Data Protection: What are the ICO’s enforcement powers?


When the General Data Protection Regulation came into force in 2018, much attention was paid to the potential for fines of up to £17.5m for failing to comply with data protection rules. The reality is that the Information Commissioner’s Office (ICO) has not considered fines appropriate for every breach of the rules. So the question arises: what other enforcement powers exist?

What is the role of the ICO?

The ICO is the UK regulator responsible for the control and regulation of information. It has several remits, but the key one considered in this guide is its role in relation to personal data: ensuring organisations protect it and comply with the Data Protection Act 2018 (DPA 2018) and the UK GDPR.

What are the Enforcement Powers?

The ICO has different enforcement powers under the DPA 2018. These include the ability to conduct investigations, the use of assessment notices, warnings, reprimands, enforcement notices and the issue of a penalty notice or fine. Where it is a serious breach, the ICO can issue a fine of up to £17.5 million or 4% of global turnover.

Where the ICO becomes aware of a concern, it will record and consider it. The concern may be joined with other similar issues raised about an organisation or considered on its own.

As part of its investigatory powers, the ICO can issue an information notice requesting information needed to enable the ICO to carry out its functions. There is no general exemption for confidential material, but there are restrictions on correspondence where an organisation has sought legal advice on its obligations under data protection rules. The ICO can also issue an assessment notice, which essentially allows entry to premises, inspection of documentation and the ability to conduct interviews. This can be done by notice or as an unannounced inspection in urgent situations. The ability to enter and inspect is in addition to the option for organisations to have voluntary audits carried out by the ICO.

Enforcement notices

If the ICO is satisfied there has been a failure to comply with data protection rules, it can issue an enforcement notice which requires an organisation to take specified steps, to stop doing certain things, or both. Common examples would be ordering an organisation to respond to a request for information, placing restrictions or a ban on processing certain information, or setting out changes the organisation must make within a set period to become more compliant with the rules. In addition, the ICO can issue a warning that processing is, or is likely to be, in breach of the UK rules, or it can issue a reprimand. The ICO will publish details of any reprimand on its website, setting out the background to the issue, details of the reprimand and the action that the ICO requires the organisation to take.

Penalty notices

The fining power granted to the ICO is the ability to issue a penalty notice (a fine) to organisations, although it will likely only be used in more serious cases or where the organisation shows little regard for the rules. The fine imposed will depend on the seriousness of the breach, whether the infringement was intentional or negligent, and the impact it has on individuals (together with any steps taken by the organisation to mitigate the damage).

Criminal Offences

In addition to the ICO’s civil enforcement powers, there are certain criminal offences under the DPA 2018 which organisations should be aware of, such as giving false information to the ICO in response to an information notice, destroying or falsifying documents, unlawfully obtaining personal data, or altering or destroying personal data to avoid disclosure under a subject access request. If convicted of any of these offences, the individual could be liable to pay a fine of any amount, as there is no longer a set maximum.

What about mitigating circumstances?

The ICO has said that, despite having these enforcement powers, it is more interested in helping organisations to get data protection right. It will also consider all mitigating circumstances when using its enforcement powers. The most common approach for a one-off minor breach would be remedial action.

The ICO will also look at the following as mitigating circumstances:

  • an organisation has made a genuine effort to comply with data protection rules;
  • there is a negligible or low extent of harm to the individual;
  • an organisation has appointed a data protection officer or other person responsible for ensuring data protection is considered internally (which may include taking legal advice externally);
  • it is a first offence, and the organisation has engaged with the process, rather than hiding non-compliance; and
  • there is a culture of good data handling, such as regular staff training and a “lessons learned” approach if anything does happen.

Who can they take action against?

Under data protection rules, the ICO can take action against controllers (the organisations which make the decisions about the collection and use of personal data) and processors (organisations which act on behalf of a controller in line with its instructions). The ICO can also take action against anyone who has misused personal data, so this may extend to individuals (including employees within an organisation) if they have unlawfully accessed and used personal data.

Why does it matter?

Organisations should clearly be taking compliance with data protection rules seriously, to build trust in their use of personal data and use such data lawfully. The best way to avoid any enforcement action from the ICO (or other regulator) is to be compliant with data protection rules, deal with issues when they arise and act promptly in responding to any enforcement notice. Having an effective data protection framework in place will also enhance customer confidence in the organisation and minimise harm to organisational reputation. Where enforcement action is taken, having evidence to show compliance with data protection rules should also reduce the likelihood of a substantial fine from the ICO.

How can we help?

The experienced team at MBM are able to help your business take steps to avoid enforcement action, whether with advice on a particular issue or with greater involvement to create a robust compliance framework. If your business has received an enforcement notice, it is important you deal with it quickly, and we are also able to represent businesses during any investigations or other enforcement action by the ICO.

If you think your company could benefit from a compliance health check, or if you would like to discuss anything further, please contact Ruth Weir.
