Today the ICO published its 2019-20 annual report, which covers the 12 month period up to 31 March 2020.  

The report notes that during 2019/20 the ICO took regulatory action on 236 occasions. In particular, the ICO issued 54 Information Notices, 8 assessment notices, 7 Enforcement Notices, 4 cautions, 8 prosecutions and 15 fines. The ICO also conducted 2,100 investigations during the year.  

Whilst the report reflects on what has happened over the past year, importantly it also includes key priorities and activities the ICO has planned for the year ahead, which include: 

  • AI Auditing Framework Guidance: The ICO published its draft AI auditing framework guidance for consultation earlier this year (you can read our summary here), and noted in its annual report it intends to publish the final guidance during summer 2020;
  • Age Appropriate Design Code: The final version of the ICO's Age Appropriate Design Code was published earlier this year and has been laid before Parliament (you can read our summary here). The ICO intends to engage with stakeholders to explain the requirements of the Code and seek views on additional support required, which will inform its work during 2020/21 to develop "practical support before the Code comes into effect". The ICO also noted it will be developing its "approach to regulatory supervision of those covered by the Code."
  • Privacy Enhancing Technologies ("PETs"): the ICO will engage with stakeholders on this issue during 2020/21, with the intention of ultimately producing new and updated guidance on PETs; 
  • Brexit: The ICO noted a key area of its focus over the next year will be developing new mechanisms and approaches for its relationship with the EDPB, the EU Commission and individual data protection authorities in the EU. The ICO will also continue providing advice to the UK Government on new approaches to continued regulatory cooperation between the UK and EU and to define the ICO's role in the EU Adequacy process; 
  • AdTech and Real Time Bidding ("RTB"): A key focus for the ICO has been data protection compliance in relation to AdTech and RTB  (you can read our previous summary here). In its annual report, the ICO has noted that its AdTech work is not complete, and significant additional effort is required in its view to address issues in the RTB ecosystem, which will be a focus for the ICO during 2020/21. In line with the ICO's regulatory approach during COVID-19 (you can read more about this here), the ICO has decided to pause its investigation into RTB and AdTech. However, the ICO aims to restart its work in 2020/21 when "the time is right"';
  • Accountability Framework: Following its consultation on an accountability toolkit in December 2019, the ICO intends to launch its Accountability Framework in 2020/21, which will set out its expectations on practical steps needed to demonstrate compliance with data protection legislation; and 
  • Data Protection Fee: The ICO has been actively pursuing payment of the Data Protection Fee by organisations. At the end of 2019/20 the ICO wrote to approximately 1 million companies that are registered with Companies House but had not registered with the ICO to pay the data protection fee, which resulted in a 24% increase in fees collected compared to the previous year. The ICO has paused this proactive measure following the outbreak of COVID-19, but expects to resume this again during 2020/21.