Data Privacy investigation reveals only 0.25pc of reported data breach cases fined under GDPR

Data requested by shows that of 11,468 data breach cases closed by the ICO since GDPR’s implementation, only 29 have resulted in financial penalties

An investigation by has revealed that only a minuscule percentage of data breach cases closed by the data protection regulator since the introduction of the General Data Protection Regulation (GDPR) have resulted in monetary penalties.

The data, which was obtained by under the Freedom of Information Act, shows that 11,468 self-reported data breach cases were closed by the Information Commissioner’s Office (ICO) between the implementation of the GDPR on 25 May 2018 and the end of March 2019. Public records displayed on the ICO website show that during this period a total of 29 monetary penalties were issued by the regulator – a penalty rate of just 0.25 per cent

The data also revealed that 37,798 data protection concerns have been raised by members of the public since 25 May 2018. This figure is nearly three times the number of actual data breach cases investigated by the ICO during this same period (12,854).

Julian Ranger, founder of, said: “There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.”’s analysis of the data revealed that the sectors with the most self-reported data breach cases include health, education, and finance. The sensitive nature of the data collected by these sectors will only heighten existing concerns about personal data usage.

Julian said: “Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organisation that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”

An informed consent process, such as that available on the platform, allows users to privately share data with a third party (such as their bank).

Users must grant their explicit permission before the data is shared and no data is transferred from their device to the third party without full consent – all data operations can happen inside an app or within a temporary virtual personal cloud that terminates when done.

This process meets all regulatory requirements.