As we stated in our review of 2022’s fines by the data protection (DP) regulator, when looking to comply with the UK General Data Protection Regulation (UK GDPR), it is always a worthwhile exercise to understand which areas organisations are falling foul of in terms of compliance. As such, URM has carried out another review and analysis – this time, of the fines imposed in 2023 by the Information Commissioner’s Office (ICO), as well as looking to see if there were any discernible differences from 2022.
Number of Fines and Sector Focus
In 2023, the ICO imposed a total of 17 monetary penalties, half the number it handed down in 2022.
One immediate ‘headline’ to note is that none of the 17 organisations fined during 2023 operates in the public sector (the £350,000 fine announced against the Ministry of Defence on 13 December 2023 has not yet been entered onto the ICO’s ‘Enforcement Action’ website page). This is confirmation of the ongoing approach by the ICO, announced in the summer of 2022, to only impose financial penalties on public sector bodies in extreme cases, and instead issue reprimands when delivering enforcement action for less serious breaches (see further on this below).
Reasons for Fines Being Imposed
Let’s look at the reasons why fines were imposed by the ICO in 2023. The following graph summarises what breaches occurred for the fine to be imposed.
This shows that, as in 2022, the vast majority of the ICO’s fines were directed not at infringements of the UK GDPR, but at breaches of the Privacy and Electronic Communications Regulations (‘PECR’). In fact, over one year the disparity has grown even more marked. By comparison, of the 34 fines imposed in 2022, 29 related to PECR infringements and 5 related to GDPR infringements.
As such, the proportion of GDPR breaches fined, as a percentage of the total number of contraventions of all kinds (i.e. including PECR infringements) penalised, rather than rising over this period – as it had done between 2021 and 2022 – has sharply fallen to under 6% (one in seventeen) from nearly 15% in 2022. This is also explained by the shift in the ICO’s stance on fining public authorities. Of the 30 GDPR cases in total in which it took enforcement action in 2023, as noted above only 1 resulted in a fine being imposed – the rest were all punished by issuing reprimands. Of these 29 reprimands, however, only 20 were issued to public bodies – meaning that, despite the Information Commissioner’s rationale for not fining authorities (that such penalties have limited deterrent effect because it is ultimately the taxpayer who pays them), 9 recipients of reprimands were in fact private companies. URM will keep an eye on this apparent new trend for reprimanding, rather than fining, private sector organisations as well as public ones to see if it continues in 2024.
* The £350,000 fine announced against the Ministry of Defence on 13 December 2023 has not yet been entered onto the ICO’s ‘Enforcement Action’ website page.
Nature of 2023 GDPR-related Enforcement - Brexit Finally Takes Effect
As stated in the table above, the one GDPR fine in 2023 was imposed for breach of the post-Brexit ‘UK GDPR’ only. But of the 29 reprimands, 3 involved unlawful processing which predated Brexit, hence these reprimands were imposed under the pre-Brexit GDPR, not the UK GDPR. As we mentioned in last year’s fines review, as time passes, the proportion of cases the regulator investigates which involve pre-Brexit processing will inevitably decline. As such, the latest of the three 2023 reprimands, dated 10 March, may very well be the last ICO enforcement action which relates solely to processing under the old GDPR, but we will check this point during 2024. The UK GDPR is, currently, nearly identical to the original GDPR (now known in the UK as the ‘EU GDPR’), though this will change with the passing of the Data Protection and Digital Information Act (predicted to occur in the summer of 2024).
The Cost of a Breach
The 17 fines imposed by the ICO in 2023 ranged from £30,000 to over £10 million. They were split almost evenly between those for under £100K and those over (9 and 8 respectively). In total, these 17 fines brought in over £13m to the Treasury. The average fine in 2023 was £816,471, nearly double what it was in 2022, though this figure was skewed by the enormous fine received by the global video-sharing platform, TikTok (see below).
GDPR Breach Receives Biggest Fine
The £1.18m in fines for infringements of the PECR rules was dwarfed by the largest fine levied by the ICO in the year – the £12.7m penalty handed out to TikTok Information Technologies UK Ltd and its American parent company, TikTok Inc. in May 2023 for its breaches of multiple articles of the GDPR and UK GDPR, including those relating to the lawful use of the personal data of children.
Cookies and the Future
Many of you will have heard that in November 2023 the Information Commissioner wrote to organisations operating some of the UK’s most visited websites regarding their use of cookies, expressing concern that these companies were not following the ICO’s guidance on website design and were not providing users with adequate choice as to whether their activities are tracked for personalised marketing. The ICO’s crackdown on cookies came too late to be reflected in 2023 fines, but we will be tracking how the regulator’s heightened vigilance on this matter develops and whether there is any uptick in the number of fines for breaches of the relevant parts of the PECR during the coming year.
URM will of course be monitoring all the other future ICO fines and reprimands too – let’s see what 2024 brings!
How URM can Help
For any organisation hoping to avoid ICO enforcement action, maintaining GDPR compliance is of the utmost importance. With 17 years of experience in helping organisations achieve and remain compliant with DP legislation, URM is ideally placed to provide GDPR consultancy services which can help your organisation do the same. Our highly qualified and experienced GDPR consultants can offer a range of services to help your organisation comply with the Regulation. We can conduct a gap analysis of your current processing practices and provide remediation support, as well as offering more specific services such as help with data privacy impact assessments or, if you receive data subject access requests (DSARs), a GDPR DSAR redaction service. We can also help you produce a record of processing activities (ROPA), and offer a virtual data protection officer (DPO) service, which allows you to access an entire team of DP practitioners, each with their own specialised area of GDPR consultancy.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules, training programmes etc.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will help you understand your current levels of compliance and identify gaps and vulnerabilities.