Skip to content
LegalVision UK

Who Are the ICO and How Can They Affect the Running of Your Business in England?   

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

Your company can only process information following the data protection rules of England. The General Data Protection Regulation (GDPR) and the Data Protection Act govern these rules in the UK. The Information Commissioner’s Office (the ICO) is an independent body that enforces these data protection rights. This article will explain the identity and purpose of the Information Commissioner’s Office to ensure your business complies with data privacy rules and avoids financial penalties.

What is the Purpose of the ICO?

The ICO has several essential duties concerning data protection law, which include:

  • providing detailed guidance on data protection principles and obligations on their website;
  • investigating GDPR-related complaints; and
  • issuing fines to companies who commit personal data breaches and fail to follow good practices when processing personal data.

Let us explore each in turn below.

ICO Guidance on Data Protection Issues

The ICO’s website provides usual information on rights and how to process employee, customer and third-party data. For example, the ICO’s Employment Practices Code is a valuable guide to handling information relating to recruitment, employee records and staff monitoring. In addition, the ICO will consider how your business processes personal data.

The definition of processing is extensive and can include any or all of the below:

  • storage;
  • recording;
  • retrieval;
  • disclosure;
  • alteration; and
  • deletion.

It is easy to see how the ICO can intrude into your company’s affairs upon receiving complaints relating to the above. 

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Who Does the ICO Investigate?

The ICO exists to investigate any data protection-related complaints against a company. Such complaints usually concern alleged breaches of the UK GDPR.

The most common situations in which your company could face an ICO investigation include:

  • failure to correctly handle a Subject Access Request;
  • using personal information without consent or lawful purpose;
  • failing to report an applicable personal data breach to the ICO within the relevant 72-hour window; and
  • unlawful monitoring of staff at work.

The ICO will grade data protection breaches differently depending on their severity. Thus, they will consider a lesser punishment for a one-day delay for a Subject Access Request than an intentional failure to report a significant personal data breach.

ICO Fines

If the ICO investigation determines your business breaches data protection rules, your company may receive a fine. The maximum ICO fine is £17.5m (or 4% of annual global turnover). Realistically, most ICO fines range between thousands or tens of thousands. This is still a lot of money for your business and worth taking steps to avoid. After all, it only requires your company to practise good data management and follow the guides on the ICO website to avoid financial penalties.

Suppose your company commits a minor data protection breach, but the ICO believe it was unintentional, and your organisation was doing its best to comply. In that case, the ICO can choose to provide a written warning letter instead.

Key Takeaways

The ICO acts as the referee for data protection purposes in England. If your organisation commits a data protection breach, the ICO has the power to issue a fine. In doing so, it will consider the public interest and its role in protecting the data of individuals. Your business must be aware of the ICO and its GDPR compliance guides to ensure you have all the facts. Unfortunately, arguing that you had no prior knowledge of your company’s data protection obligations is a poor excuse.

If you need help with data protection rules and ensuring good relations with the ICO, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership.  For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents.  Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What types of situations come under ‘monitoring at work’ investigations?

This typically relates to complaints about inappropriate CCTV surveillance at work. There are rules to protect staff against secret audio or video surveillance in the workplace other than in specified circumstances. Apart from extreme cases, your company is usually required to signpost all CCTV cameras in the workplace.

When does my organisation have to report a ‘personal data breach’?

When personal data and information get into the wrong hands and could cause harm. For example, suppose someone hacked your workplace network and took your employees’ details (such as full name, address and date of birth). This would put them at risk of identity theft, requiring you to refer this to the ICO.

Register for our free webinars

A Roadmap to Business Success: How to Franchise in the UK

Online
Learn the formula for successfully franchising your UK business. Register for our free webinar today.
Register Now

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

4 Common Challenges Your Company Will Face With the GDPR in the UK

How Does GDPR Affect My Business?

When Could Your Business Face a Fine From the ICO for Breaching the GDPR in the UK?

Four Tips to Safely Handle Subject Access Requests in England

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times