Every business in the UK should be aware of the ICO’s powers and how they may affect you. The Information Commissioner’s Office (ICO) is the independent regulator that helps organisations in the UK comply with data protection law and enforces the UK GDPR and the Data Protection Act 2018. This article explains the enforcement powers available to the ICO so that your company knows the potential penalties it may face after a data breach or another failure to comply.
When Will the ICO Start an Investigation?
One of the ICO’s main aims is to ensure compliance with data protection rules, so the general public has confidence that you will handle their data safely.
The ICO may investigate your business if it suspects any of the following:
- data breaches involving personal data of individuals;
- failure to delete sensitive information when it has served its purpose;
- unfair or unreasonable staff monitoring in the workplace;
- failure to correctly handle subject access requests (SARs);
- unsafe storage of employee information and personal information;
- failure to report a personal data breach to the ICO within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals; or
- disclosure of personal or sensitive information outside your business without the consent of the relevant individuals (or any lawful reason).
The ICO website confirms that it aims to handle any breach of the rules fairly and proportionately. As such, it will consider all mitigating circumstances before using its enforcement powers.
What Will an ICO Investigation Involve?
At the start of any investigation, the ICO will set out in writing its concerns and the alleged breach of data protection rules. It may ask some initial questions to aid the investigation and request specific information from your business.
For example, suppose your company fails to report a data breach to the ICO within 72 hours. The ICO may conclude that your organisation is in breach of the UK GDPR and will then consider the most appropriate enforcement action against your business.
ICO’s Enforcement Powers
If the ICO finds that your business has failed to follow data protection rules, it has several enforcement options. These include:
- requiring you to take remedial action to avoid future breaches;
- requiring you to develop an improvement plan that demonstrates how you will prevent the same mistakes recurring; or
- issuing a monetary penalty notice (a fine) of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.
In serious cases, the ICO may use more than one of these options. However, when deciding which enforcement power is appropriate, it will weigh all mitigating circumstances.
Mitigating Circumstances
The ICO aims to help businesses handle data safely rather than unduly punish them. Therefore, it will always consider remedial action for minor breaches. Additionally, when deciding on appropriate enforcement action, the ICO will take into account:
- whether your business has made a genuine effort to follow data protection rules;
- the extent of the harm to the individuals affected;
- whether your organisation has appointed a data protection officer;
- whether this is the first offence; and
- whether you provide staff training and have written policies to encourage good data handling by staff.
What If I Receive a Fine?
Outside of exceptional circumstances, most penalties are in the thousands of pounds and depend on the seriousness of the breach. For example, the ICO will impose a much smaller fine on a small business that accidentally publishes the home addresses of its ten employees online than on an international company that leaks 1,000 employee addresses. This is because the harm to the public (and to the employees concerned) is far greater when many more individuals are affected.
Key Takeaways
The ICO website provides the tools to avoid enforcement action through its written guides on data protection. A helpful example is the ICO Employment Practices Code, which can guide you through the proper handling of staff information. However, while the ICO will consider mitigating circumstances and a genuine effort to comply with the UK GDPR, it retains the discretion to fine non-compliant businesses.
If you need help with data protection rules and ICO investigations into alleged breaches of data protection rules, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Your business is bound by the rules within the Data Protection Act 2018. Fortunately, these largely overlap with the UK GDPR, so you can work towards compliance by following the ICO’s GDPR guidance on its website.
Unless your business can show mitigating circumstances or that the breach was minor, the ICO will give serious consideration to a monetary penalty notice. While the ICO aims to educate companies, it also has an enforcement role.