Skip to content
LegalVision UK

What Enforcement Powers Does the ICO Have Against Your Business the UK?

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

Every business in the UK should be aware of the ICO’s powers and how they may affect you. The Information Commissioner’s Office (ICO) is an independent body aiming to help organisations in the UK comply with data protection law. They enforce the main rules within the General Data Protection Regulation (GDPR). This article will explain the enforcement powers available to the ICO to ensure your company is aware of the potential penalties it may face after a data breach.

When Will the ICO Start an Investigation?

One of the ICO’s main aims is to ensure compliance with data protection rules, so the general public has confidence that you will handle their data safely.

The ICO may investigate your business if the suspect any of the following activities:

  • data breaches involving personal data of individuals;
  • failure to delete sensitive information when it has served its purpose;
  • unfair or unreasonable staff monitoring in the workplace;
  • failure to correctly handle subject access requests (SARs);
  • unsafe storage of employee information and personal information; 
  • failure to report a serious data breach to the ICO within 72 hours; or
  • disclosure of personal or sensitive information outside your business without the consent of the relevant individuals (or any lawful reason). 

The ICO website confirms that they aim to handle any breach of the rules fairly and proportionately. As such, they will consider all mitigating circumstances when using their enforcement powers.

What Will an ICO Investigation Involve?

At the start of any investigation, the ICO will inform you of their concerns and any alleged breach of data protection rules in writing. They may ask you some initial questions to aid their investigation and request specific information from your business.  

For example, suppose your company fails to report a data breach to the ICO within 72 hours. They may conclude that your organisation is in breach of the GDPR. In that case, they will consider the best enforcement action against your business.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

ICO’s Enforcement Powers

If the ICO find that your business has failed to follow data protection rules, it has several possible enforcement options. These include:

  • asking you to perform a remedial action to avoid future breaches;
  • mandating you to develop a performance improvement plan to demonstrate intent to prevent future mistakes; or
  • issuing a fine of up to £17.5m or 4% of your annual turnover (whichever is higher).

In severe circumstances, the ICO may provide more than one of the above enforcement options.  However, when considering which enforcement power is best, it will consider all mitigating circumstances.

Mitigating Circumstances

The ICO aims to help businesses handle data safely rather than unduly punish them. Therefore, it will always consider remedial action for minor breaches. Additionally, when considering appropriate enforcement action, the ICO will also account for:

  • your business making a genuine effort to follow data protection rules;
  • the extent of harm to the individual;
  • whether your organisation has appointed a data protection officer
  • whether this is the first offence; and
  • whether you provide staff training and have written policies to encourage good data handling by staff.

What If I Receive a Fine?

Outside of exceptional circumstances, most penalties are in the thousands and depend on the seriousness of the breach. For example, the ICO will award a much smaller fine to a small business that accidentally discloses the home addresses of its ten employees online compared to an international company that leaks 1000 employee addresses.  This is because the harm to the public (and employees) is more significant as many more individuals are affected by the breach.

Key Takeaways

The ICO website provides the weapons to avoid enforcement action through its written guides on data protection. A helpful example is the ICO Employment Practices Code which can guide you through the best handling of staff information. However, while the ICO will consider mitigating circumstances and genuine effort to comply with the GDPR, it retains the discretion to fine non-compliant businesses. 

If you need help with data protection rules and ICO investigations into alleged breaches of data protection rules, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Should my company be aware of any other data protection legislation?

Your business is bound by the rules within the Data Protection Act. Fortunately, this overlaps with the GDPR, so you should ensure compliance by following the ICO’s GDPR guidance on their website.

How common are monetary penalties?

Unless your business can prove mitigating circumstances or show that the breach was minor, the ICO will strongly consider a monetary penalty notice. While the ICO aims to educate companies, they also have an enforcement role.

Register for our free webinars

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

4 Common Challenges Your Company Will Face With the GDPR in the UK

Does My Business Need a Cybersecurity Policy?

How Does GDPR Affect My Business?

Four Benefits of Your Company in England Having a Data Protection Officer

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times