HNK Solicitors

The UK Information Commissioner’s Annual Report 2024/25 shows a concerning lack of enforcement for those who breach data protection laws

The Information Commissioner’s Office (ICO) released its Annual Report for 2024/25 last week, which has shown a disappointing and concerning downward trend in the enforcement of data protection laws and the action taken against those who break them.

Professor David Erdos, Professor of Law at the University of Cambridge, posted an article titled ‘Surveying a systemic trend away from adequate enforcement’ outlining his findings after reviewing the ICO Annual Report 2024/25. He stated it “sadly provides evidence of a severe and serious weakening of information rights regulation compared to the strong enforcement which is (and remains) promised especially under the (UK) General Data Protection Regulation (GDPR).”

In this article, we’ll outline some of his key findings and key concerns that this has highlighted regarding the protection of people’s personal data. We’ll also explain what action you can take if your data has been breached and how you can claim compensation against organisations that do not uphold data protection laws.

Findings from the UK Information Commissioner’s Annual Report 2024/2025

Concerningly, the Report made no reference to any UK GDPR enforcement notices, as none were issued during 2024/25, a decrease from the previous year’s enforcements, which were themselves in the single digits. According to the Report, there were only two GDPR fines during the year, a stark contrast to the more than 200 in both Germany and Spain, which seem to take their data protection enforcement much more seriously. There was also a 70% reduction in the number of reprimands, falling from 31 to just 9. All of these point to a concerning lack of enforcement, despite this being promised under UK GDPR. This gives the impression that companies that are not upholding GDPR and data protection laws are not being properly reprimanded, despite their lack of regard for people’s personal data.

Over the last year, there have been reports of many egregious data breaches, none more so than the recently reported Ministry of Defence (MoD) data breach. This catastrophic MoD breach exposed the personal details of thousands of Afghan nationals who worked with British forces, putting their lives and the lives of their families and dependents at risk, and potentially even causing death.

Despite several high-profile breaches during the year, the Report has revealed that the proportion of data breaches that even resulted in a GDPR investigation, never mind enforcement action, dropped from just 6% to 3%. This shows that the ICO isn’t using its regulatory powers and fining properly to incentivise organisations to comply with GDPR rules.

Despite the Information Commissioner stating in December 2023 that it was “necessary to apply the full sanctions of the law” where GDPR breaches “are so egregious that they put people’s lives at risk”, the ICO have made it clear they have no plans to issue a fine, enforcement notice or take any other formal regulatory action in response to the MoD data breach that has put around 100,000 individuals at risk of harm from the Taliban and forced the UK government to pay for the relocation of 7000 Afghan nationals.

The number of data protection complaints that received no response within the 90-day timeframe increased by 360% last year, from 15.2% to 70%. This shows the ICO has not prioritised the handling of data protection complaints in the past year. Added to this, the number of complaints remaining open also increased by over 70%, from 9168 to 15,810, despite the fact that cases only increased by 6.5%.

Recital 148 of the UK GDPR explicitly states, “in addition to or instead of appropriate measures…” “fines should be imposed for any infringement”. The ICO, as the UK’s data protection authority, is in charge of imposing fines on companies that break data protection rules and ensuring the enforcement of GDPR rules. This underscores the GDPR’s promise of “strong enforcement”. However, based on the results of its latest Report, it’s falling short of this duty.

The Report has revealed that there were only 43 UK GDPR investigations in 2024/25 compared to 285 in 2023/24, not a single UK GDPR enforcement notice was issued, and the number of reprimand outcomes declined from 31 to just 9. Only 2 fines were issued, totalling £3.8M, compared to 3 totalling £13M the year prior.

In 2024/25, the ICO reportedly received 12,412 personal data breach reports – but only 3% led to an investigation. 85% of breaches reported didn’t result in formal action or a fine and instead were said to be resolved through ‘informal action’.

This brings little comfort to those whose data has been breached, and it is concerning to learn the ICO isn’t utilising its full regulatory powers to prevent further data breaches from occurring and punish those who don’t follow data protection laws. This may give organisations that handle people’s data the impression that if they do suffer a breach, they may not receive any formal action and simply get away with a ‘slap on the wrist’, so to speak. Therefore, protecting people’s personal data may not be seen as being as important as it should be, which leads to mistakes and makes way for cyberattacks and breaches to occur.

Professor Erdos maintains that these issues have been primarily driven by “a deeply rooted ICO internal culture which has been fuelled by a lack of effective accountability mechanisms for data subjects and by an Information Commissioner who has publicly set his face against full use of the UK GDPR’s powers”.

He concludes that: “Whilst also taking into the account the positive guidance and publicity which has been forthcoming from the UK ICO over recent years, it is imperative that the UK Parliament, European Commission, European Data Protection Board, European Data Protection Supervisor, and European Parliament all ask some tough questions about the practical reality of regulatory enforcement in the UK during the upcoming review, including what can be done to reverse some very worrying trends.”

Data protection legislation protects your right to privacy

UK GDPR and the Data Protection Act 2018 are important pieces of legislation that ensure your rights as an individual when it comes to your data. Any organisation that collects and stores your personal data has a legal responsibility to keep the data safe, stored correctly, updated accordingly and ensure it is protected from potential threats like cyberattacks. It is upsetting to hear that the ICO, which is in charge of upholding these laws and enforcing sanctions on those who do not follow them, is falling short of this responsibility and not holding those companies to account for their lack of regard towards people’s personal information.

Data breaches can be extremely distressing for an individual, particularly if the data exposed is very private or personal, or if they are a vulnerable individual. While you can report a breach to the ICO and submit a complaint, as you can see above, the response times are long and complaints often result in little action being taken. However, there are other steps you can take to seek redress. This includes making a civil claim for compensation.

HNK Solicitors can help with your data breach claim

A civil claim against a company or organisation for a breach of your personal data can result in you gaining compensation for the actual breach and the ordeal you have suffered as a result. Data breaches, depending on the data exposed, can result in a number of negative outcomes, including financial losses, identity theft, fraud, reputational damage and distress. Claiming compensation can help you recover any losses you’ve suffered as well as compensate you for any stress or upset caused.

HNK Solicitors has a team of expert data protection solicitors who can help you to make a successful claim. We know this can be a distressing experience, and we’re here to support you every step of the way, from gathering evidence to handling communications on your behalf. We’ll also ensure you get every penny you’re entitled to. Our team has a successful track record of helping our clients obtain compensation after their data has been breached.

If your data has been breached, get in touch with our team today to arrange a free consultation. If we feel you have a strong case, we can take on your claim on a no-win, no-fee basis, so you don’t have to pay a penny upfront to start your claim. Call us on 0151 668 0809 or email us at enquiries@hnksolicitors.com. Alternatively, fill in our online claim form, and a member of our team will be in touch to learn more about your case.
