ICO enforcement overview – supporting data

Overview of ICO enforcement action, based on their transparency information

In this overview, we took stock of ICO enforcement and penalty notices that were released following the entry into force of the GDPR (2018). The analysis was carried out by relying on publicly available data — namely, ICO transparency reporting on their enforcement action.1

Results show that the ICO overwhelmingly focused on data protection breaches in the context of

  • direct marketing communications (unsolicited emails, nuisance calls, or otherwise contacting data subjects lacking a suitable legal basis for doing so)
  • data security (data breaches or lack of technical/organisational measures in place)

Indeed, 23 out of 35 enforcement notices, and 11 out of 15 penalty notices, were issued against data processing activities related to direct marketing. Further 7 enforcement notices and 1 penalty notice were issued against failures to secure personal data. The remaining notices were issues against SAR failures, unlawful processing, and non-payment of the data protection fee.


  1. Direct marketing and data security make the overwhelming majority of ICO actions since the entry into force of the GDPR (79%);
  2. There are only two cases where the ICO investigated data marketing or data security issues, and enforced against “more complex” data protection issues than unsolicited communications or data breaches. This is the case of Experian and Ticketmaster UK Limited;
  3. Investigations into data analytics for political purposes resulted, within our selected sample, in actions which targeted fairly simple issues such as nuisance calls or unsolicited texts.

Overall, it ICO actions appear to be focusing on rather straightforward breaches of the law. This pattern seem to be true even when the ICO engaged into more complex investigations (such as in the case of data analytics for political purposes).

1Source: https://ico.org.uk/action-weve-taken/enforcement/