The year in UK GDPR regulatory enforcement action

The ICO’s approach to enforcement is still risk-based, but increasingly targeted. By Richard Jeens, Ross O’Mahony and Alex Buchanan of Slaughter and May.

When John Edwards took office as the new Information Commissioner in January 2022, he faced a dauntingly full in-tray. Since the introduction of the GDPR in May 2018, the ICO has been criticised for a sometimes inconsistent and opaque approach to regulatory enforcement, with concerns expressed about decision-making regarding fines, resourcing issues and technical capacity. More recently, the ICO has, perhaps unfairly, come under scrutiny for “going easy” on the public sector and endorsing the DCMS’ controversial data protection legislative reform plans.

A year in, how much has changed? What evidence is there that the UK has, in the Commissioner’s words, “gone [its] own way”(1) in empowering businesses to use information responsibly to invest and innovate whilst encouraging individuals to confidently share their information when engaging in products and services that drive the economy? And what role has the administrative court system had in ‘regulating’ the regulator and shaping the enforcement landscape?
