News & Analysis


ICO Consults on Increased Powers under Data Protection Reform

The Information Commissioner’s Office (ICO) has launched a consultation to gather views on how it plans to exercise new regulatory powers to carry out fast-moving, detailed investigations in the public interest. Stakeholders and the public have until the end of June to comment on the ICO’s Draft Regulatory Action Policy. The ICO’s approach is designed to help create an environment that ensures the protection of data subjects while allowing businesses to operate and innovate efficiently in the digital age.

The Policy sets out a risk-based approach to taking regulatory action against organisations and individuals that have breached the provisions of the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations 2003, the Freedom of Information Act 2000, and related legislation. The document focusses on areas of highest risk and most harm, and describes the principles the ICO applies in exercising its powers.

The five objectives the ICO would try to meet when considering whether to take action are:

  • To respond swiftly and effectively to breaches of legislation;
  • To be effective, proportionate, dissuasive, and consistent in the application of sanctions;
  • To support compliance with the law;
  • To be proactive in identifying and mitigating new or emerging risks arising from technological and societal change;
  • To work with other regulators and interested parties constructively.

The ICO is planning to adopt a selective approach to the action to take, considering criteria such as:

  • The nature and seriousness of the breach or potential breach;
  • The categories of personal data affected and the level of any privacy intrusion;
  • The number of individuals affected and the extent of any exposure to physical, financial, or psychological harm;
  • Whether it is a new or a repeated issue;
  • The gravity and duration of a breach;
  • The public interest in regulatory action being taken; or
  • Whether another regulator is already taking action.

As a general principle, the more serious, high-impact, intentional, wilful, neglectful, or repeated breaches can expect stronger regulatory action. Breaches involving novel issues, technology, or a high degree of intrusion into the privacy of individuals can also expect to attract regulatory attention at the upper end of the scale.

The power to levy penalties of up to 4% of annual turnover or 20 million EUR, whichever is greater, has come through the GDPR; other powers introduced by the new Data Protection Act include no-notice inspections, compelling people and organisations to hand over information, and making it a criminal offence to destroy, falsify or conceal evidence.

For the coming year, the ICO has identified the following areas as priorities for action:

  • Large-scale data and cyber security breaches involving financial or sensitive information;
  • AI, big data, and automated decision-making;
  • Web and cross-device tracking for marketing (including for political purposes);
  • Privacy impacts for children (including Internet of Things connected toys and social media/marketing apps aimed at children);
  • Facial recognition technology applications;
  • Credit reference agencies and data broking;
  • Use and sharing of law enforcement data, including intelligence systems; and
  • Right to be forgotten/erasure applications.

The online survey closes on 28 June. The revised Policy will be subject to Parliamentary consideration and final approval. It will then be updated to reflect any amendments to legislation, including implementation of a new e-Privacy Regulation, and once the final post-Brexit settlement between the EU and the UK is confirmed.