Revealed: Data breaches which will get the ICO calling

UK firms have been warned that breaches of data processing security and of the right of access are the most common issues that will set off alarm bells at the Information Commissioner’s Office, following a new analysis of enforcements since July 2022.

The study, carried out by The Software Bureau, shows almost a third (30%) of the recorded infringements this year pertained to Article 5, the principles relating to data processing, and of these 21% were for Article 5 (f), which specifies that personal data must be processed in a manner that ensures appropriate security.

Meanwhile, 16% contravened Article 15 (right of access by the data subject) and 15% were non-compliant with Article 12 (data transparency) and Article 32 (security of processing).

Last year the lion’s share of enforcements (61%) were found to be in breach of Article 4.11, which relates to consent. There were no 4.11 infringements from July 2022 to June 2023.

Of the 80 total enforcements made by the ICO during the period, 38 were for GDPR contraventions, whilst 41% were for failing to comply with the Privacy & Electronic Communications Regulations and 21% were Data Protection Act infringements.

Of the 33 PECR enforcements, 27 related to Regulation 21 (the use of unsolicited calls) and five were for failing to comply with Regulation 22 (the improper use of electronic mail). Regulation 21 enforcements resulted in £1.9m worth of fines being issued, whilst Regulation 22 contraventions amounted to £385,000 worth of fines.

However, the largest single fines between July 2022 and June 2023 were for GDPR infractions, with TikTok being fined £12.7m for misuse of children’s data and Interserve being fined £4.4m for a breach that resulted in 113,000 employees’ data being accessed by third parties.

Software Bureau managing director Martin Rides said: “Over the past 12 months there has been a very marginal increase in the number of GDPR enforcements made (+7%). Whilst it is positive to see that the ICO is making enforcements, the fact that there have only been 30 in 12 months sends the tacit message that the likelihood of being fined is remote.

“However, what is interesting to note is the shift in infraction trends. Last year we saw a large number of the enforcements relating to consent, whilst this year the focus is on processing security.

“The onus is on organisations to ensure their data remains secure when it is being processed, which is why we have invested heavily in providing secure cloud-based processing solutions for our clients so they can be sure that they are fully compliant.”
