ICO Enforcement Action January – June 2024

ICO Enforcement Action January – June 2024

Since we have now passed the half year mark for 2024, we at URM have decided to conduct a mid-year review of enforcement action by the Information Commissioner’s Office (ICO). ?In this blog, we will summarise and analyse the fines and other enforcements imposed by the ICO, in the first 6 months of this year, on organisations found to be in breach of data protection law, such as the General Data Protection Regulation (GDPR), and compare these enforcement activities to the actions taken by the regulator in the same period of 2023 .

How Many Enforcement Actions has the ICO Delivered in 2024?

During the first half of 2024, the ICO recorded a total of 29 enforcement actions (fines, reprimands or enforcement notices) on its website, brought against 22 organisations - slightly down on the same period last year in which it took 33 actions against 28 parties (27 organisations and one individual).


Of the 22 organisations which incurred enforcement proceedings in 2024, 13 were public bodies and 9 were private companies. ?This compares to 15 public authorities enforced against in the first half of 2023 and 13 private sector organisations – so, there was a slightly more even split between public and private entities last year, but with public bodies still forming the majority in both years.


One eye-catching feature of both years’ figures is that, of the 15 public bodies that received enforcement in 2023, 6 (or 40%) were either police forces or other law enforcement agencies. ?In 2024, that figure had risen to 7 (54%) of the 13 public authority recipients of action being police or other law enforcement bodies. ?It should be noted that the 2024 figure does not include the £750K Notice of Intention to Fine issued by the ICO in May against the Police Service of Northern Ireland for the very serious data security breach it committed last year.


Why Were the ICO’s Enforcement Actions Delivered?

Of the 9 monetary penalties imposed by the ICO in the first half of this year, the overriding majority (7) resulted from infringements of the Privacy and Electronic Communications Regulations (PECR) rules on telemarketing, rather than from infringements of the GDPR. ?This very closely mirrors the position last year (when there were 8 fines levied in the first six months, including 7 for breaches of PECR). ?Interestingly, the two non-PECR fines in 2024 were applied to a government department (the Ministry of Defence) and a charity (the Central YMCA), notable departures from the ICO’s usual policy of not fining public bodies. ?

Also interesting, and probably relevant to the ICO’s decision to fine (and not just reprimand) the organisations, both fines related to data breaches which involved the unauthorised disclosure of highly sensitive information through the inadvertent inclusion of data subjects’ email addresses in the visible ‘CC’ field of multiple-recipient emails, rather than the ‘BCC’ one. ?Presumably the ICO wanted to drive home the message regarding the disproportionate harm that can be caused by this simple, recurrent and easily controllable data security lapse.

At £350,000 (reduced from the £1m initially proposed), the MOD’s fine is by far the bigger of the two monetary penalties so far in 2024. ?By contrast, last year’s biggest fine – the £12.7m sanction imposed on TikTok – was an anomaly because it was the third largest ever issued by the UK regulator.

The 20 enforcement actions so far in 2024 which were not fines comprised 10 reprimands (all with regard to public sector bodies); and 10 enforcement notices (of which 8 involved private sector organisations and 2 involved public authorities). ?In respect of January to June 2023 on the other hand, the 25 non-monetary penalties consisted of 16 reprimands (14 of which were issued to public authorities); 8 enforcement notices (involving 6 private entities and 2 public bodies); and one prosecution of an individual, for illegally obtaining personal information contrary to Section 55 of the Data Protection Act 2018.


SPECIAL OFFER

FREE GDPR Compliance Review

High-level review of your GDPR compliance position.

Contact us before

30/8/2024

Register your interest

SPECIAL OFFER

What Conclusions Can We Draw From the ICO’s 2024 Enforcement Actions?

There are some trends discernible which are consistent across the first half of 2024 and the same period in 2023:

  • Continuing low numbers of fines are being issued by the ICO, with these usually being incurred by private sector organisations for contraventions of PECR;
  • Police and other law enforcement bodies are overrepresented among public organisations which receive non-fine enforcement actions (mostly reprimands); and
  • The regulator favours reprimanding public sector organisations (and issuing enforcement notices to private sector ones), rather than issuing other forms of enforcement - however it is prepared to fine public bodies when the breaches committed, and damage suffered by the individuals affected, have been particularly grievous.

How URM can help?

For organisations of all sizes and across all sectors, maintaining GDPR compliance and avoiding the many consequences associated with being found to be in breach of data protection law is of vital importance, however navigating regulatory compliance without assistance can be tricky. ?As such, your organisation may find substantial benefit in engaging a GDPR consultancy provider, such as URM. ?With 19 years of experience supporting organisations’ compliance with DP legislation, you can be assured that any GDPR consultancy services you receive from URM are both informed by a long and successful track record, and grounded in a robust knowledge base of legislative and regulatory requirements. ?A URM GDPR consultant can, for example, conduct a gap analysis to identify any areas where your organisation is not currently meeting compliance requirements, or help you build a comprehensive ROPA that not only meets statutory requirements, but also functions as an effective tool for identifying risk in your processing activities. ?If you would like ongoing compliance support, our virtual data protection officer (DPO) service provides you with access to a team of qualified and highly experienced GDPR consultants , each with their own area of specialisation. ?Our other DP consultancy services include assisting with data privacy impact assessments (DPIAs), and with data subject access request (DSAR) redactions.

Training courses

URM can also offer a range of data protection and GDPR training courses, all of which are led by an experienced data protection practitioner. By attending our 1-day ‘How to Manage DSARs ’ training course, you will learn how to recognise a GDPR DSAR and respond to/fulfil these requests whilst maintaining regulatory compliance. ?Meanwhile, attending our half-day training courses on ‘Conducting DPIAs ’ and ‘Conducting Data Transfer Impact Assessments (DTIAs) ’ will provide you with the knowledge and practical skills necessary to perform these vital compliance activities and ensure your organisation’s personal data processing is always aligned with GDPR requirements. Our BCS Foundation Certificate in Data Protection training course is aimed at providing you with a sound grounding and practical interpretation of the key elements of UK data protection law, including the UK GDPR and the UK Data Protection Act 2018. ?The on-line, instructor-led course is delivered across 4 mornings, and, following successful completion of the BCS administered examination, you will receive an industry-recognised data protection qualification.

要查看或添加评论,请登录

社区洞察

其他会员也浏览了