UK – The GDPR by numbers: No fines in the (immediate) pipeline
As the General Data Protection Regulation fast approaches its first anniversary, we thought it would be useful to look at some of the metrics on its implementation in the UK. The figures, released under the Freedom of Information Act 2000, reveal:
We consider the implications below.
No fines in the (immediate) pipeline
The Information Commissioner’s power to issue administrative fines is reserved for the most serious cases. The Information Commissioner follows a structured internal enforcement process that leads up to the service of a Notice of Intent (see section 155(5) and Schedule 16, DPA 2018). The relevant controller or processor then has at least 21 days to respond to that Notice of Intent before an actual fine is issued.
Our first key finding is that, as of 15 March 2019, the Information Commissioner has not issued any administrative fines and has not even issued a Notice of Intent.
In many ways, this is not surprising. A review of monetary penalty notices issued under the old Data Protection Act 1998 showed it took around 500 days from a breach occurring to a monetary penalty notice being issued. Applying a similar timescale here suggests the first administrative fines will not be issued until October this year. The enforcement process takes time.
So, while there are no administrative fines in the immediate pipeline, that is not to say they won't emerge later on in the year or that the Information Commissioner will not match the €50m fine the CNIL served on Google (here). There have also been a number of fines for non-payment of fees (see below).
Only three DPIA’s have required consultation
Controllers are obliged to consult their supervisory authority prior to the processing of data if their data protection impact assessment (“DPIA”) indicates that the processing would result in “high risk” and those “high risks” cannot be mitigated (Article 36).
To get a sense of how controllers are responding to this requirement in practice, we asked the ICO to confirm how many DPIAs had been submitted for consultation and how long the ICO took to review those DPIAs.
The ICO has confirmed that, as of 22 February 2019, 18 DPIAs have been submitted for consultation as being potentially high risk. However, of the 18 DPIAs submitted only three were assessed as actually being of high risk and so required consultation. The ICO provided written advice in relation to those DPIAs, the response taking two months on average.
These numbers are relatively low suggesting that controllers are taking a robust approach to determining what constitutes “high risk” processing or they have been successful in mitigating those risks (or both).
No minor transfers. None at all
One of the innovations under the GDPR, was the so-called “minor transfer exemption”. This would allow the transfer of personal data to a third country where no other derogation applied, subject to certain criteria. However, those criteria are exceptionally strict. The transfer must not be repetitive, only limited data subjects can be affected, there must be a compelling interest in the transfer and the risks must have been assessed and safeguarded (Article 49(1)bis).
Most importantly, the minor transfer exemption requires the controller or processor to notify the data subjects and the Information Commissioner. The Information Commissioner has confirmed that, as of 15 March 2019, she has received no such notifications.
In other words, there have been no transfers of personal data from the UK to a third country in reliance on the minor transfer exemption. This suggests that the minor transfer exemption has failed as a regulatory innovation. Far from being a convenient means to justify small transfers, it is simply being ignored.
A healthy community of data protection officers
Controllers and processors must designate data protection officers in certain cases, for example, if their core processing activities involve “regular and systemic monitoring” of data subjects. Controllers and processors that are subject to this obligation are required to communicate the details of their data protection officer to the Information Commissioner.
Figures from the Information Commissioner show a healthy growth in this new class of privacy professional. As at 19 February 2019, 26,573 data protection officers have been notified to the Information Commissioner. The breakdown per month is set out below. As would be expected, the highest number of notifications were made in the few months following GDPR implementation. The later notifications may also reflect a degree of turnover amongst data protection officers.
Month | No of DPO notified |
May 2018 | 4,437 |
June 2018 | 5,216 |
July 2018 | 4,183 |
August 2018 | 2,925 |
September 2018 | 2,390 |
October 2018 | 2,623 |
November 2018 | 2,050 |
December 2018 | 1,398 |
January 2019 | 1,351 |
Total | 26,573 |
Fines for non-payment
Finally, under the Data Protection (Charges and Information) Regulations 2018, controllers are required to pay a fee of between £40 and £2,900 to the Information Commissioner to fund her office.
The Information Commissioner has been particularly vigilant when enforcing these Regulations. As of 25 January 2019, she has issued 1,936 notices of intent for non-payment and issued 103 fines for failure to respond to those notices of intent. The aggregate amount received in fines was £26,600.
By Christina Mysko