11 September 2020

The ICO’s Performance Highlights from 2019/20

By Faye Cheung, Researcher

Photo by Shahadat Rahman on Unsplash

The UK’s information rights regulator, the Information Commissioner’s Office (ICO) has published its Annual Report for 2019/20. It has been a busy 12 months for the independent body, which identified the year as a key period in data protection and broader information rights, with privacy being established as a ‘mainstream concern’. The ICO covers a number of important pieces of legislation, which are likely to have direct impact on most businesses, including the Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR). Therefore, the ICO’s annual report is an excellent way to gain insight into developments that could affect your work. Furthermore, if your organisation is registered with the ICO, you will be interested to see what your registration fee is being used for. Here are some of the highlights from the report.[1]

Age Appropriate Design Code

One in five internet users are children and so one of the most important achievements of the ICO’s year concerned the protection of children’s data privacy online. After speaking to a range of stakeholders, commissioning research with children and their parents and after consultation, the ICO presented Parliament with an Age-Appropriate Design Code in June 2020. This code presents 15 flexible design standards, which online services should integrate into their practices in order to protect children’s data. Online services include apps, connected toys, social media, online games, educational websites and streaming services. The code requires online services to provide ‘a high level of protection by design and default’. Any organisations working with online products or services should be considering the implications of this.  The code can be viewed here.


The ICO has now ceased full membership with the European Data Protection Board. Since leaving the European Union, the ICO have been supporting Government planning for No-Deal scenarios and will continue to provide advice to the Government regarding continued regulatory cooperation between the UK and EU. Defining the ICO’s role in the EU Adequacy process will also be a high priority for 2020-2021.

Enforcement Actions

2019/20 saw the first issuing of penalty notices under the Data Protection Act 2018 for non-compliance, with two of the most significant cases being against British Airways and Marriot for major data breaches.  June 2019 also saw an agreement between Facebook and the ICO after a lengthy and part-ongoing investigation into misuse of personal data in political campaigns. Facebook agreed to pay a £500,000 fine under the Date Protection 1998 Act, but withheld admission of liability. 

The ICO also dealt with concerns regarding political campaigns during the 2019 European elections, through the launching of their #Bedataaware campaign. The campaign sought to highlight to the public how data analytics can be used by political campaigners to micro-target voters.

Other significant enforcement work by the ICO included an investigation into the law enforcement use of facial recognition technology in public places.

Financial Performance

As governed by the Data Protection Act 2018, the ICO’s data protection work continues to be financed by the annual fees paid by data controllers. The annual fee paid by organisations range from £40 to £2,900. These fees resulted in an income of £48.712m. The ICO achieved this figure by writing to companies registered with Companies House, who had not yet registered with the ICO. In light of the economic hardship caused by the Covid-19 pandemic, the ICO paused its work in contacting further companies not registered with the ICO. Organistions not yet registered will need to register with ICO and should expect to hear from them during 2020/21 if they have not done so already.

This article was first published on Forum Business Media’s GDPR online resource https://www.gdprorb.co.uk/content-partners

[1] Information Commissioner’s Annual Report and Financial Statements 2019-20’, https://ico.org.uk/media/about-the-ico/documents/2618021/annual-report-2019-20-v83-certified.pdf

© Naomi Korn Associates, 2020. Some Rights Reserved.

Disclaimer: The material in this blog post is for general information only and is not legal advice. Always consult a qualified lawyer about a specific legal problem.

Recent News

Back to News