ICO enforcement in financial services: trends and priorities
The Information Commissioner's Office (ICO) is the UK's independent data protection supervisory authority, responsible for enforcing the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). While the ICO's largest penalties have typically been issued to technology companies and healthcare providers, the financial services sector is a significant and growing enforcement focus, reflecting both the volume and sensitivity of personal data processed by financial firms and the increasing incidence of data breaches arising from cybersecurity incidents and third-party failures.
The ICO's monetary penalty framework — under which penalties of up to £17.5 million or 4% of global annual turnover can be imposed — has been used in the financial sector in connection with failures in data security, inadequate breach notification, and unlawful direct marketing. The ICO's enforcement decisions in the sector have focused on three main areas: large-scale data breaches where inadequate technical and organisational measures contributed to the breach; PECR violations involving electronic marketing without valid consent or a legitimate interest basis; and failures to respond to data subject access requests within the required timescale. The ICO's 2024/25 enforcement priorities include AI governance, children's data protection, and data broker practices — all of which have significant financial services implications.
Data breach notification under UK GDPR Article 33 requires firms to notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals. In practice, many financial firms are dealing simultaneously with the ICO's breach notification requirement and the FCA's SUP 15 notification requirement when a cyber incident occurs. The two notifications are distinct in content and audience — the ICO focuses on the personal data aspects, the FCA on the operational and market impact — but they must be coordinated carefully to ensure consistency. Inconsistent accounts to the two regulators are a significant risk, and firms should have a designated coordination point for dual-regulator notifications.
AI governance is an emerging ICO enforcement focus that is highly relevant to financial services. The ICO's guidance on AI and data protection, published in 2023 and updated in 2024, sets out requirements for transparency, fairness, and accountability in AI-assisted processing of personal data. Financial firms using AI for credit decisioning, fraud detection, or customer segmentation must comply with these requirements, including: providing meaningful information to individuals about automated decision-making that significantly affects them; ensuring that automated decisions can be reviewed by a human at the individual's request; and conducting data protection impact assessments (DPIAs) for high-risk AI processing. The ICO has indicated that it will take enforcement action where AI systems breach UK GDPR, and has identified the financial sector as a priority area.
Cooperation with the ICO
As with the FCA, cooperation with the ICO in the event of a breach or investigation is a significant factor in the outcome. Firms that self-report breaches promptly, provide complete information, demonstrate genuine remediation, and cooperate with the ICO's investigation typically receive more favourable treatment than those where the ICO discovers breaches through complaints or third parties. Firms should ensure that their data protection officer (DPO) — or equivalent — has direct access to senior management and to the FCA liaison function, and that internal escalation processes do not introduce delays into the breach notification timeline.