As the UK grapples with if, how, when and exactly what it will replace GDPR with (or not), there’s some data which shows the wider compliance gap with whatever data protection regime the UK will come up with.
Data from the UK government’s own impact assessments paint some stark figures. There are over 4 million companies in the UK, each one of these registered with Companies House. There is just over a million companies registered as data controllers on the ICO’s public register.
If only 1 in 4 UK companies are registered with the ICO, this presents a significant gap in current data protection compliance. It is a legal requirement for any business or sole trader who processes or controls personal data to register with the ICO. Despite the specific exemptions around purely running staff administration or processing information without a computer, there is very little reason a business would be exempt from registering with the ICO. Still, around 3 million businesses in the UK have not done so.
With ICO registration all but mandatory, the enforcement gap with the current data protection rules in the UK, the Data Protection Act 2018 and the UK version of GDPR is also costing the ICO potentially millions in revenue. Fees from registration total around £59m per year, with the cost of running the ICO around £56m. Yet with only 1 in 4 companies registered, there are millions more in uncollected fees that should be used to fund the ICO. Whatever the changes to the UK’s data protection legislation, the ICO is still vital to conduct investigations, provide advice, enforce the rules and protect the 67.1 million data subjects in the UK. With more funds, the ICO can be more effective.
From the EU perspective, GDPR enforcement is ramping up. While in the past, regulators such as the Irish Data Protection Commission were criticised for failing to tackle flagrant breaches by Google, and other cross-border investigations against the big tech giants like Facebook, Apple, Twitter and TikTok have languished, the tide is turning. Meta, Facebook’s owner was fined €390m again in 2023 after already receiving a €405m fine in 2022, Google fined €50m and Amazon fined a whopping €746m for GDPR violations.
The ICO’s enforcement actions have notably lagged behind, but with a noted shortfall in funding and potentially more powers to treat PECR breaches with the same severe fines that we’ve seen against the big tech giants, i.e. up to 4% of annual global turnover, the compliance gap may soon be closing.
If your business is not already registered with the ICO, you should do so now. Data protection training is still required and more important than ever as the risk of cyber breaches and phishing attacks increases. Despite the often-discussed changes to the UK’s data protection regime, UK GDPR is still in force in the UK, and there is no date yet for any potential changes to the regime. Even with changes, training will still be required as the fundamentals of the data protection system, such as data minimisation and lawful basis for processing, are not going anywhere. With 1 in 4 companies failing to do the basics of compliance and register with the ICO, now is not the time to go lax on data protection compliance.