The Information Commissioner’s Office (ICO) has begun consultation on a new Regulatory Action Policy (“the Policy”). The Policy is intended to provide “direction and focus” for those the ICO regulates, for the public and for its own staff, and therefore demands careful consideration by anyone concerned about regulatory action in the GDPR era. Critically, the Policy reiterates the ICO’s commitment to a balanced approach to regulation: an environment in which data subjects are protected whilst business is able to operate and innovate efficiently:
“We will be as robust as we need to be in upholding the law, whilst ensuring that commercial enterprise is not constrained by red tape, or concerns that sanctions will be used disproportionately.”
The Policy sets out the ICO’s regulatory priorities in the coming year and its objectives in regulatory action. This Policy also fulfils the ICO’s statutory obligation to provide guidance concerning its use of compulsory powers in serving Assessment Notices, Enforcement Notices and Penalty Notices. The Policy is intended to cover all 11 pieces of information legislation for which the ICO is responsible.
Regulatory priorities for 2018-2019
Any organisation which operates in the following areas of ICO regulatory priority should remain mindful of its regulatory and legal obligations, particularly with respect to data protection legislation:
Large scale data and cyber security breaches involving financial or sensitive information;
AI, big data and automated decision making;
Web and cross device tracking for marketing (including for political purposes);
Privacy impacts for children (including Internet of Things connected toys and social media / marketing apps aimed at children);
Facial recognition technology applications;
Credit reference agencies and data broking;
Use and sharing of law enforcement data, including intelligence systems; and
Right to be forgotten/erasure applications.
Objectives of regulatory action
The Policy sets out five new objectives to guide the ICO’s regulatory action. These underline its existing commitment to proportionate, consistent and targeted action, whilst not imposing undue regulatory burden upon organisations. They also make plain the ICO’s intention to respond to risk as it emerges in this rapidly developing digital age.
To respond swiftly and effectively to breaches of legislation which fall within the ICO’s remit;
To be effective, proportionate, dissuasive and consistent in its application of sanctions;
To support compliance with the law and promote good practice;
To be proactive in identifying and mitigating new or emerging risks arising from technological and societal change; and
To work with other regulators and interested parties constructively, at home and abroad with a view to reducing the regulatory burden on organisations.
With respect to the last objective, there is a recognised need to ensure that the ICO’s wide mandate does not create unnecessary regulatory overlap. The Policy recognises the ICO’s active role in cross-border work, sharing of intelligence and experience with other data protection authorities, and co-ordinating with such authorities on investigations.
Selecting appropriate regulatory action
The ICO has an even wider range of regulatory action available to it following the introduction of GDPR. The considerations for selecting appropriate regulatory activity have been discussed here in the context of fines. Broadly, the ICO will consider the nature and extent of the breach, the conduct of the relevant individual or organisation, whether any other regulator is already taking action, and the public interest in regulatory action being taken. The most serious regulatory actions will normally be used either where there is a pattern of breaches or where a breach is a serious or high risk case.
Assessment, Enforcement and Penalty Notices
The Data Protection Bill provides the ICO with extended powers with respect to the service of Assessment Notices, Enforcement Notices and Penalty Notices. The Policy provides some more detail concerning how the ICO intends to use these powers.
Assessment Notices are used to conduct a compulsory audit of an organisation’s data processing activities. In outline, the Policy states these will be issued where it is apparent there has been a breach within the organisation, or where it is necessary to gauge compliance with an Enforcement Notice. The Policy also sets out the way in which assessments will be carried out. Alongside reviewing relevant compliance documents (such as policies and training material) and assessing the organisation’s data protection activities, the ICO may interview relevant staff and contractors.
Enforcement Notices will continue to be issued to mandate or halt action to bring about compliance with information rights and/or remedy a breach. The Policy makes it clear that such notices may be required for repeated failures to meet information rights obligations (for example, repeated delays in responding to a subject access request); non-compliant third country transfers or processing; or when there is a need for the ICO to require that a data breach is communicated to those affected by it.
The Policy sets out when Penalty Notices will be used and how they will be quantified. Penalty Notices will be reserved for the most serious cases, “representing the most severe breaches of information rights obligations. These will typically involve wilful, deliberate or negligent acts, or repeated breaches of information rights obligations, causing harm or damage to individuals”. The value of a Penalty Notice will be calculated to reflect the scale and severity of the breach and any financial gain from it, and to provide a deterrent effect to others. Mitigating factors, which explicitly include the organisation’s ability to pay, may reduce this amount.
What to expect next
On one hand, it is reassuring to know that the ICO will be reserving the most serious penalties for the most serious and persistent breaches. On the other, with increased powers enabling the ICO to check quickly and simply whether an organisation is processing data in compliance with the law, all organisations should ensure both that they comply with the law and that they can demonstrate that compliance.