Most UK GDPR Enforcement Actions Targeted Public Sector in 2024
Most GDPR enforcement actions by the UK’s Information Commissioner’s Office (ICO) were against public sector organizations in 2024, an analysis by URM Consulting has revealed.
A total of 27 UK public sector entities faced actions under the GDPR, compared to just four private companies. The actions took a range of forms, including fines, reprimands and enforcement notices.
Just three of these actions resulted in fines. This is likely a result of an ICO policy announced in July 2022 that the data protection regulator would levy fewer financial penalties, and lower sums, against the public sector, as such fines are likely to negatively impact public services.
The three GDPR public sector fines issued by the ICO in 2024 all related to accidental data leaks exposing sensitive personal details of individuals. Some of these leaks were found to have put victims’ lives at risk.
Stuart Skelly, Senior Consultant at URM, said: “The reason for the ICO diverging from its normal approach of avoiding fining public entities was probably the egregious nature of the breaches in each case: the YMCA infringement involved highly sensitive health data, and the MOD and PSNI breaches posed a genuine threat to people’s lives.”
In the PSNI and MOD cases, the fine levels were significantly scaled back from what was initially announced. Originally, a £5.6m fine was planned for PSNI and £1m for MOD.
The rest of the public sector GDPR enforcement actions were made up of reprimands (18) or enforcement notices (11).
A reprimand is a formal warning issued by the ICO indicating non-compliance with data protection laws, while an enforcement notice is a more serious action requiring an organization to take specific steps to rectify a significant data protection violation.
In 2023, no enforcement notices were issued to public sector organizations under GDPR by the ICO.
There was a total of 62 instances of enforcement action against 47 organizations by the data protection regulator last year, with many of these coming under the Privacy and Electronic Communications Regulations (PECR).
ICO’s Fining Approach Diverges from EU Counterparts
A total of 18 fines were issued by the ICO in 2024, with 15 of these for breaches of the PECR. The proportion of fines attributable to breaches of the UK GDPR rose in 2024 to one sixth of the total.
The average ICO fine was £153,722 ($191,300) in 2024, significantly lower than the 2023 average of £816,471 ($1.01m).
However, the researchers pointed out the 2023 figure was heavily skewed by the £12.7m ($15.75m) penalty handed to TikTok.
In total, the 18 fines in 2024 were worth £2.7m ($3.4m), the highest of which was the £750,000 MOD penalty.
The UK figures demonstrate a stark difference in approach to fines between the ICO and EU counterparts.
Law firm DLA Piper found that GDPR fines issued across the EU totaled €1.2bn ($1.26bn) in 2024. The Irish Data Protection Commission (DPC) alone has issued a total of €3.5bn ($3.7bn) in fines since May 2018.
The URM researchers expect the ICO’s more cautious approach to financial penalties to continue into 2025 due to the different philosophical approach taken by the UK regulator compared to EU counterparts.
In November 2024, UK Information Commissioner John Edwards told British newspaper The Times that he didn’t believe the levying of fines was an effective way of keeping big tech firms in line, serving only to tie up the ICO in litigation.