The General Data Protection Regulation (GDPR) is now in force.
Most organisations are on a journey towards compliance and are keen to know what to expect from the Information Commissioner’s Office (ICO) in terms of enforcement.
This article will look at the ICO’s Regulatory Action Policy, currently out for consultation, which describes the ICO’s approach to supporting and educating businesses towards compliance.
What can we expect from the ICO in terms of enforcing the GDPR?
The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. It will remain focused on keeping pace with the rapidly evolving world of technology and increasing public confidence in how individuals’ data is used.
The ICO’s mission is to explore new ways of protecting privacy, promoting good information governance and strengthening transparency and accountability. This includes a specific commitment to be an effective and knowledgeable regulator for cyber-security issues.
The Regulatory Action Policy sits under this over-arching mission and sets out the ICO’s plans for using its powers to be a supportive regulator, using education to help achieve enforcement.
Will there be large fines for non-compliance?
The ICO has always preferred the carrot to the stick and Elizabeth Denham, the Information Commissioner, has confirmed in her blog that this approach will continue and that predictions of massive fines under the GDPR are wrong.
She does not deny that the importance of personal data warrants the imposition of heavy fines for serious breaches, but the ICO intends to impose financial penalties proportionately and judiciously.
In which cases are fines most likely to occur?
The ICO describes in the Regulatory Action Policy an approach which focuses on the areas of highest risk and most harm.
This approach is designed to balance the protection of data subjects on the one hand and the maintenance of a supportive business environment on the other, enabling innovation and efficiency in the digital age.
The ICO plans to be robust in upholding the law whilst ensuring that businesses are not constrained by red tape or a concern that sanctions will be used disproportionately.
Action will be taken jointly with other regulators (as is currently the case) where it makes sense to do so, and where joint application of activity can achieve the best result and protection.
And if there is a breach, what then?
The ICO will always use its most significant powers immediately in serious or high-risk cases where there is a direct need to protect the public from harm. However, as a general principle, the more serious, high-impact, intentional, wilful, neglectful or repeated breaches can expect stronger regulatory action. Breaches involving unprecedented issues, technology, or a high degree of intrusion into the privacy of individuals can also expect to attract serious regulatory attention. This would be something to consider when carrying out a privacy impact assessment.
The ICO will consider each case on its merits and adopt a selective approach to the action it takes. The following are examples of the criteria the ICO will consider in deciding how to respond to data breaches:
- the nature and seriousness of the breach or potential breach (including, for example, whether any critical national infrastructure or service is involved);
- where relevant, the categories of personal data affected (including whether any special categories of personal data are involved) and the level of any privacy intrusion;
- the number of individuals affected, the extent of any exposure to physical, financial or psychological harm, and, where it is an issue, the degree of intrusion into their privacy;
- whether the issue raises new or repeated issues, or concerns that technological security measures are not protecting the personal data;
- the gravity and duration of a breach or potential breach;
- whether the organisation or individual involved is representative of a sector or group, raising the possibility of similar issues arising again across that group or sector if not addressed;
- the cost of measures to mitigate any risk, issue or harm;
- the public interest in regulatory action being taken (for example, to provide an effective deterrent against future breaches or clarify or test an issue in dispute);
- whether another regulator, law enforcement bodies or competent authority is already taking (or has already taken) action in respect of the same matter; and
- in relevant cases, the expressed opinions of the European Data Protection Board.
Any relevant aggravating or mitigating factors will also form part of this process of consideration. Examples might include:
- whether the attitude and conduct of the individual or organisation concerned suggests an intentional, wilful or negligent approach to compliance or unlawful business or operating model;
- whether relevant advice, warnings, consultation feedback, conditions or guidance from the ICO and/or the Data Protection Officer has or has not been followed;
- any action taken by a relevant individual or organisation to mitigate or minimise any damage (including delay) suffered by individuals;
- whether the relevant individual or organisation is certified by an appropriate body or has followed/failed to follow an approved or statutory code of conduct;
- the relevant individual or organisation’s prior regulatory history, including pattern, number and type of complaints about the issue;
- the vulnerability, if any, of the individuals affected, in particular by virtue of their age or other protected characteristic under the Equality Act 2010;
- the state and nature of any protective or preventative measures and technology available, including by design;
- the manner in which the breach or issue became known to the ICO and, if relevant, to what extent the relevant individual or organisation notified the ICO of the breach or issue; and
- any financial (including budgetary) benefits gained or financial losses avoided by the relevant individual or organisation, directly or indirectly.
Rewarding compliance and innovation
The ICO will encourage and reward compliance. Those who self-report, who engage with the ICO to resolve issues and who can demonstrate strong information rights accountability arrangements can expect this to be taken into account if a breach occurs.
The ICO will provide opportunities for innovative products and, services or concepts to be tested with appropriate regulatory oversight and safeguards, so that innovation and development is not over-burdened.
Priorities in 2018 for the ICO
The ICO plans, each year, to identify a particular focus for its regulatory resource. For the coming year, the following areas will be the ICO’s priorities for action:
- Large scale data and cyber security breaches involving financial or sensitive information
- Artificial intelligence, big data and automated decision making
- Web and cross device tracking for marketing (including for political purposes)
- Privacy impacts for children (including Internet of Things connected toys and social media / marketing apps aimed at children)
- Facial recognition technology applications
- Credit reference agencies and data broking
- Use and sharing of law enforcement data, including intelligence systems
- Right to be forgotten/erasure applications
So where does this leave us if we have still have work to do to become GDPR compliant?
If your organisation is still on a continuing journey towards GDPR compliance you should carry on working towards making the necessary changes. As the Regulatory Action Policy shows, the key is to engage with the new regulation and take steps to ensure that the individuals whose personal data your organization uses understand why and how your organization uses their data, that their data is appropriately protected and that it is not inappropriately shared.
If you have questions we can help! Please contact Caroline Redhead on 01768 800855 or e-mail firstname.lastname@example.org.