The analysis highlights some very interesting facts and trends, and provides valuable insights into ICO's enforcement strategy and how it translates into action. Here are a few examples:
- 2012 was the most prolific year yet for ICO enforcement action: ICO imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings
- Whilst the public sector has been the main focus of enforcement action, the focus is now shifting to the private sector (which has been confirmed by the enforcement activity in early 2013)
- Data security breaches remain the most regulated type of failure (no surprises here). For instance, out of the 25 fines, 22 were for security breaches, 1 was for breach of the data accuracy rule of the Data Protection Act 1998, and 2 were for breach of the direct marketing rules of the Privacy and Electronic Communications Regulations 2003.
- Data controllers who voluntarily self-report an incident to ICO are not given immunity from enforcement; for instance, 21 of the 25 fines were for self-reported breaches.
It is obvious from the cases that ICO does not hesitate to take serious enforcement action and is becoming a real force to be reckoned with and a driver for change. Looking at the year ahead, we can expect ICO's enforcement activity to continue at this pace or even intensify, focusing on the areas that ICO has prioritised as posing a higher data protection risk, namely health; internet and mobile; financial services; security; and criminal justice. Although the public sector will remain firmly on ICO's radar, we expect the regulator to turn more of its attention to the private sector. This is likely to mean more serious enforcement action, but also, we believe, a greater appetite to challenge enforcement actions.
In Session 1 of our Privacy and Security Breakfast Briefings for 2013 (scheduled for April 2013) we will present and expand on the findings of our analysis as set out in the Tracker. We will dissect ICO's strategy and enforcement action in order to identify the highest risk areas, understand the trajectory of enforcement action and what our organisations should be doing to manage the risk of failure and enforcement action.
To receive a copy of our ICO Enforcement Action Tracker 2012 or to secure an invitation to Session 1 of our Privacy and Security Breakfast Briefings for 2013 please email firstname.lastname@example.org.