Who Are the ICO and How Can They Affect the Running of Your Business in England?   

Your company can only process information following the data protection rules of England. The General Data Protection Regulation (GDPR) and the Data Protection Act govern these rules in the UK. The Information Commissioner’s Office (the ICO) is an independent body that enforces these data protection rights. This article will explain the identity and purpose of the Information Commissioner’s Office to ensure your business complies with data privacy rules and avoids financial penalties.

What is the Purpose of the ICO?

The ICO has several essential duties concerning data protection law, which include:

• providing detailed guidance on data protection principles and obligations on their website;
• investigating GDPR-related complaints; and
• issuing fines to companies who commit personal data breaches and fail to follow good practices when processing personal data.

Let us explore each in turn below.

ICO Guidance on Data Protection Issues

The ICO’s website provides usual information on rights and how to process employee, customer and third-party data. For example, the ICO’s Employment Practices Code is a valuable guide to handling information relating to recruitment, employee records and staff monitoring. In addition, the ICO will consider how your business processes personal data.

It is easy to see how the ICO can intrude into your company’s affairs upon receiving complaints relating to the above. 

Who Does the ICO Investigate?

The ICO exists to investigate any data protection-related complaints against a company. Such complaints usually concern alleged breaches of the UK GDPR.

The most common situations in which your company could face an ICO investigation include:

• failure to correctly handle a Subject Access Request;
• using personal information without consent or lawful purpose;
• failing to report an applicable personal data breach to the ICO within the relevant 72-hour window; and
• unlawful monitoring of staff at work.

ICO Fines

If the ICO investigation determines your business breaches data protection rules, your company may receive a fine. The maximum ICO fine is £17.5m (or 4% of annual global turnover). Realistically, most ICO fines range between thousands or tens of thousands. This is still a lot of money for your business and worth taking steps to avoid. After all, it only requires your company to practise good data management and follow the guides on the ICO website to avoid financial penalties.

Suppose your company commits a minor data protection breach, but the ICO believe it was unintentional, and your organisation was doing its best to comply. In that case, the ICO can choose to provide a written warning letter instead.

Key Takeaways

The ICO acts as the referee for data protection purposes in England. If your organisation commits a data protection breach, the ICO has the power to issue a fine. In doing so, it will consider the public interest and its role in protecting the data of individuals. Your business must be aware of the ICO and its GDPR compliance guides to ensure you have all the facts. Unfortunately, arguing that you had no prior knowledge of your company’s data protection obligations is a poor excuse.

If you need help with data protection rules and ensuring good relations with the ICO, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership.  For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents.  Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions