The UK’s Information Commissioner’s Office (ICO) is yet to impose a fine under the GDPR, though we understand that a fine is imminent. The most notable fine since 25 May 2018 was a fine of GBP 500,000 against Facebook (the maximum penalty under the Data Protection Act 1998).
In April 2019, the Home Office accidentally shared the email addresses of hundreds of EU citizens applying to stay in the UK after Brexit. The ICO were alerted to this incident and have said they will make an assessment, but no decision has yet been released.
Although no fines have yet been issued under the GDPR, the ICO have issued ten enforcement notices under the Data Protection Act 2018 and GDPR.
On 23 May 2018, the DPA 2018 became UK law, implementing the EU’s General Data Protection Regulation (GDPR). Some UK-specific rules have been adopted, for example the ability for UK companies to process diversity data for the purposes of diversity monitoring without the consent of the data subject, and the criminal offence of deliberately failing to provide data to a data subject who has submitted a data subject access request.
The GDPR will be enacted in UK law after Brexit under section 3 of the European Union (Withdrawal) Act 2018.
Similar to other European countries, the UK has seen a rise in the number of data subject access requests submitted to data controllers, and also the number of data breaches reported to the ICO. The most commonly reported breach is a misaddressed email, rather than those breaches people typically imagine, for example systems being hacked.
Also, it is now customary to receive a data subject access request in conjunction with a grievance and a tribunal claim. Data subject access requests are used as a tool for disclosure, but also as a tool to attempt to leverage more favourable terms from employers.