We recently undertook a review of the GDPR enforcements by the ICO over the past 12 months, which revealed that lack of consent, failure to comply with control responsibilities and data security are the three most common infringements since July 2021.

Sixty-one per cent of the 28 enforcements were found to be in breach of Article 4.11 which states:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 

Article 4.7 and 5.1f were both breached by 14 per cent of the organisations who were found to either contravene their data controller responsibilities such as providing subject access or failing to keep their data secure. The Cabinet Office for instance was fined for accidentally published a CSV file containing the personal data of the New Year’s Honours List.

Seven per cent of the organisations were in breach of Article 3 which relates to the territorial scope of data and four per cent fell foul of Article 8.2 which concerns parental consent for the processing of data pertaining to children.

No other enforcements were made under GDPR regulations.

Of the findings our managing director, Martin Rides said:

“Whilst it is positive to see that the ICO is making enforcements, the fact that there have only been 28 in 12 months sends the tacit message that the likelihood of being fined is remote. Add to this that there are zero enforcements relating to data accuracy means that one of the key reasons that GDPR was established – giving consumers the power to control their marketing communication – is being ignored. Ensuring that customer data is kept clean and up to date is critical, not just for customer experience, but ROI too.”