Data Protection

GDPR anniversary to be marked with big fines



The first anniversary of the General Data Protection Regulation (GDPR) on 25 May is likely to marked with big fines, says data and privacy law firm Collyer Bristow.

The Information Commissioner’s Office (ICO) has to date announced just 127 enforcement notices despite there being an estimated 10,000 data breaches in the UK and 59,000 breaches across the EU since the introduction of GDPR in 2018.

Fines have been handed down by the ICO, most notably to HMRC, Vote Leave and Uber, but not to the same extent as its European counterparts – French regulators have, for example, fined Google €50m for data breaches – and to the full levels within its power.

Patrick Wheeler, Partner and Head of Intellectual Property and Data Protection at Collyer Bristow said: “Organisations may have begun to feel complacent about their GDPR obligations, but that would be a mistake.”

“The ICO has teeth and very real powers.  Whilst the ICO’s position is that fines are a last resort in persuading businesses to comply with the GDPR it can fine organisations up to the greater of €20m or 4% of global turnover, and we are expecting it to hand down some pretty hefty fines any day soon to coincide with the first anniversary of the GDPR regulations.” 

Patrick adds: “There are good reasons for the ICO to make its presence felt now. In the last 12 months we have seen major data breaches from, to name just a few, British Airways, Ticketmaster, Facebook and HMRC. The ICO will want to show that it takes its responsibilities seriously, that it has teeth, and that it wants businesses to work hard to comply.”

And it is not just data breaches that are attracting fines. Organisations that fail to pay the annual registration fees for managing personal data are already being fined, albeit at much smaller levels.

Patrick adds: “Top end paint manufacturer Farrow and Ball have been fined £2,900 for non-payment of its registration fee. It argued in an appeal that it missed the deadline because of staff holiday, but that did not excuse its lack of a proper compliance procedure. The ICO is beginning to take a tough line.”

Collyer Bristow reminds businesses faced with a data breach of the steps they must now take:

  • Investigate to establish whether a breach has occurred and its likely impact.
  • Breaches affecting the rights and freedoms of individuals need to be addressed immediately.
  • If such a breach is confirmed it must be reported to the ICO within 72 hours.
  • Your data protection team must then take all necessary steps to stop it continuing and:
    • Establish how the breach occurred
    • Investigate the extent of the information breached
    • Determine the consequences of breach
    • Outline measures to prevent further breaches
  • Determine then whether specialist legal and crisis management advice is needed
  • Review your current data and cyber security arrangements
  • If appropriate, disclose the data breach to those affected and wider stakeholders. Full disclosure and reassurance about the corrective steps being taken is often the best policy.
  • And do not forget to notify ICO within 72 hours.

Patrick Wheeler is available for interview.  He can be reached by email: .


You are contacting

Patrick Wheeler

Talk to Patrick about Intellectual property disputes & Data protection & Intellectual property


    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):

    Article contributor

    ExpandNeed some help?Toggle

    Get in touch

    Get in touch using our form below.