-parties they’d used to send emails
  • Fined Rain Trading £80,000 for unsolicited marketing calls
  • Fined Koypo Laboratories £100,000 for unsolicited marketing emails

So, just because it’s not reported in the mainstream media, doesn’t mean the ICO aren’t dealing with compliance. And what if someone complained about your organisation’s data handling? Do you have all the right answers for the ICO – they could ask for your register of data processing activities, or want to speak to you about an alleged infringement, and in some cases they may even ask you to participate in a consensual audit.

If you’re happy to take the risk of dealing with an issue if/when it happens then fine. If you’re not so happy to take the risk, then let’s talk about how we can help you to put all the necessary measures in place to minimise that risk.

More To Explore


The key message from the ICO regarding the use of AI is not to forget if AI is processing personal data, then you need to

Read More »

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy