An FOI request by Mishcon de Reya reveals that the ICO has issued no "notices of intent" to serve GDPR fines, nearly ten months on from it coming into effect.
In the lead up to the General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, one of the biggest concerns for organisations was huge administrative fines for infringements. Although the Information Commissioner's Office (ICO) had had the power to issue penalties under the previous data protection laws, the level of potential fines under GDPR certainly concentrated the mind: the maximum is now set at €20m or 4% of global annual turnover, whichever is higher.
The media commentary focused on these fining powers, and, although the ICO stressed, back in August 2017, that "it's scaremongering to suggest that we'll be making early examples...", many have been wondering when the first GDPR fine in the UK will emerge. However, making use of the freedom of information law, Mishcon de Reya has established that the ICO has not served a single notice of intent to serve a fine, almost a year on from GDPR's commencement.
Under schedule 16 to the Data Protection Act 2018, which also came into effect on 25 May 2018, the ICO must, if it wishes to serve a fine for a GDPR infringement, give a written "notice of intent" which allows the recipient to make representations. Without a notice of intent (and a period afterwards to consider those representations), no fine can be issued. So that first example may still be a long way off.
An ICO representative told the firm: "Our work is not just about fines, but we will take our strongest action against those that wilfully, negligently or consistently flout the law." They also pointed out that the ICO has other enforcement action open to it, such as warning letters and reprimands, enforcement notices and assessment notices, and that it is pursuing ongoing investigations including into BA, Marriott and Ticketmaster.
It is also worth noting that the ICO has (as was anticipated) seen a large increase in the volume of breaches, incidents and complaints reported to it since May last year. Perhaps it's not that surprising that it is not rushing in this regard. But fines are a big weapon in its armoury, and the ICO's equivalents in eleven other countries have already issued fines, including the CNIL, in France, which recently served Google with one of €50m.