Well, that’s not quite true. It seems that the Information Commissioner’s Office (ICO) has been a little busy this year. There were big fines for Facebook, Equifax, Yahoo, Carphone Warehouse and even The Crown Prosecution Service. However, all the fines were levied under the old Data Protection Act 1998. As yet, nobody has received one of the colossal fines available under the new GDPR.
If you are reading this and thinking, “I knew I didn’t need to do anything about GDPR”, then let me share a couple of observations that could make you feel uncomfortable.
In September the ICO issued enforcement notices against 34 organisations that have failed to pay the new data protection fees. All organisations that process personal data must pay a fee unless they are exempt. In the past, that didn’t seem to matter too much. I can’t recall any fines being levied against anyone for not paying the old registration fee before. Perhaps this is the first sign that the ICO will show it now has teeth. After all, there are lots of fines to be had because there are only about 500,000 organisations that have paid their fees. Yet, there are about 5 million businesses registered with Companies House. Show me a business that doesn’t process any personal data!
The next thing to be aware of is the level of staffing at the ICO. This has increased from 400 to 670 in the two years since GDPR was ratified by the EU. The UK now has the largest data protection authority in Europe. I wonder what the ICO will do with all those extra people?