The Information Commissioner’s Office (ICO) has published its 2018/19 Annual Report, covering the 12 months to 31 March 2019. This is the ICO’s first annual report to Parliament since the GDPR came into force in May 2018. It sets out exactly what the ICO has been up to in what has been an interesting year. We take a look at some of the key takeaways you need to know about.


Unsurprisingly in the year of the GDPR, the ICO has been busy. The ICO fielded just under half a million enquiries in the form of calls, online chat requests, and written requests. This is a 66 per cent increase on the year before.

Often missed in the noise around the GDPR, the ICO issued 23 monetary penalty notices for violations of the Privacy and Electronic Communications Regulations (PECR). PECR regulates the use of cookies and electronic marketing. The total quantum of the ICO’s PECR fines was a little over £2 million. This is clear proof that companies delaying reviewing their cookies and electronic marketing strategies until the new ePrivacy Regulation comes into force should reconsider their approach.

Last year, the ICO received notice of over 13,000 personal data breaches, nearly four times as many as it had the year before. Of these, less than 1 per cent led to a monetary penalty or fine.

Over 41,000 data protection complaints were made to the ICO last year, about twice the level in 2017/18. Of these complaints, the majority were made against the “general business” sector. Just over 16 per cent of complaints were made against firms in the health sector. Approximately 10 per cent of complaints were made against firms in the finance, insurance, and credit sector.


In response to the increasing levels of activity, the ICO has grown its headcount by nearly 40 per cent. It now employs the equivalent of 700 full-time staff. The Annual Report sets out plans for further growth to approximately 835 staff by 2020/21.


The Annual Report identified key sources of income for the ICO:

  1. Data protection notification fees – this includes fees collected from data controllers, which were increased last year to a maximum of £2,900. Last year, income from these fees was just over £39 million, an 84 per cent increase on the previous year. This is expected to further increase to £46 million this year and £49 million by 2020/21.
  2. Civil monetary penalties – the ICO can impose civil monetary penalties for serious breaches of the Data Protection Act 2018 or PECR. Last year, income from this revenue stream was nearly £5.5 million. Given the ICO’s recent notices of its intention to levy cumulative fines of approximately £280 million against just two companies, we expect this figure to dramatically increase this year.

Regulatory coordination

Last year saw the ICO team up with a number of other UK regulators. These included Ofcom, the broadcasting and telecommunications regulator; the Competition and Markets Authority; and the Financial Conduct Authority. The ICO also created the Regulators’ Business and Privacy Innovation Hub. The ICO hopes that this will help to coordinate regulatory scrutiny of data protection issues by various UK regulators. This year, the ICO will join the UK Regulators Network, an association of 11 British regulators from the utility, financial and transport sectors. Expect 2019/20 to see continued collaboration between regulators.


The ICO has identified the importance of data protection to prospective international trade deals. The Annual Report identifies maintaining digital trust and data sharing as a key focus. This builds on the ICO’s allocation of “significant resources” to establish relationships with other regulators outside the EU. This has included the ICO joining a number of international networks and advising other countries, such as Brazil, on the development of data protection laws.


The Information Commissioner described last year as a “busy and crucial” year. The Annual Report underlines the ICO’s intent to build capacity, augment its services and regulate privacy and data protection issues in a sophisticated manner. We expect 2019/20 to be even busier for the ICO. Keep an eye on our blog – we’ll be sure to bring you the latest developments as they happen.