What Data Protection Requirements Does the ICO Enforce in the UK?

Your organisation processes a large amount of information each day. In doing so, it must comply with the two primary data protection laws in the UK, which are the GDPR (General Data Protection Regulation) and the Data Protection Act. The Information Commissioner’s Office (ICO) is an independent organisation responsible for enforcing data protection rules. It acts to provide guidance, investigate alleged breaches, and issue financial penalties against companies where appropriate.

This article will explain the data protection requirements enforced by the ICO to ensure your company complies with those requirements and avoids fines from the ICO.

What Are the Main Duties of the ICO?

The ICO has several critical tasks concerning data protection law, which include:

• investigating GDPR-related complaints against companies;
• providing detailed guidance concerning data protection principles and obligations on their website; and
• delivering fines to organisations that commit personal data breaches and fail to follow good practices when processing personal data.

What Are the Main Data Protection Requirements Enforced?

The ICO exist to put weight behind UK data protection law. They act as the referee in considering potential fouls and the penalty to apply for them. But what data protection principles does the ICO seek to enforce?

The primary data protection requirements enforced by the ICO include:

• that all personal data obtained and processed by your business is done in a fair, lawful and transparent manner;
• that your business only obtains personal data for specified explicit and lawful purposes;
• that all personal data collected is adequate, relevant and not excessive in relation to the purpose for which it is processed;
• where you move personal data outside of the UK, doing so lawfully;
• swift and accurate responses to Subject Access Requests (SARs), data erasure or rectification requests and other data-related requests; and
• the need to report any serious ‘personal data breaches’ to the ICO within 72 hours.

Let us explore a few of these data protection requirements below.

Correct Handling and Processing of Personal Data

The main principles here involve only using personal data relating to customers, staff and third parties for a lawful reason or with their prior consent. It is helpful for your company to keep any written permission for record-keeping purposes.

In terms of personal data, you are expected to limit the information stored to the level required to perform the relevant service. Your company should not store excessive amounts of data. So if you need to collect information to send a free postal newsletter to an individual, you should take their name and home address. However, you should avoid requesting their National Insurance number or date of birth.

Lawful Sending of Information Outside the UK

Your company can only send information to a country outside the UK if you are satisfied that the relevant country has ‘appropriate safeguards’ in place and individuals in the country have enforceable data protection rights. This could include those countries granting their citizens effective legal powers against data protection breaches and the internet in that country not being state-monitored.

Correct Handling of Subject Access Requests

It is becoming more common for organisations to receive SARs from staff and customers, and the ICO has a handy guide for handling them on its website.

Overall, your company should:

• acknowledge receipt of the SAR;
• carry out a reasonable search for the materials requested (with a few exceptions, mainly where it would disclose the personal data of others); and
• provide the relevant information (in digital or written form) within the appropriate time period (usually one month).

Most ICO complaints concern companies that fail to comply within the one-month time limit.

Reporting Data Breaches to the ICO

The final main requirement is that your company must report any personal data breach to the ICO within 72 hours of it happening. One example of this would include a staff member accidentally sending a spreadsheet with the home addresses and full names of customers to the wrong email address, ending up in the wrong person’s hands. This would pose a risk to those people through potential identity theft.

What Can the ICO Do if My Company Breaches These Rules?

The ICO can hand down fines to organisations that breach data protection laws. The maximum fine level is very high and capped at £17.5m (or 4% of annual global turnover).

The ICO will grade different data protection breaches differently depending on their severity. In this way, they will consider a written warning (with no fine) for providing the results of a SAR to a staff member two hours later than the technical deadline in comparison. Conversely, they will likely issue a financial penalty for covering up (and failing to report) a major personal data breach to them.

Key Takeaways

The ICO acts as the referee for data protection purposes in the UK and applies penalties per the public interest. If your organisation breaches data protection law, the ICO is the body to decide on the level of punishment.

While the maximum fine level is scary, in reality, the ICO produces fines in the region of thousands or tens of thousands instead. This is still a lot of money for your business and worth taking steps to avoid. After all, it only requires your company to practise good data management and follow the guides on the ICO website to avoid financial penalties.

If you need help with data protection requirements and avoiding sanctions from the ICO, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership.  For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions