GDPR one year on

12 June 2019


The Information Commissioners’ Office (ICO) has published a report ‘GDPR one year on’ which provides an overview of the ICO’s experience in the first year of the General Data Protection Regulation (GDPR), and shares information and insights that will be further explored in its Annual Report later this year.


The update describes some of the work undertaken to deliver the six goals set out in the ICO’s Information Rights Strategic Plan. This includes supporting the public to use their new rights, working with organisations to provide support and guidance and using new enforcement and investigation powers. The report also covers how the ICO is working to stay relevant and foster innovation and ensuring it is a well-resourced, influential regulator on the national and international stage.


Some of the key points from the report include:



The ICO recognise it hasn’t been easy for small organisations to become GDPR compliant. Legal bases for processing, data auditing and privacy policies take time to understand and there are no quick fixes for making sure people’s personal data is being processed legally. For sole traders this has been particularly difficult.


In addition to the services that the ICO has to help this community understand their responsibilities, it will also soon be establishing a ‘one-stop shop for SMEs’, drawing together the expertise from across ICO’s regulatory teams to help it better support those organisations without the capacity or obligation to maintain dedicated in-house compliance resources.


All organisations

The ICO has put comprehensive guidance in place to help all organisations understand and comply with their obligations. The aim is now to focus on where existing guidance still needs to be updated and ensure the continued provision of a clear and comprehensive guide to the law.


Alongside guidance, the ICO also has responsibility for creating four statutory codes for:


  • data sharing
  • direct marketing
  • age-appropriate design
  • data protection and journalism

These codes are being developed and will play an important part in supporting the implementation of the GDPR in these areas.


Data sharing code

The data sharing code will update the existing data sharing code of practice, which was published in 2011 under the DPA 1998. Data sharing brings important benefits to organisations, citizens and consumers, making their lives easier and helping with the delivery of efficient services.


One of the myths of the GDPR is that it prevents data sharing, which isn’t true. The GDPR aims to ensure that there is trust and confidence in how organisations use personal data and ensure that organisations share data securely and fairly. To achieve this, it is important that data controllers have clear guidance on data sharing so that individuals can be confident that their data is shared securely and responsibly.


A call for views on the data sharing code closed in September 2018. The ICO is currently considering the views presented and expect to launch a further consultation in June 2019 and for the code to be laid before Parliament in the autumn.


Acting on personal data breaches

The ICO received around 14,000 personal data breach (PDB) reports from 25 May 2018 to 1 May 2019, this is in comparison, to around 3,300 PDB reports in the year from 1 April 2017.


12,000 of these cases were closed during the year and of these, only around 17.5% required action from the organisation and less than 0.5% led to either an improvement plan or civil monetary penalty. While this means that over 82% of cases required no action from the organisation, it demonstrates that businesses are taking the requirements of the GDPR seriously and it is encouraging that these are being proactively and systematically reported.


However, figures also show that it remains a challenge for organisations and Data Protection Officer’s (DPO) to assess and report breaches within the statutory timescales. The ICO recognise this and do provide support and guidance to help organisations to meet the requirements to report.


Responding to public concerns

Greater awareness of individual rights has meant that the ICO has seen a significant impact on the numbers of concerns raised with it by the public. From 25 May 2018 to 1 May 2019, over 41,000 data protection concerns were received from the public which is almost double for 2017/18 which was around 21,000.


Subject access requests (SARs) remain the most frequent complaint category, representing around 38% of data protection complaints received. This is similar to the proportion before the GDPR (39%). In fact, the general trend is that all categories of complaint have risen in proportion with the overall increased number of complaints since the implementation of the GDPR.


ICO resource

Due to GDPR the ICO’s workforce has increased and it is anticipated that by early 2020/21 the ICO will have almost doubled in size over three years. As might be expected, training and developing new staff has been a key feature of the past year.


Looking forward

Even with the changes and achievements in the first year of GDPR, the ICO says that it is clear there is much left to do. It will continue to strive to deliver regulatory outcomes which support its mission of upholding information rights for the UK public in the digital age and the trust and confidence in how data is used. 


The ICO will continue to focus on the areas identified as its regulatory priorities. These include:


  • cyber security
  • AI, big data and machine learning
  • web and cross-device tracking for marketing purposes
  • children’s privacy
  • use of surveillance and facial recognition technology
  • data broking
  • the use of personal information in political campaigns
  • freedom of information compliance.


Read the full report from the ICO ‘GDPR one year on