Why hasn’t the ICO issued any GDPR fines yet?

For those of you wondering what on earth the ICO (Information Commissioner’s Office) is doing in terms of regulatory action in relation to privacy, their latest update identifies some recent financial penalties:

These are all still related to the DPA (Data Protection Act) 1998, which demonstrates again how long it takes for actions to be concluded. These fines also demonstrate that targets can range from large public authorities to individuals – and the breaches are not classic cyber security breaches, but breaches of what should be established procedures.

The message for any of our customers that might be thinking that GDPR (General Data Protection Regulation) enforcement action will never happen or that, if it does, it will only be focused on the big firms, is that now might be the time to re-double efforts to establish DPbDabD (data protection by design and by default). After all, failure to do so can itself be punished with a 2% fine.