Last year, the 23 May 2018 to be precise, the UK adapted the General Data
Protection Regulations (GDPR). The deadline created a rush of publicity and
activity as businesses across the UK pored over their data processing systems,
making changes to accommodate the new rules.
After the deadline, its as if the curtain came down on GDPR and we moved on
to consider other pressing issues, Brexit for example.
ICO has not been idle
But the Information Commissioners Office (ICO) have not been idle. The ICO have created an “Action we’ve taken” page on their website. Using their new powers, the ICO have been quick to up their audits and investigations since May 2018. Political motivated organisations, regional police groups and other data processors have come in for closer scrutiny and where necessary fines and winding up notices have been issued.
For example, an organisation received a penalty of £200,000 and an Enforcement Notice for breaching ICO regulations by sending out nearly fifteen million unlawful SMS marketing messages to subscribers.
By the end of last year, the ICO had 79 cases under investigation, and on 17 December 2018, new powers were adopted through amendments to the Privacy and Electronic Communications Regulations 2003. The ICO says:
The new law allows the ICO to serve monetary penalties, of up to £500,000, on directors and senior officers of companies held responsible for making nuisance calls or sending nuisance messages or emails.
The new data protection regulations are here to stay
GDPR, and its enforcement by the ICO, is here to stay. In the coming months we will probably see an increasing number of cases bought by the ICO as their initial enquiries turn into litigation and the issue of penalty notices. Readers should also be advised that the GDPR has now been absorbed into UK law by the Data Protection Act 2018 (DPA). Even if we leave the EU and abandon its legislation the DPA will still apply. Data regulation and enforcement, it would seem, is here to stay.