Images of the Information Commissioner's Office (ICO) entering and searching Cambridge Analytica's offices recently appeared in the media. We look at what enforcement powers are available to the ICO.

The UK Information Commissioner, Elizabeth Denham, and her office have traditionally held a relatively low public profile while undertaking the function of regulating the use of information in the UK.

However, recent events and the upcoming General Data Protection Regulation (GDPR) may have left many business leaders wondering under what circumstances Elizabeth Denham and her ICO investigators could be seeking (and able to gain) entry to premises or issue substantial financial penalties.

The ICO's existing enforcement powers under the Data Protection Act 1998 (DPA) are significantly extended under the Data Protection Bill (the Bill), which is due to replace the DPA later this year.

Request information

  • Data Protection Act 1998: The ICO can serve information notices requiring organisations to provide specified information within a certain time period.
  • Changes under the Data Protection Bill: Introduces a new offence for making a false statement in response to an information notice served by the ICO.

Conduct onsite assessments

  • Data Protection Act 1998: The ICO can serve an assessment notice requiring government departments to permit the Commissioner to enter premises, access documents and interview specified persons.
  • Changes under the Data Protection Bill: Broadens the ICO’s inquisitorial powers to all data controllers and processors.

Enforcement notices

  • Data Protection Act 1998: The ICO can issue undertakings committing an organisation to a particular course of action (i.e. take steps or refrain from taking steps), in order to improve its compliance. Enforcement notices may include an absolute ban on the processing of personal data.
  • Changes under the Data Protection Bill: Absolute bans on processing data are limited to circumstances where failure relates to breaches of an individual’s rights.

Penalty notices

  • Data Protection Act 1998: The ICO can issue penalty notices requiring payment for serious breaches of the DPA principles. The maximum fine is £500,000.
  • Changes under the Data Protection Bill: The ICO can impose penalty notices for a wider range of failures, including failure to comply with an information notice, assessment notice or an enforcement notice. The level of fines has increased to up to £20 million or 4% of annual worldwide turnover, whichever is higher.

The ICO’s enforcement powers are not unfettered under the Bill – the following procedural requirements remain:

  • Unlike the Competition and Markets Authority and Serious Fraud Office, the ICO must obtain a warrant in order to conduct a dawn raid.
  • ‘Urgent’ information and assessment notices (that do not require a period for appeal) require a minimum of seven days’ notice.
  • Before issuing a fine, the ICO must give notice outlining the reasons for any intended penalty and providing the recipient with the opportunity to respond.

When will the ICO use these powers of enforcement?

The ICO can take action where it considers it necessary to change the behaviour of organisations and individuals that collect, use and keep personal information. As illustrated by WhatsApp giving a public commitment not to share personal data with Facebook until it can do so in compliance with GDPR (following an ICO investigation in early 2018), the ICO has several methods of enforcement available to it that range from requiring a commitment to changing behaviour to imposing a monetary penalty.

In the first three months of 2018, the ICO announced that it had taken action against 23 individuals or entities, demonstrating that it is willing to enforce data protection legislation. From 25 May, the ICO will benefit from its extended enforcement powers. It has made it clear that there will be no ‘grace’ period; its regulation under the GDPR is to start from this date.