Chances of being fined for GDPR breach 'remote at best'

UK GDPR might be up for review in the Data Reform Bill but even under the current regime the chances of rogue firms being punished are at best slim; at worst non-existent.

So says a new analysis of GDPR enforcements by The Software Bureau undertaken by the ICO over the past 12 months, which reveals that there have been 28 rulings but only five fines.

In fact the ICO has only issued a total of nine monetary penalties since GDPR came in force in May 2018, a move which The Software Bureau claims “sends the tacit message that the likelihood of being fined is remote”.

Of those businesses which have been fingered, a lack of consent, failure to comply with control responsibilities and data security are the three most common infringements since July 2021.

Over three-fifths (61%) of the 28 enforcements were found to be in breach of Article 4.11 which states: ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Just under one on six (14%) enforcements were for Article 4.7 and 5.1.f. with organisations found to either contravene their data controller responsibilities, such as providing subject access, or failing to keep their data secure.

The Cabinet Office, for instance, was fined for accidentally publishing a CSV file containing the personal data of the New Year’s Honours List.

Some 7% of the organisations were in breach of Article 3, which relates to the territorial scope of data and 4% fell foul of Article 8.2 which concerns parental consent for the processing of data pertaining to children.

No other enforcements have been made under GDPR.

A separate analysis was published in December last year following a Freedom of Information request filed by Mishcon de Reya senior data protection specialist Jon Baines. It revealed that 42 organisations have been given reprimands rather than enforcement notices since GDPR came into force, including high profile brands EasyJet, TSB, Asda, Morrisons, Zoom and Bupa.

Software Bureau managing director Martin Rides said: “Whilst it is positive to see that the ICO is making enforcements, the fact that there have only been 28 in 12 months sends the tacit message that the likelihood of being fined is remote.

“Add to this that there are zero enforcements relating to data accuracy means that one of the key reasons that GDPR was established – giving consumers the power to control their marketing communication – is being ignored.

“Ensuring that customer data is kept clean and up to date is critical, not just for customer experience, but ROI too.”