Under the UK GDPR, the Information Commissioner's Office (ICO), responsible for enforcing the UK GDPR, has the power to serve formal "reprimands", as well as fines and other enforcement notices, where organisations contravene the law.
In December last year a Freedom of Information Act (FOIA) request by Mishcon de Reya to the ICO revealed that a number of such reprimands had indeed been issued, including to some very large organisations, but that the ICO had not publicised them. This seemed contrary to the ICO's own policy [PDF] that its default position was to publish all formal regulatory work.
A further FOI request by the firm, for updated information, has revealed that in the interim period the ICO has issued several more reprimands, and recipients include the Government Communication Service (part of the Cabinet Office), UKIP and the CPS, as well as a number of police forces and other public bodies. Although the ICO has not provided details of the specific contraventions, its own Regulatory Action Policy [PDF] suggests that it will reserve its more significant powers (such as reprimands) for organisations "suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data".
Also of note is that the ICO has withheld the identity of one of the recipients, on the grounds that the information relates to a body dealing with national security and intelligence or serious organised crime.
The ICO has also confirmed to the firm that in the future, when it publishes its online datasets of casework outcomes, these will include reprimands.
This article was edited on 17 June 2022 to reflect a change requested by the ICO, who had originally wrongly identified the Government Digital Service, instead of the Government Communication Service, as a recipient of a reprimand.