Is data protection enforcement more difficult under GDPR?

In this post we discuss whether the 13 months old GDPR regulation is proving more difficult to police that the old Data Protection ACT 1998.

The DPA 1998 is now quite old and for the eagle eyed is also obsolete, but the fines and enforcement notices were steady.  Roughly speaking, we would say that there were a handful or so of fines and enforcements each month under the DPA 1998. This has continued right up to the present day with past misdemeanours being prosecuted under the regulation which was in force during the time the offence was committed.

In recent posts we highlighted that the Metropolitan Police had been one of the first organisations to be served an enforcement notice under the DPA 2018, which came into force on the same day as the GDPR.

Looking back at the history of ICO fines and enforcement we see a pattern whereby notices and fines seem to take around 10-11 months to work their way through the system and be notified on the ICO website.

With this pattern in mind we would by now be expecting to see DPA 2018 and or GDPR offences being posted. However, this does not seem to be the case. We are now 13 months into the 2 new data protection laws and the notices and fines are few and far between, and certainly not with the same regularity as the old DPA.  Also, since we would have expected to see more complaints and hence more investigations, we must ask ourselves what is going on?

We don’t have the answer but we can speculate.

It may be that the ICO was very familiar with the old DPA and had a back history of offences to fall back on when looking at enforcement. Therefore, the process was somewhat mechanical.

The GDPR and the DPA 2018 are not only enhancing the existing rules but adding new elements and the potential fines are much higher. We can also consider that prosecutions under the new rules are likely to be test cases for the ICO. So, it is possible the ICO is dotting the I’s and crossing the t’s before bringing the cases. It might not look so good if the first cases to be brought were to end in failure.

One other reason may just be the volume and or the complexity of the cases, there are statistics already showing that the number of complaints being brought under the GDPR are significantly higher than under the previous regime. Even though the ICO has increased its staffing there is no doubt that more complaints mean more work and longer delays.

So, when are we going to see the regular posting of GDPR and DPA 2018 fines and enforcement notices? Our guess is not very far off and we also expect the volume to be much greater, and the fines to be higher. How many, how much and how often only time will tell.

Watch this space…

Between writing this post and getting it up on the website British Airways has become on one of the first to be issued with a hefty £183 million fine for breaching data protection rules. 

BA are to appeal against the fine and haven’t made public whether any compensation has been paid……. 

But who knows how to claim for a data breach…?

Read our next post, “GDPR, PCI DSS and non-material damages all might cost BA dear

Contact us

If you would like to know more about how GDPR Auditing can help your organisation with PCI DSS or GDPR then please contact us at or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.

© GDPR Auditing 2019.