Data protection laws in the UK state that your business must safely handle, store and distribute personal data and sensitive information. The Information Commissioner’s Office (ICO) is the independent supervisory authority which ensures your business complies with data protection law. It can investigate alleged breaches of data protection laws such as the GDPR and issue your organisation a hefty fine. This article will explain when the Information Commissioner’s Office may investigate your company for breaching data protection law. This will help you to take appropriate action to avoid an investigation and potential enforcement action, which can include substantial fines from the ICO.
ICO’s Role
One of the primary purposes of the ICO is to act when your business fails to do any of the following:
- provide quick responses to Subject Access Requests (SARs);
- correctly handle personal data of staff, customers or third parties;
- limit staff monitoring in the workplace to a reasonable level;
- correctly store, amend and delete employee records and data;
- avoid disclosing personal information outside your business without the consent of that person (except for legal reasons); and
- report serious personal data breaches to the ICO within 72 hours.
When your company acts in a way that fails to meet any of the above requirements, it risks triggering an ICO investigation which could ultimately lead to a fine.
ICO Investigations
The ICO may start an investigation to audit your company. But, more commonly, it will begin an investigation following an individual lodging an online complaint against your organisation.
The most common ICO complaints against companies include the following:
- failure to correctly handle a Subject Access Request (otherwise known as a SAR) in breach of the GDPR;
- unreasonable monitoring of employees at work;
- using sensitive personal information without consent or lawful purpose; and
- failing to report a serious personal data breach to the ICO within 72 hours.
When the ICO carries out an investigation, it will:
- contact you to inform you of its concerns and any alleged breach of GDPR rules;
- ask you questions to aid its investigation;
- potentially ask for specific data from you; and
- conclude its investigation by deciding whether your business has breached data protection rules.
If the ICO decides that your company has committed a data protection breach, it will then determine whether to issue your business with a penalty notice.
Mitigating Circumstances
The ICO wants to help and encourage your company to process data safely, so it does not wish to impose unnecessary fines when a lesser sanction could have the same effect. Therefore, for a minor breach the ICO may issue a direction to take remedial action rather than automatically issuing you a fine. For example, remedial action might include your business implementing company policies to avoid future data breaches.
The ICO will treat the following as mitigating circumstances:
- your business making a genuine effort to follow data protection rules (including any appointment of a Data Protection Officer);
- where your company has not committed a breach or received a fine before;
- when you have provided staff training and have written policies to encourage good data handling by staff; and
- whether the actual harm to individuals (known as data subjects) was minor.
Penalty Notice Cost
The largest fine the ICO can issue is £17.5m (or 4% of your annual global turnover). This maximum penalty is intentionally high to deter companies, like yours, from breaching data protection laws.
However, in reality, the ICO will grade different data protection breaches according to their seriousness. So, for example, it will issue a smaller fine for the unlawful disclosure of ten individuals’ home addresses outside the company than for a leaked document on the internet containing the full names, home addresses, dates of birth and medical information of 1,000 employees. The latter breach is much more severe because of the sensitive information involved, which increases the risk of identity theft for those individuals.
Guarding Against ICO Fines
You must have complete knowledge of the data protection requirements that apply to your company to guard against receiving an ICO fine. Thankfully, the ICO website contains several handy, easy-to-read guides covering everything from handling Subject Access Requests to when to report a personal data breach to the ICO.
Key Takeaways
Your business must comply with data protection laws such as the GDPR. You must ensure that you handle and store data correctly. Otherwise, you will likely face an investigation by the ICO. This could result in a fine, though you may receive a less severe sanction if you can demonstrate you made genuine efforts to comply with your data obligations.
If you need help with data protection rules and ICO investigations into an alleged breach of the GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Yes, the ICO will consider relevant mitigating circumstances, including a genuine intent to follow data protection rules.
The ICO considers your business to ‘process’ data when it stores, records, discloses, retrieves, alters or deletes the information. Given how broad this definition is, it is easy to see how the ICO can become involved in any alleged breach of data protection law.