Businesses more reliant on ICO as data breach reports explode
Fourfold increase in organisations reporting data breaches points to big year ahead as GDPR fines begin rolling in


The UK data regulator has revealed its staff received four times as many reports of personal data breaches during an "unprecedented" 2018/19 as in the previous financial year.
During the first year of the EU's General Data Protection Regulation (GDPR), the Information Commissioner's Office (ICO) looked into a staggering 13,840 reports from organisations versus 3,311 during 2017/18.
Similarly, the number of complaints received from the public rose from 21,019 in 2017/18 to 41,661, according to figures revealed in the regulator's annual report.
Data protection reports submitted by businesses mostly emanated from organisations in general business, 18%, as well as the health sector and education sector, 16% and 13% respectively.
Organisations were also twice as reliant on the ICO for advice or guidance during 2018/19. The number of contacts the ICO held with individuals or businesses climbed from 283,727 during 2017/18 to 471,224 last year. These amount to phone calls, live chats, and written correspondence.
"The ICO has covered an enormous amount of ground over the last year," the Information Commissioner Elizabeth Denham said. This spanned the introduction of GDPR to record-setting fines and a record number of people raising data protection concerns.
"The biggest moment of the year was the GDPR coming into force.
"This saw people wake up to the potential of their personal data, leading to greater awareness of the role of the regulator when their data rights aren't being respected. The doubling of concerns raised with our office reflects that."
The ICO also revealed that its staffing had grown from 505 to more than 700, with the majority of new hires in areas within the organisation handling data protection complaints and customer contact.
Its annual report also pointed to research from March that showed 64% of organisations said they had noticed an increase in users exercising their information rights, as a sign of ICO success in promoting data protection principles.
In terms of financial penalties, meanwhile, the ICO levied 22 fines during 2018/19, totalling more than £3 million for investigations adjudicated under the Data Protection Act 1998.
This involved data protection incidents, like hacks or leaks, that took place prior to GDPR being introduced on 25 May 2018.
The penalties accrued include two maximum £500,000 fines for Equifax Ltd and Facebook for data breaches affecting 15 million UK citizens and 87 million worldwide users respectively. Uber, the Crown Prosecution Service (CPS), and Yahoo! were also issued fines amounting to £960,000 altogether.
These figures are a far cry from the eye-watering sums discussed prior to GDPR's introduction, with organisations facing penalties of up to 20 million or 4% of turnover. But this can be explained by the fact the ICO concluded no investigations into incidents occurring after GDPR was introduced during the 2018/19 window.
The report, however, was released just as the ICO issued its second prospective GDPR fine against an organisation in as many days, with more expected to follow in the coming months.
From just two probes into British Airways and Marriott, the Treasury could reap up to £282 million in data protection fines.
"So many of our conversations are around the use of personal data in digital services," Elizabeth Denham continued. "It is early stages, but the GDPR has so far demonstrated that it is a law that can work alongside emerging technologies and creative approaches.
"There's no dichotomy between digital innovation and data protection. But progress relies on consumers trusting organisations with their data, and organisations stand at the front line on this.
"For our part, we are working on key guidance and codes, notably around internet harms and age-appropriate design online, that we believe will increase this trust."

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.