ICO consults on its draft “Statutory guidance on our regulatory action”
What can data controllers and processors learn about the ICO’s approach to regulatory action from its proposed new guidance (the Guidance)?
The key takeaway
The Guidance, once finalised following the consultation, will provide some necessary clarity as to how the ICO will monitor and enforce compliance with data protection legislation. In the meantime, the draft Guidance gives organisations a sneak preview into what action could be taken against them and in what circumstances following a suspected breach. Organisations would do well to familiarise themselves with the ICO’s suggested approach at this early stage.
In October 2020, the ICO launched a public consultation on its draft Statutory guidance, which details how it will regulate and enforce data protection legislation in the UK in relation to information notices, assessment notices, enforcement notices and penalty notices; a step that it is required to take under the Data Protection Act 2018. The document aims to support the ICO’s primary responsibility of ensuring compliance with data protection legislation and goes on to explain the ICO’s powers in relation to the above notices, in which circumstances it will use these powers and how it calculates fines. The Guidance seeks to provide certain assurances to businesses that it will use its powers proportionately and consistently.
Notably, the document sets out its risk-based approach to taking regulatory action against organisations and individuals that have breached the provisions of data protection law. The ICO’s primary focus is on the areas of highest risk where the most harm is likely to occur and the core principles it will apply when exercising its powers.
The consultation sets out the current updated guidance in relation to the following notices:
- An information notice requires that a data controller, processor or individual provides the ICO with information to help it with its investigations within a specified time.
- It is served at the ICO’s discretion considering what is appropriate and proportionate (including the risk of harm to individuals or the level of intrusion into their privacy).
- Regarding time periods in which the information must be provided (or if an urgent information notice will be issued), the ICO will take into account the extent to which urgent investigation may prevent or limit the risk of serious harm or serious intrusion and, in particular, the extent to which it may prevent the alteration, destruction, concealment, blocking, falsifying, or removal of relevant evidence of data processing.
- If the recipient fails to respond within the allocated timeframe, the ICO can apply to the court for an order requiring compliance. Whether an application is made depends on the reasons for non-compliance, any commitments that may have been given, what evidence is to hand, whether the information can be obtained from another source, and the public interest. Even so, the ICO can still consider issuing a penalty notice (see below).
- An assessment notice requires that a data controller or processor allows the ICO to consider whether they are compliant with legal requirements or not. This can include requiring access to premises and/or specified documents and equipment.
- Such a notice may be issued where it is necessary to verify compliance with an enforcement notice (see below) or if the controller or processor has failed to comply with an information notice.
- The ICO states that it may require access to specific documents and/or information which indicate how companies have complied with the legislation and what governance measures they have put in place to monitor their compliance. The ICO may require access to documents covered by privilege, that are commercially very sensitive or that are exempt from the DPA in the interests of national security. However, it will only access the minimum amount of information needed to complete its assessment.
- The ICO will consider whether objectively the organisation has complied with the legal requirements, covering manually and electronically stored data, data stored locally and on mobile devices and media, as well as control information and physical and IT-related security measures, including how personal data is stored and disposed of.
- The ICO may issue an enforcement notice if a data processor or controller has breached one of the data protection principles. The notice will require the organisation to take specific action in order to become compliant again. Failure to comply with such a notice may lead to further action, including penalty notices.
- These notices will usually be appropriate where the organisation has repeatedly failed to meet information rights obligations, if there are serious ongoing infringements to people’s rights, or where the processing or the transfer of information to a third country fails to meet the requirements of the DPA and GDPR.
- The timeframe in which such notices may be sent will typically reflect the imminence of proposed action, the severity and scale of any breach or compliance failings and the feasibility of correcting measures or technology.
- If data processors or controllers fail to comply with data protection legislation or with the ICO’s notices, the ICO can issue a penalty notice indicating its intention to issue a fine.
- The Guidance notes that the ICO will reserve these powers for the most serious breaches, typically consisting of intentional or negligent acts or repeated breaches, which cause damage to individuals, or for non-compliance with the above notices. Penalty notices can also be issued if an organisation repeatedly fails to rectify identified problems or follow the ICO’s recommendations.
- However, before the ICO issues a penalty notice, it will first issue a Notice of Intent advising an organisation that it intends to serve it with a penalty notice. This gives the recipient 21 days to give a written response about the proposed penalty and its amount.
- The Guidance also addresses the calculation of any penalties, which will depend on the type of breach and whether the “standard maximum amount” or “higher maximum amount” applies. It will also depend on factors such as the seriousness of the contravention, the degree of culpability, the ICO’s determination about turnover, any aggravating or mitigating factors, the economic impact of the fine, and the effectiveness, proportionality and dissuasiveness of any penalty.
Why is this important?
The Guidance will give organisations clarity on what type of action the ICO can take, in what timeframes those actions might be taken, and what the ultimate consequences will be for non-compliance with data protection law or with the ICO’s notices.
While the consultation has already ended, the Guidance will change and evolve according to the feedback given by stakeholders, and, once published, it will be hugely important to all organisations that process or handle data.
Any practical tips?
Organisations that process personal data should keep careful tabs on their legal obligations and ensure that proper action is taken if any notices are issued against them, to avoid steep financial penalties. They should make sure that all necessary mitigation steps are taken in the event of a breach in order to minimise the potential penalty. One preventative step that organisations should consider taking is to ensure that a core data response team is in place and fully trained, so that mitigation and response processes can be deployed as quickly as possible, thereby minimising disruption to management and wider business operations.