Trends in ICO Enforcement

A deep dive into ICO enforcement actions over the last 12 months – and what they tell us about the consequences facing businesses that do not comply with UK data protection laws.

The Information Commissioner’s Office (ICO) supervises compliance with data protection laws in the UK for both individuals and organisations. Alongside its arsenal of tools to inform, guide and monitor standards of data protection compliance are a range of enforcement powers, including assessment notices, warnings, reprimands, enforcement notices and penalty notices (fines).   

What is a reprimand?

A reprimand is a warning issued to an organisation deemed to be infringing UK data protection legislation. From January 2022, the ICO has published all reprimands unless “there is a good reason not to” such as issues of national security or investigations.

Over the 12-month period we looked at, reprimands were the most used form of formal ICO action, most commonly in the public sector – together, criminal justice, local government, central government and health alone comprise 63% of reprimands issued. Reprimands were often issued for inadvertent or careless release of personal data to the public or unintended persons, as well as for a lack of appropriate procedures, security measures or training being in place to protect personal data.

What are enforcement notices?

The next most common form of enforcement action was the “enforcement notice”, which requires an organisation to resolve breaches (sometimes on an urgent basis, i.e. within 24 hours’ notice). These actions were most often faced by private sector organisations, most frequently (30%) in the marketing sector, often due to unsolicited direct marketing calls or text messages.

What are monetary penalties?

In a word: fines. The ICO has the power to impose fines of up to 4% of global turnover for the most serious infringements. Again, marketing was a frequent contributor to these figures (27%), with unsolicited direct marketing calls or text messages a common cause. Penalties most frequently fell between £50,000 and £100,000 although four fines of over £200,000 were issued.

The ICO also has the power to issue a civil monetary penalty of up to £17.5 million or 4% of the total annual worldwide turnover of a party in the preceding financial year, whichever is higher.

Prosecutions

These are criminal prosecutions for offences under UK data protection legislation. Only two took place during the period.

Top tips for avoiding common data protection pitfalls

  1. Non-compliant marketing activity accounts for a large proportion of the cases dealt with by the ICO. Make sure you have the right to undertake the marketing activities in your business plan. To assist with this, ensure your privacy policy reflects your requirements and the correct consents are obtained from data subjects at the point personal data is collected. In the absence of consent, consider undertaking a Legitimate Interest Assessment to establish if you can rely on legitimate interest.
  2. Review your internal policies and procedures to make sure they reflect current best practices.
  3. Ensure staff receive role-specific training in data protection compliance requirements, including the correct handling of confidential information and what to do if things go wrong.

If you need any help with GDPR compliance, check out our Data Assist security audit tool or contact our Commercial & Technology team.
