
Most UK GDPR Enforcement Actions Targeted Public Sector in 2024


In 2024, the UK’s Information Commissioner’s Office (ICO) directed the majority of its GDPR enforcement actions at public sector organizations, according to a recent analysis by URM Consulting. Of the 31 GDPR enforcement actions in total, 27 targeted public sector entities and only four private companies. The actions ranged from fines to reprimands and enforcement notices.

Notably, only three of these actions resulted in fines. This reflects a policy shift announced by the ICO in July 2022, when the regulator pledged to levy fewer financial penalties, and in smaller sums, against the public sector. The stated rationale was that large fines paid from public budgets ultimately harm the public services those bodies deliver.

The fines issued in 2024 related to accidental data leaks that exposed sensitive personal information, some of which put lives at risk. Stuart Skelly, Senior Consultant at URM, highlighted the severity of these breaches, stating that the nature of the violations in each case was egregious. The breach at the YMCA involved highly sensitive health data, while the incidents at the Ministry of Defence (MOD) and the Police Service of Northern Ireland (PSNI) posed a real threat to people’s lives.

Even where fines were imposed, the final amounts were significantly lower than those initially proposed: PSNI had originally faced a £5.6m fine, and MOD a £1m penalty. The other public sector enforcement actions were reprimands (18) and enforcement notices (11), illustrating the breadth of the ICO’s regulatory activity in 2024.

By comparison, the ICO issued no GDPR enforcement notices to public sector organizations in 2023, so the 2024 figures mark a shift in the regulatory landscape. Across all regimes, the ICO took 62 enforcement actions against 47 organizations in 2024, a significant portion of them under the Privacy and Electronic Communications Regulations (PECR).

The ICO’s approach to fines in 2024 diverged from that of its EU counterparts. Of the 18 fines the ICO issued, 15 related to breaches of PECR. The proportion attributable to UK GDPR violations nonetheless increased, accounting for one sixth of all fines levied. The average ICO fine in 2024 was £153,722 ($191,300), a sharp drop from the previous year’s average of £816,471 ($1.01m), a figure heavily skewed by the £12.7m penalty imposed on TikTok.

In total, the 18 fines issued in 2024 amounted to £2.7m ($3.4m), with the largest single penalty being £750,000. The gap between UK and EU fine levels was highlighted by law firm DLA Piper, which reported that GDPR fines issued across the EU totaled €1.2bn ($1.26bn) in 2024, and that the Irish Data Protection Commission alone has issued €3.5bn ($3.7bn) in fines since May 2018.

Despite these differences, the URM Consulting researchers expect the ICO to continue its cautious approach to financial penalties in 2025, reflecting the UK regulator’s distinct philosophy compared with its EU counterparts. In a statement to The Times in November 2024, UK Information Commissioner John Edwards expressed skepticism about the effectiveness of fining big tech firms, warning that it could draw the ICO into prolonged litigation without necessarily achieving the desired compliance outcomes.
