On May 30, 2019, the UK Information Commissioner’s Office (“ICO”) published its reflections on the year that has passed since the implementation of the EU General Data Protection Regulation (“GDPR”), together with a blog post by Elizabeth Denham, the UK Information Commissioner.
The paper, “GDPR One Year On,” describes the public’s growing awareness of their rights under data protection law, and steps the ICO has taken to respond. Key highlights include:
- Data Protection Officers (“DPOs”) reported a significant increase in the number of individuals exercising their rights since May 2018.
- The number of data protection concerns raised with the ICO by the public almost doubled compared with the previous year, from 21,000 to 41,000, between May 25, 2018, and May 1, 2019. Approximately 38% of these complaints related to subject access requests. Traffic on the ICO’s helpline, live chat and written advice services increased by 66%.
- Approximately 14,000 breaches were reported between May 25, 2018, and May 1, 2019 (although only a small number of these incidents resulted in an improvement plan or monetary penalty being issued by the ICO). This was a significant increase from the 3,300 breaches reported in the previous year.
- Some 23% of cases reported to data protection regulators across the EU (including data protection complaints, data breaches, proactive investigations or other similar issues) were reported to the ICO, suggesting that organizations in the UK reported issues more proactively than in other EU Member States.
- In response, the ICO has expanded its workforce from 505 in 2018 to more than 700 in 2019. It expects to employ approximately 825 staff by 2020/21.
- The ICO’s increased activity and expanded workforce are funded by an annual data protection fee. An increase in the number of organizations that pay the fee, and a change to the funding model, has led to an 86% increase in fee income from 2017/18 to 2018/19. In addition, the ICO has been more proactive in following up on unpaid fees. In the year leading up to April 30, 2019, the ICO issued more than 3,800 notices of intent to fine for failure to pay the data protection fee. Penalties issued for non-payment totaled almost £100,000.
The ICO warned that it will take “robust action” in response to non-compliance with the GDPR. Elizabeth Denham noted that many of the investigations launched under the GDPR are nearing completion and that the results will be available “soon, demonstrating the actions [her] office is willing and able to take to protect the public.”
The paper also highlights the steps the ICO has taken to support organizations of all sizes in complying with the GDPR. In addition to publishing detailed guidance, the ICO is in the process of creating (or updating) four statutory codes of practice covering data sharing, direct marketing, age-appropriate design, and data protection and journalism.
Looking ahead, Elizabeth Denham noted that for the second year of the GDPR, organizations’ focus must extend “beyond baseline compliance” toward “real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated.” She added that well-supported and resourced DPOs are fundamental to ensuring such accountability.