The Information Commissioner’s Office (ICO) has published its update reflecting on its GDPR experience over the past year and its upcoming priorities to stay relevant, foster innovation and maintain its position as an “influential regulator on the national and international stage”.

Supporting the public, DPOs, SMEs and other organisations

The first year of the GDPR has made individuals aware of the control they have in relation to their personal data and of the powers regulators have in connection with protecting such rights. On the flip side, organisations have been under pressure to ensure their handling of personal data is compliant under the new regime. The ICO has seen an increase in engagement from businesses, data protection officers (DPOs) and individuals. The number of contacts made via the ICO helpline, live chat and written advice services has increased by 66 per cent in the past year.

Still, the ICO has pointed out that there is “a long way to go to truly embed the GDPR and to fully understand the impact of the new legislation”. Almost half of respondents to the ICO survey confirmed they had experienced certain unexpected consequences resulting from the GDPR.

The ICO has, therefore, continued to produce comprehensive guidance, blogs, toolkits, checklists, podcasts and FAQs to support businesses, especially small organisations and sole traders where GDPR compliance may have been particularly challenging. Guidance released by the ICO has included: the Guide to the GDPR, the Guide to Law Enforcement Processing, and its interactive tools for understanding lawful bases for processing and for continued data flow in the event of a no-deal Brexit.

Statutory codes of practice

The ICO aims to develop four statutory codes of practice, to be finalised by autumn 2019:

  1. the age-appropriate design code – which sets out 16 standards of age-appropriate design for providers of online services and apps likely to be used by children or likely to process children’s personal data;
  2. the data sharing code – which updates the 2011 data sharing code of practice issued under the Data Protection Act 1998 and, specifically, ensures there is reinforced confidence and trust in how fairly and securely organisations use and share personal data;
  3. the direct marketing code – which ensures that direct marketing continues to be a useful tool for organisations to grow their business or publicise and gain support for causes, while at the same time avoiding being intrusive to customers and ensuring compliance with the GDPR; and
  4. the data protection and journalism code – which strikes a balance between privacy, respect of data subjects’ rights and freedom of expression.

In light of recent data analytics for political purposes, the ICO also intends to develop and seek statutory footing in Parliament for a code of practice on political campaigning (elections and referenda). This code will ensure that personal data is used in political campaigns in a transparent, understandable and lawful manner.

Enforcement actions

Rest assured, enforcing the GDPR is not just about big fines. In fact, the ICO’s regulatory objectives have a constructive purpose in that they are to: (i) respond swiftly and effectively to breaches, focusing on those involving highly sensitive information; (ii) target organisations and individuals suspected of repeated or willful misconduct or a serious failure to take steps to protect personal data; (iii) support compliance with the law and promote good practice; (iv) be proactive in identifying and mitigating emerging risks from technological and societal change; and (v) cooperate with other regulators and interested parties in navigating the global and interconnected technological landscape of the modern world.

Businesses are clearly taking the requirements of the GDPR more seriously and are being more proactive in reporting to the ICO, especially when they suffer personal data breaches. Within a one-year span, the ICO received 14,000 personal data breach reports, an increase from 3,300 in the previous year. The ICO closed 12,000 of these cases, with only 17.5 per cent requiring action from the organisation and only 0.5 per cent resulting in a monetary fine. These statistics show that the ICO’s mandate is not to penalise but rather to bring about correct data protection practices.


Looking to year 2 of the GDPR, the ICO recognises it is essential for it to keep abreast of technology and cyber-security developments. It admits that “the challenges are as real for the ICO, as a regulator, as they are for those we regulate”. To stay ahead of the curve, the ICO is continuing to expand – from a workforce of 505 in 2018 to 825 by 2020/21.

For the next year, the ICO is set to focus on busting myths in the evolving landscape of: cyber security; AI, big data and machine learning; web and cross-device tracking for marketing purposes; children’s privacy; the use of surveillance and facial recognition technology; data broking; the use of personal information in political campaigns; and freedom of information compliance.

For more of our GDPR-anniversary bonanza, you can also read our series of thought pieces, including what to consider for your year 2 to-do list and how some sectors have been affected by the GDPR’s opening year.