Timetable to first UK GDPR fines

Anyone who does even a limited amount of analysis of the ICO’s (Information Commissioner’s Office) website can see that, on average in the UK, about a year elapses between the committing of an offence under data protection legislation and the consequent decision about, and publication of, regulatory action.

The ICO publishes decisions on regulatory action every month; you can see clear evidence of regulatory action having been taken in December 2017, November 2017, October 2017, and so on. Almost all of these notices concern a breach a year or more earlier. The likely reasons for the delay are that alleged infractions have to be properly investigated before a decision can be reached, and that the ICO is obliged to act proportionately.

So, at this point in January 2019 it would be wrong to say that the ICO is failing to take action to enforce the GDPR (General Data Protection Regulation). All you can reasonably conclude is that it’s unlikely there will be much substantive enforcement action before May/June 2019. “Unlikely” doesn’t mean “none”; the ICO has already exercised its powers under the GDPR in respect of Cambridge Analytica and of those organisations that failed to pay their data protection fee.

You could also conclude that a number of the 4,056 data security incidents reported to the ICO during Q2 (August – October) of 2018/19, as well as all those reported in May and June after the GDPR came into effect, are already under investigation; it’s too late for those organisations to get themselves GDPR-compliant.

It doesn’t have to be too late for your organisation, though. You can’t predict whether or not you will be breached, or if someone will lodge a serious complaint, but once that does happen, it’s suddenly too late to get your house in order.

The reality with GDPR compliance is that you must be compliant, ensure you stay compliant and hope that your compliance is never tested!