It was proof that data protection regulators have their work cut out when July saw the launch of the ICO's first International Strategy, designed to help it meet overseas challenges including increased globalisation, changing technology, GDPR and Brexit.
The strategy set out four key initiatives, which focus on being an “influential data protection authority” in Europe both before and after Brexit and ensuring that the UK’s data protection laws are maintained at a high global standard.
However, when it came to GDPR guidance, the regulator faced growing criticism over its lack of action, with a number of brands, including Flybe and Morrisons, caught out by repermissioning campaigns.
Price comparison website Moneysupermarket.com was also found to have broken the rules, triggering an £80,000 fine for contacting millions of customers who had opted out of marketing.
The lack of guidance forced the Data Protection Network to take matters into its own hands by joining forces with the DMA, ISBA and other data protection experts to publish its version of how businesses can use "legitimate interests" to access personal data under GDPR.
Meanwhile, the ever-efficient Germans claimed to be well ahead of the curve, by being the first EU country to finalise its national legislation to bring it in line with GDPR. The Federal Data Protection Act (FDPA) clarified the circumstances in which businesses will be obliged to appoint a data protection officer (DPO), as well as conditions for processing employee data. In addition, the FDPA addressed rules on the processing of personal data for research and statistical purposes, and the rights of citizens.
Whether this sparked the UK Government into action is not known, but within weeks of the German move the Department of Digital, Culture, Media & Sport (DCMS) confirmed that it intended to introduce draft legislation for the UK Data Protection Bill as soon the summer recess was over.
For her part, Information Commissioner Elizabeth Denham used the summer to launch a series of blog posts to tackle GDPR "fake news", pledging to clear up the misinformation about how businesses will be affected by the new data protection legislation.
Designed to separate fact from the fiction, the Commissioner tackled the thorny issue of potential fines under GDPR, and pledged to publish future "myth-busting" blogs on consent, guidance, the burden on business and breach reporting.
Elsewhere, the Government was urged to redouble its efforts to encourage students to study STEM (science, technology, engineering and maths) subjects - qualifications which are seen as vital to tackle to looming tech and data skills shortage - following claims that, despite an increase in this year's A-levels, it is only scratching the surface.
A total of 41% of total A-level entries were in STEM subjects (up slightly from 39% in 2015 and 40% in 2016). But for girls, the figure remained static at 35%, while 46% of entries for boys were in STEM.
September brought one of the biggest - and most controversial - stories of the year when Equifax admitted that hackers had exposed the personal data of 143 million customers in the US and an unspecified number in both the UK and Canada.
While data breaches are common these days, it was the way Equifax handled the issue which drew the biggest criticism, with both the US and UK Governments demanding answers over why the firm took so long to notify customers.
Having initially claimed that "just" 400,000 UK records had been breached and that financial fraud was "highly unlikely", the firm was eventually forced to admit that the breach had exposed 15.2 million UK records and 700,000 Britons. This is on top of the 143 million US citizens who were affected.
Whether Equifax will ever recover from the damage the breach caused is another matter. Investigations on both sides of the Atlantic are continuing.
Away from the Equifax furore, the Data Protection Network backed calls for the ICO to receive a boost in funding, arguing that the regulator's inability to recruit and retain senior staff was hampering all businesses efforts to be compliant with GDPR.
The move followed Elizabeth Denham's claims that ICO is facing a major challenge due to increased competition from both the public and private sector, as organisations staff up in preparation for GDPR.
One area where the UK regulator has been ploughing resources is in its battle against so-called nuisance calls, yet October saw fresh claims that its clampdown is in danger of becoming toothless after yet another company - Liverpool-based The Lead Experts - was hit with a fine only to shut up shop to avoid paying it.
According to a 2016 Which? report, only four of the 22 fines which had been issued by the ICO since 2015’s reforms had actually been paid, but this does not include this year's cases. The Government has yet to announce whether it will resurrect plans to make company directors personally liable for fines, dropped in the run up to June’s general election.
Away from the rogues, data's role in improving lives came to the fore when the Open Data Institute joined a new initiative - launched by global research-based biopharmaceutical company AbbVie - designed to tackle a major psychological barrier which prevents people from seeking medical advice when they have worrying symptoms.
The Live:Lab project aims is to create a positive new approach to help the public and NHS to overcome the condition, known as "Fear of Finding Out", which stops people coming forward for early diagnosis and treatment.
October also saw confirmation that data scientists are now some of the best paid professionals in the technology industry, fuelled by organisations' quest for artificial intelligence and machine learning expertise, combined with a dearth of candidates with suitable skills.
According a survey from salary benchmarking website Emolument, the demand for data scientists has been driven by large accountancy and financial services firms.
Further evidence emerged of data's role as a force for good with the publication of research by The Institute of Cancer Research which it is hoped will enable health professionals to personalise radiotherapy treatment for prostate cancer by predicting men’s risk of side effects.
For the first time, researchers applied big data analytics to information - including medical history, genetics, radiotherapy dose, and reported side effects - from more than 700 men given radiotherapy to treat their prostate cancer. They believe this data can be used to create personalised treatment plans for prostate cancer patients.
One company which might need medical assistance is Uber, which is facing investigations on both sides of the Atlantic after admitting that it paid hackers a $100,000 (£75,000) ransom back in October last year to delete data they had stolen on about 57 million customers and 7 million drivers. The ICO said the fact that Uber concealed the data breach "raises huge concerns around its data protection policies and ethics".
Meanwhile, in a wake-up call for other brands, it was predicted that millions of UK consumers could submit subject access requests (SARs) to find out what personal information businesses hold on them after the GDPR goes live in May next year, with financial services, social media sites and mobile network providers in the firing line.
While the findings of the study by Exonar showed that the majority (70%) of people have no idea about the changes, once GDPR and the term SAR was explained to them, 57% said they would raise a SAR.
The dire consequences of shoddy data governance raised its head once more, when Morrisons was ordered to pay compensation to over 5,000 staff - past and present - over the 2014 data breach caused by a disgruntled employee.
Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the 5,518 claimants, hailed it as a landmark victory. He said: "We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK. Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure."
A separate court case saw a director and senior employee of a Kent-based firm of loss adjusters, Woodgate & Clark, and two private investigators found guilty of unlawfully disclosing personal data illegally obtained.
The first case brought by the ICO under the so-called "blue-chip data theft" investigation was triggered back in 2013 when the Serious Organised Crime Agency handed the regulator a dossier of corporate clients of criminal private investigators, accused of the illegal trade in confidential personal information.
But to end the year on a high, there was at last some good news for firms concerned about the future of data-driven marketing, whether through the looming GDPR, the regulators or the courts.
While the research from Accenture claimed that poor personalisation and lack of trust prompted nearly two-fifths (38%) of UK consumers to defect to a different company over the past 12 months, the rise of artificial intelligence, machine learning and digital assistants could prove a boon.
Accenture Strategy managing director and advanced customer strategy lead for the EALA region Rachel Barton explained: “As technologies such as become more sophisticated and mainstream, companies are creating new touchpoints, offerings and services that intelligently anticipate and flex to their customer’s precise needs, offering a level of hyper-relevance not experienced before.
"Those that succeed will hit a ‘sweet spot’, whereby UK customers will be willing to share more personal insights into their world in return for greater value and the confidence that their data is protected."
Way back in January Gartner predicted as much and, it seems, it may well be on to something...
Missed the big stories in the first half of 2017? Catch up with them here.