On 31 October, the Information Commissioner’s Office (ICO) opened a consultation on a new draft document titled data protection enforcement procedural guidance. The draft offers useful insights into how the ICO plans to exercise its monitoring and enforcement powers in future. This article takes a look at the nature of those powers and how the ICO proposes to exercise them. It will be of interest to organisations that are subject to UK data protection laws (which can include those based outside the UK).
The ICO’s powers
The draft guidance contains a useful summary of the ICO’s powers under UK data protection law, paraphrased below:
- Requiring you to provide information and documents
- Conducting assessments of compliance with data protection legislation, including by entering your premises and requiring reports by approved persons
- Requiring individuals to attend interviews and answer questions
- Entering and inspecting premises under warrant
- Giving a warning if your processing operations are likely to infringe data protection legislation
- Giving a reprimand if your processing operations have infringed data protection legislation
- Giving an enforcement notice to you to take appropriate steps to remedy an infringement
- Imposing a fine by giving a penalty notice
At a high level, how does it exercise those powers?
The draft guidance reminds us that when deciding how to exercise its powers, the ICO must take into account its primary objective, which is to:
- Secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest
- Promote public trust and confidence in the processing of personal data
Using resources in an efficient and cost-effective way
The draft guidance recognises that the ICO has limited resources, noting that “we cannot open investigations into every complaint or personal data breach report we receive, and it would not be proportionate to do so.”
They say that they “monitor trends in complaints and personal data breach reports to help identify particular areas of concern and allow us to focus on issues posing the greatest risk of harm.” (NB the ICO has published a data protection harms taxonomy, which explains what kind of data protection breach is regarded as causing the ‘greatest risk of harm’).
Forms of ICO monitoring and enforcement action, and how they can escalate
1. Information gathering
The ICO has a range of information gathering powers under the Data Protection Act 2018. These powers include:
- Issuing information notices
Information notices are requests for information and documents to assess whether you are complying with data protection law. Generally:
- Information notices will not be made public
- You'll have 28 days to respond
- It will be in your best interests to respond to the information notice in a complete, timely and accurate manner
- Issuing an assessment notice
This is an ICO request to enter your premises and inspect documents, information etc. (and, if needed, to request the preparation of reports) to assess whether you are complying with data protection law. Generally:
- Assessment notices will not be made public
- It will be in your best interests to co-operate with an assessment notice
- Issuing an interview notice
An interview notice is a formal written request to an individual to attend an interview with the ICO at an appointed place and time, and answer questions relevant to an ICO investigation. Generally:
- Interview notices will not be made public
- It will be in your best interest to co-operate with an interview notice
- Powers of entry and inspection
The ICO can apply to the courts for a warrant to enter and inspect your premises, although this power is unlikely to be used often in practice.
2. Warnings
The ICO may issue a warning if it considers that a data controller or processor is about to commence some form of data processing that would infringe data protection legislation. They have this to say on the effect of warnings:
“A warning is not binding and does not require a controller or processor to refrain from proceeding with its intended processing operations. However, if the controller or processor still commences the relevant processing operations in a way that we consider infringes data protection legislation, we may regard its failure to take into account the warning as an aggravating factor when we are considering what, if any, steps to take.”
Generally:
- The ICO will make a public announcement when it gives a warning by publishing a statement on its website. They 'may' also issue a statement to the media.
- It will be in your best interests to pause until you have determined whether the ICO is correct in its warning that your planned data processing may breach data protection laws.
3. Reprimands
The draft guidance says that reprimands are “a finding that the controller or processor has infringed data protection legislation, but it does not impose any legally binding obligations. Consequently, we generally give reprimands about less serious infringements of data protection legislation.”
Generally:
- You'll get a ‘notice of intent’ before the ICO issues you with a reprimand.
- You'll get an opportunity to make ‘written representations’ to the ICO (eg about why you do not deserve to be reprimanded).
- Any notice of intent should be responded to within 21 days.
- If it decides to issue a reprimand, the ICO will typically make a public announcement by publishing a statement on its website (as well as a copy of the reprimand). It ‘may’ also issue a statement to the media.
4. Enforcement notices
The draft guidance says that if the ICO decides “that a controller or processor has infringed, or is continuing to infringe, data protection legislation, we may give it with an enforcement notice. An enforcement notice specifies the steps we require it to take, or refrain from taking, to comply with data protection legislation.”
It goes on to say that:
“In considering whether to give an enforcement notice and what requirements it is appropriate to impose, we take into account the extent that doing so is likely to be: (i) effective in remedying the infringement and (ii) reasonable and proportionate in the circumstances of the case… If we consider that a potential requirement is unlikely to be effective in remedying the infringement or mitigating the damage or distress, it is unlikely to be appropriate.”
Generally:
- You'd get a ‘preliminary enforcement notice’ as a first step.
- You'd get 21 days to respond to that notice.
- You'll get an opportunity to make ‘written representations’ to the ICO (eg about why you don’t deserve an enforcement notice).
- Enforcement notices will be made public on the ICO’s website (unless they are only ‘preliminary’) and a statement to the media ‘may’ be issued.
5. Penalty notices (ie fines)
Leaving aside law enforcement and the intelligence services, the draft guidance reminds us that the ICO issues penalty notices for:
- Serious infringements of the UK GDPR
- Failures to comply with information notices, assessment notices, or enforcement notices (all discussed above)
Before issuing a penalty notice, the ICO must first issue a ‘notice of intent.’
Generally:
- A ‘notice of intent’ to issue a penalty notice will not be announced publicly.
- You get 21 days to respond to the notice of intent.
- You'll get an opportunity to make ‘written representations’ to the ICO (eg about why you don’t deserve a penalty notice).
Penalty notices will ‘always’ be publicly announced, with the ICO also ‘likely’ to issue a statement to the media. A copy of the penalty notice will also be published on the ICO website.
Settlement: reduced fines in return for co-operation
The draft guidance describes settlement as “a voluntary process where a controller or processor under investigation admits that it has infringed the data protection legislation and confirms that it accepts that a streamlined administrative procedure will govern the remainder of [the ICO] investigation. If so, we impose a reduced fine on the controller or processor to reflect the early resolution of the case and resource savings involved.”
The draft guidance says that it considers settlement ‘may’ be appropriate where it has “sufficient basis to give a notice of intent to impose a penalty notice.”
The benefit of settling with the ICO is that it could mean your organisation would be eligible for a reduced fine, as set out below:
- 40% if a case is settled before the ICO gives a notice of intent
- 30% if a case is settled after the ICO gives a notice of intent but before it receives written representations
- 20% if a case is settled after the ICO gives a notice of intent and after it receives written representations
This last item appears on the generous side, as it appears to envisage a 20% discount even in circumstances where the organisation being issued with a penalty has done everything short of appealing the ICO’s findings to a tribunal.
Comment
We hope this potted summary of the ICO’s draft ‘procedural enforcement’ guidance is useful as a high level overview of the twists and turns that an ICO investigation can take.