The ICO reports on a “transformative period” for data protection


The Information Commissioner’s Office (ICO) has published its 2019/20 annual report. In this, the regulator shares what it has been up to in a “transformative period” for data protection.


What is the ICO?


The Information Commissioner’s Office (ICO) is the UK’s data protection regulator.

It exists to protect your information rights and data privacy.

It also helps organisations to meet their obligations under the Data Protection Act (the UK’s interpretation of the GDPR).

If you discover that your personally identifiable information* has been compromised in a data breach, you can ask the ICO to investigate why this happened.

*Personally identifiable information (PII) is any data that can be used to identify a specific individual – either on its own or together with other information. Examples include full names, bank account numbers, passport numbers, email addresses and a whole range of other data.

What does the report say?


Key findings in the ICO report include:

  • The period saw the ICO handle 38,514 data protection complaints
  • 39,860 data protection cases were settled during this time (up 15% year-on-year)
  • The ICO conducted more than 2,100 different investigations
  • The ICO took regulatory action 236 times in response to data protection breaches. This includes 15 fines and eight prosecutions.

During the 12 months to 31 March 2020, the ICO also levied two of the largest GDPR fines seen so far. These were the multimillion-pound fines against BA and Marriott.

Speaking about the past year, the information commissioner Elizabeth Denham said:

We have seen a transformative period in our digital history, with privacy established as a mainstream concern, and with complex societal conversations increasingly asking data protection questions”

What else has the ICO been up to?


Over the last 12 months, the ICO has also:

  • Commented on The Age Appropriate Design Code, which was published in January. This will help steer businesses to comply with current information rights legislation when it comes into full effect
  • Highlighted concerns about how technology could infringe on individual rights when it intervened in a High Court case on the use of facial recognition technology by the South Wales Police
  • Provided guidance for organisations on data protection and Brexit to help them comply with the law once the UK leaves the EU
  • Launched a new freedom of information strategy which sets out how it is working to create a culture of openness in public authorities
  • Settled a case with Facebook
  • Worked with a number of organisations to explore new data uses in a safe way while helping to ensure customer privacy
  • Received resources to set up a hub with other regulators to streamline and reduce burdens on businesses and public services using data
  • Encouraged innovative research into privacy and data protection issues via its research grants programme
  • Launched a consultation on an AI framework to look at the risk and management associated with AI applications
  • Continued to chair the Global Privacy Assembly, which is looking at ways to protect personal data as it crosses borders (and businesses operating internationally). 

The period covered by the report does not reflect the impact of COVID-19. However, Ms Denham did acknowledge the pandemic, stating that:

The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family.”


She added:  

The law has not changed, and the ICO continues to be a proportionate and practical regulator.”

In March 2024, our firm changed its name to KP Law. 

Share this article: