The ICO, pragmatic enforcement and the GDPR | DMA



Research conducted by Quocirca showed that, over the last two years, the Information Commissioner’s Office (ICO) has on average been issuing fines of 17% of the maximum penalty available.

The average fine was £80,000.

Of the 87 fines, 48 were PECR-related (average £95K). A further 13 were issued to charities for misuse of data (average £14K). Eight were for some sort of data processing issue (average £68K) and 18 were for data leaks (average £114K).

Of course, under GDPR, the maximum fine that the ICO could issue is much higher than it is currently: the maximum penalty under GDPR is €20 million, or 4% of global turnover, whichever is higher.

However, just because the ICO can issue such large fines, that does not mean it will want to use them.

Over the last two years the organisation has only issued 17% of the maximum, dishing out a total of 87 fines.

However, while this may seem low, applying the same logic to GDPR-level fines of £20 million could mean average fines of up to £2,800,000. This is dramatically higher than any fine issued before by the ICO and eye-watering for any organisation on the receiving end of such a high fine.

Although the regulator mostly prioritises cases based on the complaints it receives, so that resources are used to address the areas where the most harm is caused to consumers, some recent fines have resulted from a single complaint.

One of the ICO’s core objectives is to protect consumers from their data being misused.

When dealing with businesses, the ICO often places an emphasis on education and, where it can, will help a company to change its practices rather than instantly going into “big stick” mode.

The regulator is least effective when it becomes a fining factory, dealing out fines without constructively helping organisations to change.

The DMA hopes that the ICO will maintain its current proportionate and pragmatic approach, but this does not at all take away from the massive change coming with the GDPR. The fines are such that, even if applied at a low level, they would be far higher than any fine issued to date.
