The Information Commissioner’s Office (‘ICO’) has published its 2017/2018 Annual Report, covering the 12 months leading up to 31 March 2018. The report is the ICO’s annual report to Parliament as required by the Data Protection Act 1998 (‘DPA’), and outlines the achievements and work of the ICO. Among the findings reported are the number of self-reported personal data breaches and a summary of fines issued by the ICO.

Upward trends

The ICO received a huge increase in telephone, live chat and written queries from the public and organisations. In the last quarter of 2017, it received 30,000 more such calls than in the previous three months. The report claims 235,672 calls were received by the ICO’s helpline, an increase of 24.1 per cent year-on-year, while 30,469 live chats were requested, up 31.5 per cent. Of the queries received, the majority of concerns related to data subject access (39 per cent), the disclosure of data (16 per cent), the inaccuracy of data (11 per cent) and securing the right to prevent processing (9 per cent).

With regard to personal data breaches, the number of self-reported cases increased significantly: 3,172 incidents were reported to the ICO over the course of 2017/2018, a 29.6 per cent increase. The number of self-reported data breaches is expected to increase further during the 2018/2019 report period, reflecting the new mandatory data breach notification requirements under GDPR. This position was confirmed during an ICO webinar, where it was revealed that there were 1,792 personal data breaches notified to the ICO in June, a 173 per cent rise on the 657 reports received in May 2018, and an almost fivefold increase compared to April, when just 367 notifications were received.


The ICO issued £1.29 million in fines for serious failures under the DPA. These were issued alongside £138,000 in fines to charities for unlawfully processing personal data and a further £80,000 penalty issued to a data broking organisation. Breaches of the Privacy and Electronic Communications Regulations (EC Directive) 2003 (‘PECR’) gave rise to 26 organisations being fined a collective £3.28 million for nuisance calls and spam texts, amounting to the greatest number and amount of penalties the ICO has issued in its history. Further, the ICO launched 19 prosecutions in 2017/2018, resulting in 18 convictions under the DPA, and issued a further six cautions. Within the report, the ICO highlights its ongoing investigation into 30 organisations, including Facebook and Cambridge Analytica, regarding the misuse of personal data in political campaigning. As part of these investigations, the regulator levied a £500,000 fine against Facebook earlier in July – the maximum possible fine under the previous regime – for two breaches of the DPA.


The annual report by the ICO demonstrates positively changing attitudes to privacy and data protection in the UK. The report highlights an increase in self-reported breaches and a significant rise in communications and queries, evidencing that privacy and data protection matters have become more important to individuals and organisations. With a new legal framework under the GDPR and increased public interest, companies appear to be taking their responsibilities more seriously, while the public has become increasingly aware of its rights in relation to its personal data.