The Information Commissioner's Office (ICO) in the UK and its counterparts across the EU handle tens of thousands of data protection complaints every year. Most result in informal resolution — the regulator contacts the business, the business fixes the issue, and the matter is closed. But enforcement notices, fines, and public reprimands do happen, and the patterns from published enforcement actions reveal what regulators actually care about. Understanding these priorities helps you direct your compliance efforts where they matter most.
The ICO's published enforcement priorities
The ICO publishes its enforcement decisions and its strategic priorities. Read together, they show where regulators concentrate their attention on small businesses:
- Direct marketing without valid consent. This is consistently the highest-volume complaint category. In the UK, electronic marketing is governed by PECR alongside the GDPR, and the recurring failures are the same: emailing people who have not consented, buying contact lists, continuing to email contacts who have unsubscribed, or relying on consent mechanisms that do not meet the GDPR standard (pre-ticked boxes, consent bundled into terms of service).
- Failure to respond to DSARs. Ignoring a data subject access request, or answering it late or incompletely, is a direct, demonstrable breach: Article 12(3) sets a one-month deadline from receipt (extendable by two further months for complex requests, provided the requester is told within the first month), and individuals can report a missed deadline with specific evidence (timestamps, email trails). It is one of the most actionable complaints a regulator receives.
- Inadequate privacy notices. Vague, incomplete, or outdated privacy policies are frequently cited in ICO investigation reports as a contributing factor, even when the primary complaint is about something else.
- Data security failures. For small businesses, this typically involves accidental data exposure — sending emails with CC instead of BCC, inadequate password policies, or using unencrypted storage for sensitive data.
What makes a business a low-risk target
Regulators work largely reactively: they investigate in response to complaints and to the breach notifications that Article 33 obliges you to make, not by proactively auditing every business (the ICO does have audit powers, but uses them selectively). A business that generates no complaints and reports no breaches is unlikely to face investigation regardless of its actual compliance state. This does not mean compliance is optional; it means that getting the customer-facing elements right reduces complaint risk dramatically.
The highest-risk behaviours are those that generate individual complaints: sending marketing emails without clear consent records, ignoring DSAR requests, or making it difficult for users to exercise their rights. Businesses that make it easy for people to opt out, easy to request their data, and easy to understand what their data is used for generate fewer complaints — and therefore attract less regulatory attention.
How to document your compliance
Article 5(2) of GDPR — the accountability principle — requires you not just to comply with the regulation but to be able to demonstrate that you comply. In practice, this means keeping records. Your compliance documentation should include:
- A Record of Processing Activities (ROPA) under Article 30, listing your processing activities, lawful bases, and retention periods. The Article 30(5) exemption for organisations with fewer than 250 staff does not apply where processing is not occasional or involves special category data, so a business that runs a customer database or regular marketing still needs one.
- Records of consent: when consent was obtained, through what mechanism, and what the user consented to
- DSAR logs: date received, date responded, what was provided, and whether the one-month deadline was extended
- DPAs with your processors, covering the Article 28(3) terms, kept on file even if never needed
- Evidence of privacy policy update history — showing what changed and when
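A DSAR log is only useful if you actually check it against the statutory clock. The script below is an added example, not code from the original article: it reads a log in the shape the list above describes (date received, date responded, plus a request id and an "extended" flag, all assumed column names) and classifies each request as on time, late, open, or overdue. The one-month deadline and the two-month extension come from Article 12(3); the month-counting rule (the same date in the following month, or the last day of that month if it has no such date) follows the ICO's published guidance on calculating the deadline. The sample log is constructed for the example.

```python
"""Check a DSAR log for missed Article 12(3) deadlines.

Added example, not part of the original article. Column names
(request_id, received, responded, extended) are assumptions about how
the log is kept; the deadline rules are those of GDPR Article 12(3).
"""
import csv
import io
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample log for the example; these are not real requests.
# 'extended' records whether the requester was told, within the first
# month, that the two-month extension was being used.
SAMPLE_LOG = """request_id,received,responded,extended
DSAR-001,2024-01-15,2024-02-10,no
DSAR-002,2024-01-31,2024-03-05,no
DSAR-003,2024-01-20,,no
DSAR-004,2024-02-01,,yes
DSAR-005,2024-03-01,,no
"""


@dataclass(frozen=True)
class DsarRecord:
    request_id: str
    received: date
    responded: Optional[date]
    extended: bool


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping to the end of the month.

    Follows the ICO's counting rule: a request received on 31 January is
    due on 28 or 29 February, because February has no 31st.
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, monthrange(year, month)[1])
    return date(year, month, day)


def parse_log(text: str) -> list:
    """Parse the CSV log into DsarRecord objects; blank 'responded' means still open."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        responded = row["responded"].strip()
        records.append(DsarRecord(
            request_id=row["request_id"].strip(),
            received=date.fromisoformat(row["received"].strip()),
            responded=date.fromisoformat(responded) if responded else None,
            extended=row["extended"].strip().lower() == "yes",
        ))
    return records


def deadline(rec: DsarRecord) -> date:
    """One month from receipt, or three months if an extension was notified."""
    return add_months(rec.received, 3 if rec.extended else 1)


def classify(rec: DsarRecord, today: date) -> str:
    """on_time / late for answered requests; open / overdue for unanswered ones."""
    due = deadline(rec)
    if rec.responded is None:
        return "overdue" if today > due else "open"
    return "late" if rec.responded > due else "on_time"


def review(records: list, today: date) -> dict:
    """Map each request id to its status as of 'today'."""
    return {r.request_id: classify(r, today) for r in records}


def needs_action(records: list, today: date) -> list:
    """Request ids that are overdue, sorted, for the weekly compliance check."""
    return sorted(r.request_id for r in records if classify(r, today) == "overdue")


if __name__ == "__main__":
    today = date(2024, 3, 15)
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec.request_id, "due", deadline(rec), "->", classify(rec, today))
    print("needs action:", needs_action(recs, today))
```

Run it weekly against the real log and treat anything in `needs_action` as a complaint waiting to happen; DSAR-002 in the sample shows why the month-end clamping matters, since a response on 5 March to a request received on 31 January is already late.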
If a regulator does contact you, these records demonstrate that you take compliance seriously and have processes in place. Businesses that can produce documentation typically face lighter scrutiny than those who cannot — even if the underlying practices are similar.