In data protection terms, the old Chinese curse means the ICO or an EU supervisory authority landing on your doorstep. And in 2024, that became a reality for thousands of organisations.
The ICO received nearly 35,000 complaints — and issued enforcement action across a wide range of sectors.
Most complaints don’t lead to fines, but we still saw significant penalties, including:
So, drawing on these regulatory actions, what are the key compliance lessons we can take into 2025?
Here are our top 10 takeaways — with a practical focus on managing regulatory risk:
1 – Maintain robust cybersecurity
Cyber-attacks don’t just target the under-prepared — big brands like M&S, Harrods and Co-op have all been hit. Regulators expect you to have MFA, up-to-date patching, and vulnerability scanning in place — even if you outsource IT. As the Advanced Computer Software case showed, processors are now directly accountable under UK GDPR.
2 – Respond to data breaches
The law requires breach notifications within 72 hours of becoming aware — not after your forensics team finishes. A personal data breach is not just a hacking attack. The most common data breaches are misdirected emails and lost devices holding unencrypted data. But not all breaches are notifiable. You only need to notify the ICO if the breach is likely to result in a risk to individuals’ rights and freedoms (e.g. identity theft, financial loss, or reputational harm). If the risk is high, you must also inform the affected individuals without undue delay. Have a clear incident response plan in place so you don’t have to make it up as you go along against a ticking clock. And remember to record all breaches in an internal log, even if they are not notifiable.
3 – Handle DSARs properly
Over 40% of UK complaints were about subject access. Many organisations fail to identify informal DSARs that don’t mention “GDPR” — but still count. Train staff and use an internal DSAR policy to ensure timely and compliant responses.
4 – Take care when relying on consent or legitimate interests for marketing
Electronic marketing (emails, texts, calls) is governed by PECR, not just UK GDPR. Under PECR, for unsolicited marketing to individuals (B2C), consent is generally required. That means freely given, specific, informed, and unambiguous consent — no pre-ticked boxes or bundled terms. The only exemption is the “soft opt-in”, which may apply if: (i) you obtained the contact details in the course of a sale or negotiation for a sale of a product or service, (ii) you’re marketing similar products/services, and (iii) you gave the individual a chance to opt out at the point of collection and in every subsequent message. If those conditions aren’t met, consent is required.
Legitimate interests (LI) under UK GDPR may be relevant for the lawful basis for processing, but it cannot override PECR’s consent requirement where PECR applies.
For corporate subscribers (e.g. generic work addresses like info@company.com), PECR does not require consent for marketing emails. However, the use of personal data still needs a valid lawful basis under UK GDPR — typically legitimate interests — which must be balanced against the individual’s rights. And even where consent isn’t required, recipients must always be given the right to opt out.
Regulators are cracking down on vague opt-ins, missing unsubscribe links, and bought-in lists where consent is not valid or transferable. If you’re relying on consent, keep records of who, what, when, and how it was obtained — and make it easy to withdraw.
5 – Respect data minimisation and retention
Only collect what you need, for a defined purpose. Holding on to unnecessary personal data increases risk and undermines compliance with rights like erasure. Regular audits, data mapping, and retention schedules are your best tools here.
6 – Use appropriate safeguards for international transfers
The Uber and TikTok fines show regulators are serious about cross-border data flows. If you’re exporting data outside the UK or EU, ensure your transfer mechanisms — like SCCs or IDTA — are legally and operationally sound. And document your transfer risk assessments.
7 – Embed accountability
Having a privacy policy isn’t enough. You need to show how compliance is lived across the organisation: through training, audits, DPIAs, and breach drills. A culture of accountability can stop small errors becoming regulatory events.
8 – Apply extra care to children’s and special category data
Sensitive data (e.g. health, biometrics, religion) and children’s data require additional safeguards and stricter legal bases. Recent EU fines show that this is a growing focus; if you handle this type of data, your controls must reflect the higher risk.
9 – Stay ahead of emerging risks
Expect growing regulatory scrutiny of AI systems, processor accountability, and children’s services. The ICO’s guidance on AI emphasises fairness, transparency, and explainability — and the EU AI Act is coming.
10 – Engage proactively with the ICO (or any regulator)
The ICO prefers early resolution. If you’re cooperative, responsive, and quick to remediate, you’re in a far stronger position. Don’t go silent or adversarial unless you have a strategy.
If you do come to the attention of the authorities — that “curse” may not need to end badly. With clear policies, strong processes, and a proactive mindset, you can stay ahead of regulatory risk.
If you have questions about compliance or if you require risk management advice and support, please contact our data protection and privacy team.