Most GDPR enforcement actions by the UK’s Information Commissioner’s Office (ICO) in 2024 were against public sector organizations, an analysis by URM Consulting has revealed.
A total of 27 UK public sector entities faced action under the GDPR, compared with just four private companies. The actions took a range of forms, including fines, reprimands and enforcement notices.
Just three of these actions resulted in fines. That is likely a result of an ICO policy, announced in July 2022, that the data protection regulator would levy fewer financial penalties, and lower sums, against the public sector, as such fines are likely to negatively impact public services.
The three GDPR public sector fines issued by the ICO in 2024 all related to accidental data leaks exposing sensitive personal details of individuals. Some of these leaks were found to have put victims’ lives at risk:
Stuart Skelly, Senior Consultant at URM, said: “The reason for the ICO diverging from its normal approach of avoiding fining public entities was probably the egregious nature of the breaches in each case: the YMCA infringement involved highly sensitive health data, and the MOD and PSNI breaches posed a real threat to people’s lives.”
In the PSNI and MOD cases, the fine amounts were significantly scaled back from what was initially announced: a £5.6m fine had originally been planned for PSNI and £1m for the MOD.
The remaining public sector GDPR enforcement actions were reprimands (18) or enforcement notices (11).
A reprimand is a formal warning issued by the ICO indicating non-compliance with data protection law, while an enforcement notice is a more serious action requiring an organization to take specific steps to rectify a significant data protection violation.
In 2023, the ICO issued no enforcement notices to public sector organizations under the GDPR.
There were a total of 62 instances of enforcement action against 47 organizations by the data protection regulator last year, many of them under the Privacy and Electronic Communications Regulations (PECR) rather than the GDPR.
ICO’s Fining Approach Diverges from EU Counterparts
A total of 18 fines were issued by the ICO in 2024, 15 of them for breaches of the PECR. The proportion of fines attributable to breaches of the UK GDPR rose in 2024 to one sixth of the total.
The average ICO fine was £153,722 ($191,300) in 2024, significantly lower than the 2023 average of £816,471 ($1.01m).
However, the researchers pointed out that the 2023 figure was heavily skewed by the £12.7m ($15.75m) penalty handed to TikTok.
In total, the 18 fines in 2024 were worth £2.7m ($3.4m), the highest of which was the £750,000 MOD penalty.
The UK figures show a stark contrast in approach to fines between the ICO and its EU counterparts.
Law firm DLA Piper found that GDPR fines issued across the EU totaled €1.2bn ($1.26bn) in 2024. The Irish Data Protection Commission (DPC) alone has issued a total of €3.5bn ($3.7bn) in fines since May 2018.
The URM researchers expect the ICO’s more cautious approach to financial penalties to continue into 2025, given the different philosophical approach taken by the UK regulator compared with its EU counterparts.
In November 2024, UK Information Commissioner John Edwards told the British newspaper The Times that he did not believe the levying of fines was an effective means of keeping big tech companies in line, serving only to tie up the ICO in litigation.