ICO Regulatory Action Policy

This blog post looks at the Regulatory Action Policy published by the ICO on 04 May 2018.

19 June 2018

Publication

While firms were rushing towards GDPR compliance for 25 May 2018, the ICO quietly published its Regulatory Action Policy in draft on 04 May 2018, a document that aims to provide “direction and focus” for the ICO’s intended risk-based approach to regulatory action. Although the Policy has been largely overlooked by the media (who prefer the more salacious news of data breaches), it contains important information for firms with exposure to data privacy enforcement (in other words, any firm that holds personal data).

What does the Policy aim to do?

The Policy aims to:

  • provide a single location setting out the ICO’s powers and when and how it will use these powers
  • ensure that regulatory action is taken in a fair, proportionate and timely fashion to ensure that individuals’ information rights are properly protected
  • guide the ICO and its staff in ensuring that any action is targeted, proportionate and effective, and
  • assist in the delivery of the six goals set out in the ICO’s Information Rights Strategic Plan, and uphold information rights effectively for individuals in the digital age.

How will the ICO use its powers?

The Data Protection Act 2018 introduces new powers for the ICO, including the right to issue information notices to individuals as well as organisations and, where it is appropriate and proportionate to do so, the right to issue “urgent” notices that must be complied with within 24 hours. The ICO can also inspect and assess compliance without notice, and it is a criminal offence for an organisation to destroy or alter information that the ICO has requested under warrant.

The ICO is clearly seeking greater engagement from organisations and will have the ability to quickly check that an organisation is processing data in compliance with the law. Given the speed with which the ICO can act and demand responses, it is important that organisations can quickly respond to ICO engagement and demonstrate their compliance with data protection laws.

Will the ICO really impose those huge penalties under the GDPR?

It is well known that, under the GDPR, the ICO may levy penalties of up to 4% of an organisation’s annual global turnover or £17m, whichever is greater. However, it does not appear that the ICO will be frequently handing out penalties even close to those levels: the Policy states that penalties over the threshold of £1m will be “very significant”.

What does the ICO care about?

The ICO has provided a list of its regulatory priorities for 2018-2019, including:

  • large scale data and cyber security breaches that involve financial or sensitive information
  • AI, big data and automated decision making
  • web and cross device tracking for marketing (including for political purposes)
  • privacy impacts for children (including Internet of Things connected toys and social media/marketing apps aimed at children)
  • facial recognition technology applications
  • credit reference agencies and data broking
  • use and sharing of law enforcement data, including intelligence systems, and
  • right to be forgotten/erasure applications.

Specifically, in the case of data breaches, the Policy makes clear that “more serious, high-impact, intentional, wilful, neglectful or repeated breaches” should expect stronger regulatory action, as should breaches that involve novel issues, technology or a high degree of intrusion into the privacy of individuals.

Consultation deadline: 28 June 2018

The ICO is running a public consultation on the Policy, ending on 28 June 2018. If you need any assistance with your firm’s submission, please contact our Data Security team.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.