ICO Enforcement Action January – June 2024

Stuart Skelly
|
Senior Consultant at URM
|
PUBLISHED on
18 Jul
2024

Since we have now passed the half year mark for 2024, we at URM have decided to conduct a mid-year review of enforcement action by the Information Commissioner’s Office (ICO).  In this blog, we will summarise and analyse the fines and other enforcements imposed by the ICO, in the first 6 months of this year, on organisations found to be in breach of data protection law, such as the General Data Protection Regulation (GDPR), and compare these enforcement activities to the actions taken by the regulator in the same period of 2023.

How Many Enforcement Actions has the ICO Delivered in 2024?

During the first half of 2024, the ICO recorded a total of 29 enforcement actions (fines, reprimands or enforcement notices) on its website, brought against 22 organisations - slightly down on the same period last year in which it took 33 actions against 28 parties (27 organisations and one individual).

ICO Enforcement Actions January - June 2024

Of the 22 organisations which incurred enforcement proceedings in 2024, 13 were public bodies and 9 were private companies.  This compares to 15 public authorities enforced against in the first half of 2023 and 13 private sector organisations – so, there was a slightly more even split between public and private entities last year, but with public bodies still forming the majority in both years.

ICO Enforcement Actions - Public vs Private Sector

One eye-catching feature of both years’ figures is that, of the 15 public bodies that received enforcement in 2023, 6 (or 40%) were either police forces or other law enforcement agencies.  In 2024, that figure had risen to 7 (54%) of the 13 public authority recipients of action being police or other law enforcement bodies.  It should be noted that the 2024 figure does not include the £750K Notice of Intention to Fine issued by the ICO in May against the Police Service of Northern Ireland for the very serious data security breach it committed last year.

ICO Enforcement Actions in Public Sector

Why Were the ICO’s Enforcement Actions Delivered?

Of the 9 monetary penalties imposed by the ICO in the first half of this year, the overriding majority (7) resulted from infringements of the Privacy and Electronic Communications Regulations (PECR) rules on telemarketing, rather than from infringements of the GDPR.  This very closely mirrors the position last year (when there were 8 fines levied in the first six months, including 7 for breaches of PECR).  Interestingly, the two non-PECR fines in 2024 were applied to a government department (the Ministry of Defence) and a charity (the Central YMCA), notable departures from the ICO’s usual policy of not fining public bodies.  

Also interesting, and probably relevant to the ICO’s decision to fine (and not just reprimand) the organisations, both fines related to data breaches which involved the unauthorised disclosure of highly sensitive information through the inadvertent inclusion of data subjects’ email addresses in the visible ‘CC’ field of multiple-recipient emails, rather than the ‘BCC’ one.  Presumably the ICO wanted to drive home the message regarding the disproportionate harm that can be caused by this simple, recurrent and easily controllable data security lapse.

At £350,000 (reduced from the £1m initially proposed), the MOD’s fine is by far the bigger of the two monetary penalties so far in 2024.  By contrast, last year’s biggest fine – the £12.7m sanction imposed on TikTok – was an anomaly because it was the third largest ever issued by the UK regulator.

The 20 enforcement actions so far in 2024 which were not fines comprised 10 reprimands (all with regard to public sector bodies); and 10 enforcement notices (of which 8 involved private sector organisations and 2 involved public authorities).  In respect of January to June 2023 on the other hand, the 25 non-monetary penalties consisted of 16 reprimands (14 of which were issued to public authorities); 8 enforcement notices (involving 6 private entities and 2 public bodies); and one prosecution of an individual, for illegally obtaining personal information contrary to Section 55 of the Data Protection Act 2018.

ICO Enforcement Actions - Non Fine Enforcements 2024

What Conclusions Can We Draw From the ICO’s 2024 Enforcement Actions?

There are some trends discernible which are consistent across the first half of 2024 and the same period in 2023:

  • Continuing low numbers of fines are being issued by the ICO, with these usually being incurred by private sector organisations for contraventions of PECR;
  • Police and other law enforcement bodies are overrepresented among public organisations which receive non-fine enforcement actions (mostly reprimands); and
  • The regulator favours reprimanding public sector organisations (and issuing enforcement notices to private sector ones), rather than issuing other forms of enforcement - however it is prepared to fine public bodies when the breaches committed, and damage suffered by the individuals affected, have been particularly grievous.

How URM can help?

For organisations of all sizes and across all sectors, maintaining GDPR compliance and avoiding the many consequences associated with being found to be in breach of data protection law is of vital importance, however navigating regulatory compliance without assistance can be tricky.  As such, your organisation may find substantial benefit in engaging a GDPR consultancy provider, such as URM.  With 19 years of experience supporting organisations’ compliance with DP legislation, you can be assured that any GDPR consultancy services you receive from URM are both informed by a long and successful track record, and grounded in a robust knowledge base of legislative and regulatory requirements.  A URM GDPR consultant can, for example, conduct a gap analysis to identify any areas where your organisation is not currently meeting compliance requirements, or help you build a comprehensive ROPA that not only meets statutory requirements, but also functions as an effective tool for identifying risk in your processing activities.  If you would like ongoing compliance support, our virtual data protection officer (DPO) service provides you with access to a team of qualified and highly experienced GDPR consultants, each with their own area of specialisation.  Our other DP consultancy services include assisting with data privacy impact assessments (DPIAs), and with data subject access request (DSAR) redactions.

Training courses

URM can also offer a range of data protection and GDPR training courses, all of which are led by an experienced data protection practitioner. By attending our 1-day ‘How to Manage DSARs’ training course, you will learn how to recognise a GDPR DSAR and respond to/fulfil these requests whilst maintaining regulatory compliance.  Meanwhile, attending our half-day training courses on ‘Conducting DPIAs’ and ‘Conducting Data Transfer Impact Assessments (DTIAs)’ will provide you with the knowledge and practical skills necessary to perform these vital compliance activities and ensure your organisation’s personal data processing is always aligned with GDPR requirements. Our BCS Foundation Certificate in Data Protection training course is aimed at providing you with a sound grounding and practical interpretation of the key elements of UK data protection law, including the UK GDPR and the UK Data Protection Act 2018.  The on-line, instructor-led course is delivered across 4 mornings, and, following successful completion of the BCS administered examination, you will receive an industry-recognised data protection qualification.

Stuart Skelly
Senior Consultant at URM
Stuart is a highly experienced and knowledgeable GRC consultant at URM who has specialised in data protection law for 25 years.
Read more

Do you need assistance in improving your GDPR compliance position?

URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes etc.
Thumbnail of the Blog Illustration
Data Protection
Published on
25/7/2022
In-house Resource vs Virtual DPO

This blog takes a look at DPOs and considers when to look in-house and when a virtual, external resource or hybrid resource may be a better option.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
31/10/2024
DUA Bill: An Initial Assessment

URM’s blog compares the Government’s new Data (Use and Access) Bill with the previous Government’s DPDI Bill, & how it may alter the UK GDPR when it is passed.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
22/7/2022
Data Protection and Management System Standards – Which is Best for Me?

Is there a catch-all international standard that effectively proves external verification of data protection compliance?

Read more
This was informative and contained just about enough what I needed at this point in time. Thanks.
Webinar 'Cyber Essentials Certification - What, Why and How'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.