Following the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) coming into force on 25 May 2018, the Information Commissioner’s Office (ICO) (the UK’s data regulator) has refreshed its Regulatory Action Policy (the Policy) (a copy of which can be found here).

The content of the Policy is of key importance as it sets out how, and in what circumstances, the ICO will pursue its enhanced powers of criminal and civil regulatory enforcement action against organisations in breach of information rights. Given the ICO's extended powers following commencement of both the GDPR and UK Data Protection Act 2018 in May 2018, such guidance is welcome.

Although the Policy is subject to Parliamentary consultation and is unlikely to be approved before Spring 2019, it is already publicly available on the ICO’s website. We do not anticipate that it will change materially before being produced in final form.

In this alert, we have provided a summary of the Policy, with a focus on the key points to note and the ICO's cross-jurisdictional approach. We have also compared the ICO's approach to enforcement with that of the Financial Conduct Authority (FCA), as there are several similarities between the two.

1. How and when the ICO will take action and similarities to the approach taken by other regulators

The Policy provides guidance on how and when the ICO will take action for a breach of information rights. The ICO will adopt a selective approach to the action it takes.

When assessing if and how to respond, the ICO will consider certain criteria including (but not limited to):

  • The nature and seriousness of the breach
  • The categories of personal data affected
  • The number of individuals affected
  • The gravity and duration of the breach
  • Whether there is the possibility of similar issues arising again if not addressed, and
  • Whether another regulator has taken enforcement action against the firm in respect of the same matter

The ICO will also consider any aggravating or mitigating factors where relevant.

Aggravating factors might include:

  • An intentional, wilful or negligent approach to compliance
  • Whether relevant advice, warnings, consultation feedback, conditions or guidance from the ICO and/or the Data Protection Officer has not been followed
  • Prior regulatory history and the vulnerability of customers, or
  • Any financial benefits gained or losses avoided by the firm in breach

Mitigating factors might include:

  • Any action taken by a relevant individual or organisation to mitigate or minimise any damage suffered, or
  • Early notification by the relevant individual or organisation to the ICO of the breach or issue

The Policy clearly indicates the benefits both of transparency in all interactions with the regulator and of ensuring that the seriousness and importance of regulatory action is appreciated, with an appropriate audit trail documented so that compliance can be evidenced.

We consider that the ICO's approach resonates with the FCA's approach to enforcement and its 'penalty-setting regime'. In March 2010, with the objective of increasing transparency, the FCA introduced a five-step framework for setting financial penalties. The Policy also takes a five-step approach to penalty setting, the elements of which are identical or very similar to those in the FCA's framework.

At 'Step 2' of both regimes a figure is determined which reflects the seriousness of the breach, including the degree of actual harm or risk of harm, whether the breach was deliberate or reckless, and any systemic failures. At 'Step 3' the penalty may increase or decrease if there is evidence of factors which aggravate or mitigate the breach. The factors considered by the FCA include:

  • The conduct of the firm in bringing (or failing to bring) quickly, effectively and completely the breach to the FCA's attention
  • The degree of cooperation the firm showed during the investigation of the breach
  • Any remedial steps taken since the breach was identified such as any redress exercises
  • Whether the firm had previously been told about the FCA's concerns in relation to the issue, and
  • The previous disciplinary record and general compliance history of the firm

It is clear that the ICO has adopted a very similar approach to the FCA in assessing the nature and severity of any breach.

2. ICO New Powers - Information and Assessment Notices

  • Information Notices - This is described as a formal request for a data controller, data processor or individual to provide the ICO with information, within a specified time frame, to assist the ICO with its investigations. In some circumstances it may be a criminal offence to provide a response which is false in any material respect. The ICO was previously limited to serving information notices on data controllers; however, this power has been expanded to include data processors and individuals. Information Notices appear to embody similar qualities to the FCA's "Information Requirements", which it can send to firms subject to enforcement pursuant to its statutory powers under the Financial Services and Markets Act.
  • Assessment Notices - This is described in the Policy as a notice which is issued by the ICO to a data controller or data processor to allow the ICO to investigate whether the controller or processor is compliant with data protection legislation. The notice may, for example, require the controller.
  • Enforcement Notices - The purpose of an enforcement notice is to begin action (or halt action) to bring about compliance with information rights and/or remedy a breach.

3. Cross border approach

The Policy also provides guidance in relation to those who operate on a cross-border basis and consequently have international data flows within their business. The ICO confirms in the Policy that it will take action in support of its 'International Strategy' and in line with its 'cooperation and consistency mechanism obligations' under the GDPR.

This means that in cases involving cross-border information flows the ICO will liaise internationally with other supervisory authorities to identify the most appropriate regulatory response. This will include identifying any lead authority or other concerned supervisory authorities under the GDPR (usually where the controller’s ‘main establishment’ is based), as well as sharing information to assist investigations, provide mutual aid and secure appropriate regulatory outcomes.

On this basis, data controllers with international operations should establish an internal reporting mechanism to ensure that all necessary breach notifications are made, preferably simultaneously.

4. Next Steps

Part 5 Article 139 of the Data Protection Act 2018 sets out the duty of the ICO to lay reports relating to the carrying out of its functions before Parliament. Consequently, the draft Policy is currently subject to Parliamentary consultation and is unlikely to be approved before Spring 2019.

Following approval, the Policy will be published on the ICO website and will remain under regular review, with a review at least at the end of 2021 (the end of the ICO's Information Rights Strategic Plan 2017 - 2021).

The ICO has said that it will update the Policy to reflect any amendments to legislation, including any implementation of an updated e-Privacy Regulation, likely to occur towards the end of 2019 / start of 2020, and once the final settlement between the EU and the UK post-Brexit is confirmed.