The Information Commissioner’s Office enforcement team is facing further scrutiny following the release of new figures which show that, over the past year, the regulator has issued fines in just 0.25% of the cases it has investigated, equivalent to only one fine for every 395 inquiries.
According to a Freedom of Information request made by Digi.me, 11,468 data breach cases were closed in the past year, but only 29 have resulted in fines for breaches of the Privacy & Electronic Communications Regulations (PECR) and the Data Protection Act 1998. There have also been 13 enforcement notices handed out.
The ICO has yet to issue a single fine under GDPR. Across the EU there have been a total of €56m in fines for 91 companies, although €50m of that was against Google.
Digi.me founder Julian Ranger said: “There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.
“Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organisation that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”
A separate FOI request made by Decision Marketing revealed the full scale of the ICO’s task after the regulator admitted it has over 10,000 active cases – and counting – of potential breaches of data protection laws.
ESET cyber security specialist Jake Moore said: “With data breaches being at an all-time high, organisations need an extra push to get their ducks in a row. The lack of monetary penalties is only going to discourage those companies that are making all the internal changes required to comply with GDPR laws, while others are having their cake and eating it too. The appropriate level of enforcement is required to make the needle move; therefore the ICO must practise what it preaches.”