The UK data protection watchdog, the Information Commissioner’s Office (ICO), has published a Data Protection Regulatory Action Policy, setting out factors the ICO will consider when deciding whether to initiate enforcement action and what form it should take. The policy should assist organisations with understanding the enforcement process and the risks of non-compliance with the UK Data Protection Act 1998.
Regulatory action by the ICO covers each type of enforcement power, including criminal prosecution, monetary penalties, undertakings, enforcement orders and, for the public sector, compulsory audits. The ICO will continue to publicise the non-confidential details of regulatory actions taken.
The ICO will consider a number of factors when deciding whether to undertake any enforcement, including the following key issues:
- Deliberate or persistent non-compliance
- Gravity of impact of non-compliance
- Volume of individuals adversely affected
- Enforcement is required to clarify an important point of law or principle
- Enforcement is necessary to set an example because (i) the non-compliance relates to a representative of a particular sector or activity; or (ii) the non-compliance is of a novel, precedent-setting or particularly intrusive nature
- Whether the organisation in question had a deliberate, wilful or cavalier approach
The policy reinforces the manner in which the ICO currently undertakes enforcement action in that organisations will continue to have an opportunity to make representations before the ICO makes a final determination about whether regulatory action is warranted.
In determining which of its enforcement powers to exercise, the ICO will consider the actual or potential detriment caused by non-compliance. To assess this, the ICO will focus on:
- Issues of general public concern (including those raised in the media)
- Concerns that arise because of the novel or intrusive nature of particular activities
- Concerns raised with the ICO in complaints that it receives
- Concerns that become apparent through the ICO’s other activities
An interesting aspect of the policy is the degree to which the ICO will consider market factors. For instance, strong regulatory action may be less likely where the non-compliance occurs in markets which regulate themselves. In practice, this means that the ICO is likely to pay less attention to industries where compliance with data protection laws can give an important competitive advantage and where competition is fiercer. In contrast, regulatory action is more likely to continue in the public sector, which cannot be adequately regulated by market factors.
Lastly, the policy makes some effort to encourage more businesses to agree to voluntary audits. The ICO makes it clear that it views audits as a “constructive process with real benefits for data controllers.” Businesses agreeing to an audit will benefit from the help of trained and competent ICO auditors and from the fact that the ICO will not impose any monetary penalty for contraventions discovered in the process.