Anyone still wondering why Information Commissioner Elizabeth Denham went cap in hand to the Treasury to plead for more cash for her office need look no further: in the past year alone, data protection complaints doubled to 41,661; personal data breach cases rose 318% to 13,840; and the number of people contacting the ICO soared 66% to 471,224.
The figures – which also show complaints about electronic marketing (PECR) increased 26% to 138,368 and Freedom of Information gripes rose 12.5% to 6,418 – have been revealed in the first ICO annual report to cover a whole year of GDPR enforcement.
In what Denham brands an “unprecedented year”, she said that “there has been far greater awareness of data protection law, in particular the data rights of individuals, and greater awareness of the role of the regulator when these rights aren’t being respected”.
“The ICO has covered an enormous amount of ground over the past year – from the introduction of a new data protection law, to our calls to change the freedom of information law, from record-setting fines to a record number of people raising data protection concerns.
“The biggest moment of the year was the GDPR coming into force. This saw people wake up to the potential of their personal data, leading to greater awareness of the role of the regulator when their data rights aren’t being respected. The doubling of concerns raised with our office reflects that.”
Denham insisted that GDPR has also brought in a “step change” in how organisations approach data protection. “It increased the onus on organisations to take a proactive approach to data protection, identifying what risks they were creating through their use of data, and working to reduce and mitigate those risks. The greater enforcement powers granted to regulators helped to establish compliance as a board-level issue.”
She added: “Throughout the year, the ICO’s experienced and expert team worked incredibly hard to provide the support we knew organisations needed.”
However, this has come at a cost. Average staff numbers have risen by a third – from 480 to 638 year-on-year – in line with the ICO's increased GDPR powers. The regulator now has 722 permanent staff, which pushed its annual running costs up by 58%, from £27m to £43m.
Meanwhile, Denham herself secured a 29% pay rise last year from £140,000 to £180,000 – an increase of more than ten times inflation. The rise makes her one of the few public officials paid more than the Prime Minister, who receives just over £152,000.
In terms of enforcement, the report shows that the ICO issued a record-breaking 22 monetary penalties totalling more than £3m, including maximum £500,000 fines for Facebook and Equifax, while Uber was hit for £385,000, the Crown Prosecution Service got a £325,000 penalty, and Yahoo! UK Services was forced to cough up £250,000.
The £3m has, of course, been dwarfed by this week’s proposed fines against British Airways and Marriott International, which, if they go through, will rake in over £282m for the Treasury Consolidated Fund.
Even so, the ICO admits it is concerned about the huge costs of potential litigation to defend its decisions.
The annual report warned: “A risk to ensuring the ICO has adequate resources is the increased risk of contentious, complex and lengthy legal proceedings which has already started with the Facebook appeal and is likely to continue with the size of the fines that can be assessed under GDPR and the Data Protection Act 2018.
“We are currently exploring options to mitigate this risk. These options include ring-fencing fine income specifically to fund litigation costs, additional grant in aid, deficit budgeting, use of reserves, or seeking awards of costs through court proceedings. A key piece of work for 2019-20 will be to identify the way forward in this area.”