Our latest review of the GDPR enforcements undertaken by the ICO over the past 12 months reveals that data processing security and right of access are the most common infringements since July 2022.

Almost a third (30 per cent) of the 30 recorded infringements this year pertained to Article 5, the principles relating to data processing and of these 21 per cent were for Article 5 (f) which specifies that personal data must be processed in a manner that ensures appropriate security. Sixteen per cent contravened Article 15: Right of Access by the data subject and 15 per cent were non-compliant to Article 12 (data transparency) and Article 32 (security of processing).

Last year the lion’s share of enforcements (61 per cent) were found to be in breach of Article 4.11 which relates to consent. There were no 4.11 infringements from July 2022 to June 2023.

Of the 80 total enforcements made by the ICO during the period, 38 per cent of them were for GDPR contraventions, whilst 41 per cent were for failing to comply to PECR and 21 per cent were DPA infringements.  Of the 33 Privacy and Electronic Communications Regulation enforcements 27 related to Regulation 21: the use of unsolicited calls and five were for failing to comply with Regulation 22: the improper use of electronic mail. Regulation 21 enforcements resulted in £1.9m worth of fines being issued, whilst Regulation 22 contraventions amounted to £385,000 worth of fines.

The largest single fines between July 2022 and June 2023, however, were for GDPR infractions with Tik Tok being fined £12.7m for misuse of children’s data and Interserve being fined £4.4m for a breach that resulted in 113,000 employees’ data being accessed by third parties.

Comments Martin Rides, Manging Director, The Software Bureau :

“Over the last 12 months there has been a very marginal increase in the number of GDPR enforcements made (+7%). Whilst it is positive to see that the ICO is making enforcements, the fact that there have only been 30 in 12 months sends the tacit message that the likelihood of being fined is remote. However, what is interesting to note is the shift in infraction trends. Last year we saw a large number of the enforcements relating to consent, whilst this year the focus is on processing security. The onus is on organisations to ensure their data remains secure when it is being processed, which is why we have invested heavily in providing secure cloud-based processing solutions for our clients so they can be sure that they are fully compliant.”