The Information Commissioner’s Office (‘ICO’) has released draft statutory guidance for public consultation dealing with its various enforcement and investigation powers, and when and how they will be applied. Comments on the draft were invited until the 12th November 2020.
While the document will likely face review after the consultation, it is an interesting insight into the ICO’s priorities and decision making.
The ICO, applying the General Data Protection Regulation (‘GDPR’) by virtue of the Data Protection Act 2018, can levy fines of up to €20 million or 4% of annual turnover, whichever is greater. The ICO is currently guided by its Regulatory Action Policy (‘RAP’), and the new guidance will eventually sit alongside the RAP.
To date the ICO has taken a fairly cautious approach and has avoided exercising its full powers, but it is increasingly handing out bigger fines (see, for example, the British Airways penalty discussed below).
Of particular note, the ICO is driven by the degree of risk in a breach. The greater or wider the potential harm, the greater the penalty/action required. While harm itself is a factor, a lack of harm is not a lack of breach or severity. For example, the loss of data within an organisation (perhaps due to corrupt files) would likely be treated less severely than the same data escaping the organisation’s control entirely, but could still have posed a great risk.
The ICO has access to the following options where it feels there has or may have been a data privacy breach:
- Information notice
- Assessment notice
- Enforcement notice
- Penalty notice
- Fixed penalty
An information notice is a formal request from the ICO for further details about an area of concern. While an information notice isn’t a penalty as such, it can lead to further enforcement if not complied with. Properly handling an information notice could also shape any further investigation or regulatory action (or lack thereof) down the line.
When responding to an information notice, any reply will need to be carefully considered as it will likely set the tone and scope of any further investigation.
An assessment notice is the next level of investigation, and focuses specifically on compliance with data protection legislation. This might cover access to premises, or to specified documentation and equipment. It will likely include direct inspection and examination by the ICO, and may include interviews. As with information notices, carefully considered and strategic replies can save a great deal of cost and concern later down the line.
Following an assessment notice, the ICO will produce and share an audit report, and potentially recommend formal enforcement action. Executive summaries of such audits are posted on the ICO’s website. The reports themselves will identify areas for improvement for the organisation in question – swift compliance will serve to ward off any subsequent investigation.
An enforcement notice is one of two major enforcement powers the ICO has, requiring compliance with the contents of the notice. The notice itself will set out actions, timescales and any appeal/challenge processes.
These actions can be significant, and vary from provisions for improving technical security, to more fundamental changes in a business’ behaviour and products. For example, the recent Experian notice requires that Experian stop offering certain products altogether. As such, an enforcement notice has the potential to be a far more severe penalty than any monetary fine.
Occasionally, the ICO will provide a preliminary version of the notice, to invite the organisation in question to comment on it in advance.
The ICO will look to levy a penalty where an enforcement notice has not been complied with; if any non-compliance is negligent or intentional, the fines are likely to be significant.
The ICO also has the power to levy fixed penalty notices for certain matters, such as failing to correctly register as a data controller.
As a general rule, the ICO reserves penalty notices for the most serious of cases, especially where there has been a high degree of negligence or an intentional breach.
As mentioned earlier, these penalties can be significant; they will generally be calculated with attention paid to the following steps:
- Seriousness of the breach
- Level of culpability of the organisation in question
- Determination of the turnover of the organisation
- Calculation of an appropriate starting point
- Aggravating/mitigating features
- Consideration of the organisation’s financial means
- Assessment of the economic impact of any penalty
- How effective, proportionate and dissuasive such a penalty would be
- Whether any early payments have been made
It is worth noting that the ICO will invite representations from the organisation in question before finalising the penalty sum – in particular, the recent proposed fine against British Airways was reduced from £183.39m to £20m following successful advocacy and the provision of further data and details of the attack.
The new draft guidance offers real insight into the tools available to the ICO, and opportunities to minimise the disruption caused by any investigation, as well as to accurately estimate any regulatory action from the start.
More than anything, the guidance shows the importance of having a comprehensive plan in place to handle any breach, and the importance of responding quickly, accurately and strategically to any enquiries from the ICO.
If your organisation is either facing or looking to prevent the need for an ICO investigation, Ashfords’ Business Risk and Regulation team can help, from drawing up systems and procedures to advising on investigations and corresponding with the ICO.
For more information on the article above please contact Ben Derrington.