ICO set to expand ‘less is best’ regime to fuel UK growth

The UK Government’s drive for growth is likely to blow the threat of blockbuster fines for data protection breaches out of the water, except for the most heinous cases, signalling an expansion of the regulator’s “less is best” approach to enforcement.

That is according to the latest GDPR Fines & Data Breach Report from legal firm DLA Piper, which reveals the Information Commissioner’s Office has only issued three fines under UK GDPR over the past 12 months – a £750,000 penalty to the Police Service of Northern Ireland, a £350,000 fine to the Ministry of Defence and a £7,500 penalty to the Central YMCA for exposing personally identifiable details of people who have HIV via email.

Across the EU, meanwhile, there were GDPR fines totalling €1.2bn (£996m) issued during 2024.

However, the ICO has ploughed ahead with its enforcement of the Privacy & Electronic Communications Regulations (PECR), issuing 16 fines, totalling £1,667,500.

But unlike his predecessor, Elizabeth Denham, Commissioner John Edwards has already stated large fines do not work.

Late last year, Edwards told The Times: “I don’t believe that the quantum or volume of fines is a proxy for impact. I actually don’t believe that approach is necessarily the one that has the greatest impact.”

He went on to argue that issuing large fines would only tie up his office in litigation for years and that he preferred engaging with industry to ensure compliance; the ICO recently ran a public consultation on the further development of the reprimand policy.

The regime was first introduced on a trial basis in 2022 to replace the emphasis on stiff fines in an effort to work proactively with senior leaders to encourage data protection compliance, prevent harms before they occur and learn lessons when things have gone wrong.

During the trial, around 60 reprimands were issued, according to the ICO website. Edwards said this produced noticeable results, with organisations subsequently making significant changes.

While the ICO retains the right to impose fines for data protection failings, since 2022 these have totalled £1.2m, compared to a possible £23.2m under the previous regime.

Even so, the real driving force behind the change of approach is the Government’s growth agenda, with many industry observers pointing to the new, more business-friendly approach of the Data (Use & Access) Bill.

Chancellor Rachel Reeves has said that she wants to reduce the regulatory burden on British businesses, stating that “the UK has been regulating for risk, but not regulating for growth”. Prime Minister Sir Keir Starmer has also recently set out the Government’s position on AI regulation, saying that the UK will “go our own way” and will “test and understand AI before we regulate it to make sure that when we do it, it’s proportionate and grounded”.

The DLA Piper report concluded: “With the UK Government firmly focused on growth and the UK economy stubbornly sluggish, there is little appetite for active enforcement of existing laws.

“While we therefore predict a quiet year with respect to enforcement of the UK GDPR, we anticipate that there will be more active enforcement of other cybersecurity laws and regulations during 2025, notably the NIS Regulations 2018, given the continuing threat and prevalence of cyber-attacks.”
