The Unnecessary Burden

The ICO: Regulator or Passive Observer?

ICO · GDPR enforcement · Access to justice

The ICO describes itself as the UK’s independent authority for upholding information rights. Yet where it responds to non-compliance with advice, reprimands or complainant signposting rather than firm corrective action, the burden can shift from the regulator to the individual. That matters because data rights become weaker in practice when people are left to enforce them through slow, costly and uncertain legal routes.

Category: Regulatory accountability
Jurisdiction: United Kingdom
Reading time: c. 8 minutes
Last reviewed: 2 June 2026
By-line: Legal Lens

Publication snapshot

  • The article considers the ICO’s use of formal corrective powers, including enforcement notices and other regulatory action.
  • The central concern is that regulatory restraint can shift enforcement pressure onto individual data subjects.
  • Public-sector reprimands may expose failures, but they do not necessarily compel timely remedy for affected individuals.
  • Court and tribunal routes exist, but they can be costly, slow and unrealistic for many data subjects.
  • The reform route is stronger administrative enforcement, clearer complaint outcomes and better public reporting on why formal action is or is not taken.
Reader note: this article is public-interest commentary on ICO enforcement, data-subject rights and access to justice. References to regulatory reluctance, court deflection, weak deterrence or public-sector restraint are made as analysis and criticism. They should not be read as findings that the ICO has acted unlawfully in any individual case unless established by a court, tribunal, ombudsman, parliamentary committee, audit body or other competent authority.

Why ICO enforcement matters

Data protection rights are only meaningful if they can be enforced. A person whose subject access request is ignored, whose sensitive data is mishandled, or whose records are processed unlawfully should not have to become a private litigant before the law starts to matter.

The ICO has an important regulatory role. It can investigate, advise, reprimand, require compliance and impose penalties where the statutory threshold is met. It must also act proportionately and allocate finite resources across a very large complaint caseload.

The concern is not that every complaint should result in a fine or formal order. The concern is that repeated reliance on softer outcomes can make data subjects feel that the burden has been moved back onto them, even where the regulator has identified a real compliance problem.

Core issue: if the regulator identifies non-compliance but does not secure practical correction, the individual may be left with a right in theory and a court problem in practice.

The ICO has more than advisory powers

The ICO’s enforcement toolkit is not limited to guidance and informal engagement. Under the UK GDPR and the Data Protection Act 2018 framework, the regulator has corrective powers that can require organisations to change their conduct.

In practical terms, this includes enforcement notices, reprimands, monetary penalty notices and prosecutions. The important distinction is not simply whether the ICO “takes action”, but whether that action creates a concrete consequence for the organisation and a meaningful remedy pathway for the individual affected.

A reprimand can be significant. It publicly records regulatory criticism and may identify failings that need to be addressed. But it is different from a binding enforcement notice requiring specified steps by a specified deadline.

Reprimand

A formal statement of regulatory criticism. It may expose non-compliance, but it may not compel a specific remedy for the complainant.

Enforcement notice

A stronger corrective tool requiring an organisation to take, or stop taking, specified action to comply with data protection law.

The public-sector reprimand problem

The concern is that, particularly in the public sector, the ICO has often preferred reprimands and advisory outcomes over harder corrective action. Between February and June 2024, the article’s working material identifies ten public-sector reprimands as examples of that approach.

Public bodies should not be treated as ordinary commercial wrongdoers. Fines against public authorities can recycle public money from one public function to another, and the ICO has previously signalled a more restrained approach to public-sector monetary penalties.

But restraint on fines is not the same as restraint on remedy. If a public body has failed to comply with information-rights obligations, the regulator can still be expected to explain what correction is required, how quickly it must happen, and how affected individuals will know whether the failure has been fixed.

Practical point: a reprimand may be appropriate in some public-sector cases, but it should not become a substitute for corrective action where individuals remain without an effective remedy.

The court-burden issue

Where the ICO does not secure compliance administratively, data subjects may be directed towards legal remedies. Those routes may include complaints about the ICO’s handling, tribunal routes in specific contexts, or court claims against controllers and processors.

Those routes are not simple. They can involve procedural complexity, issue fees, legal costs, time pressure, evidence gathering and the risk of adverse outcomes. For many individuals, the existence of a remedy on paper does not mean there is an accessible route in practice.

The article refers to late-2024 criminal court backlogs in the Crown Court and magistrates’ courts. Those figures should not be treated as the direct route for data-protection enforcement claims. They do, however, illustrate a wider access-to-justice problem: the justice system is already under visible strain, and regulators should not shift avoidable enforcement burdens onto individuals where administrative resolution is available.

How enforcement burden shifts to the individual

  1. An individual complains that an organisation has failed to comply with data protection obligations.
  2. The regulator criticises, advises or closes the matter without securing a practical remedy.
  3. The individual is left to consider court or tribunal action.
  4. The right becomes dependent on resources, stamina and procedural confidence rather than regulatory protection.

Consequences for data subjects

For the individual, regulatory restraint has practical consequences. The first is prolonged uncertainty. A person may wait months for an organisation to respond, then months for complaint handling, only to be told that the next step lies elsewhere.

The second is financial pressure. Taking action to enforce data rights can require advice, drafting, evidence, fees and time away from work or caring responsibilities. Many people will not pursue a claim even where they have a legitimate grievance.

The third is deterrence by exhaustion. If organisations learn that the practical risk is often limited to correspondence, delay and a possible reprimand, some may treat non-compliance as manageable rather than urgent.

Rights on paper

The law gives individuals rights of access, rectification, erasure, restriction, objection and redress.

Rights in practice

Those rights depend on organisations responding and regulators making non-compliance costly enough to deter repeat failure.

Why public trust is at stake

Data protection law governs sensitive information: medical records, employment files, school records, social care information, policing data, financial details, location data and children’s information. Weak enforcement is not a technical concern. It affects people’s control over their lives.

If the ICO appears reluctant to require compliance in clear cases, public trust is damaged. Individuals may stop expecting meaningful protection. Organisations may discount the risk of non-compliance. The law’s deterrent effect is weakened.

The ICO’s credibility therefore depends not only on the number of complaints handled, but on whether people can see a clear link between breach, regulatory response and practical consequence.

Public-confidence point: a regulator can be proportionate without being passive. Proportionality should explain why action is tailored, not why correction is absent.

What reform should focus on

The answer is not to require hard enforcement in every case. That would be unrealistic and could create unfairness. The better approach is clearer triage, stronger corrective action where needed, and transparent reporting on why a complaint did or did not lead to formal action.

The ICO should be able to explain how it decides between advice, reprimand, enforcement notice, penalty and prosecution. It should also show how informal or softer outcomes secure compliance for the individual complainant and reduce repeat failure by the organisation.

Enforcement reforms

  1. Use enforcement notices more readily where organisations persistently ignore data-subject rights.
  2. Set clear deadlines for corrective action where non-compliance has been identified.
  3. Track repeat offenders and escalate where informal resolution fails.
  4. Publish stronger reasons when formal corrective action is declined.

Access-to-justice reforms

  1. Explain clearly when a complainant must go to court and what the practical route is.
  2. Reduce the need for individual litigation where administrative enforcement can resolve the issue.
  3. Publish complaint outcome categories that distinguish advice, closure, reprimand and corrective action.
  4. Report how many complainants obtain practical compliance after ICO involvement.

Selected references

ICO: Action we’ve taken, including enforcement notices, reprimands, monetary penalties and prosecutions.

ICO: Annual reports, including annual reporting on the regulator’s work and priorities.

GOV.UK: Criminal court statistics, the official collection for magistrates’ court and Crown Court caseload and timeliness statistics.

Legal framework: UK GDPR Article 58 and Data Protection Act 2018 sections 149, 150, 166 and 167.

Practical conclusion

The ICO does not need to fine every organisation or convert every complaint into a formal order. A serious regulator must be able to triage, advise, prioritise and act proportionately.

But proportionate regulation must still secure compliance. Where organisations breach data-protection obligations and individuals are left to pursue legal remedies on their own, the enforcement burden has shifted to the person least equipped to carry it.

Data rights are not meaningful if the regulator identifies problems but leaves practical enforcement to those with the money, time and resilience to litigate.

Closing point: if the ICO wants public confidence, it must show that information rights can be enforced administratively before ordinary people are pushed towards court.

Legal Lens supports litigants in person in civil, employment and tribunal proceedings in England & Wales.

This article is public-interest commentary and general legal-policy analysis. It is not legal advice, and reading it creates no professional relationship. ICO complaints, enforcement notices, reprimands, UK GDPR remedies, Data Protection Act 2018 claims, judicial-review routes, court applications and tribunal remedies are fact-sensitive and should be checked against current law, the ICO’s published materials and the evidence in the individual case.
