Figures obtained under a Freedom of Information Act request show that Britain’s data protection watchdog has imposed just 29 financial penalties out of a total of 11,468 self-reported data breach cases since Europe’s toughened privacy rules came into force last May.

Furthermore, all of the financial penalties were imposed under the United Kingdom’s previous legislation, the Data Protection Act, rather than under the European Union’s General Data Protection Regulation (GDPR).

The Information Commissioner’s Office (ICO) has yet to issue a fine under GDPR, although the regulator has said that the first fines “are due to be issued soon once the necessary legal processes have been completed.”

Data privacy specialist also found that 37,798 data protection complaints have been raised by members of the public since GDPR went into force on May 25, 2018 (numbers are through the end of March). This figure is nearly three times the number of actual data breach cases investigated by the ICO during this same period (12,854).

Julian Ranger, founder of, believes that “there is a clear problem with individuals and businesses over-reporting to the ICO” and that “businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data.”

“This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation,” adds Ranger.’s analysis of the data revealed that the sectors with the most self-reported data breach cases include health, education, and finance.

“We are a proportionate and pragmatic regulator, our work is not just about fines—we prefer education to enforcement but will take our strongest action against those that wilfully, negligently or consistently flout the law,” an ICO spokesman said.