ICO Regulatory Plan
What has happened?
In May, the Information Commissioner’s Office published its proposed regulatory action plan, which relates to its Information Rights Strategic Plan for 2017 to 2021 and will apply to all legislation for which it monitors compliance, including the GDPR and the ePrivacy Regulations/Privacy and Electronic Communications Regulations. The consultation document is available here.
In the plan, the ICO outlines the range of regulatory measures it could apply. They include observation, intelligence gathering and monitoring, auditing, issuing information requests, investigation and the issuing of fines or other sanctions, including warnings, reprimands and enforcement notices (the purpose of an enforcement notice is to mandate action, or to halt action, such as processing or a transfer, to bring about compliance with information rights and/or remedy a breach, and failure to comply with it invites further action, including the possibility of the ICO issuing a civil monetary penalty).
For the coming year, the ICO has identified the following areas as priorities for action:
- Large-scale data and cybersecurity breaches involving financial or sensitive information
- Artificial Intelligence, big data and automated decision-making
- Web and cross-device tracking for marketing (including for political purposes)
- Privacy impacts for children (including Internet of Things connected toys and social media/marketing apps aimed at children)
- Facial recognition technology applications
- Credit reference agencies and data broking
- Use and sharing of law enforcement data, including intelligence systems
- Right to be forgotten/erasure applications
Businesses committed to complying with data protection laws in the UK are less likely to face fines for breaching their legal obligations, according to the ICO, which has stated that it will “encourage and reward compliance” in the way it applies its regulatory powers under the GDPR and the forthcoming new Data Protection Act.
The ICO comments in the action plan that “Those who self-report, who engage with us to resolve issues and who can demonstrate strong information rights accountability arrangements, can expect us to take these into account when deciding how to respond” and that “As issues or patterns of issues escalate in frequency or severity then we will use more significant powers in response,” adding that “This does not mean, however, that we cannot use our most significant powers immediately in serious or high-risk cases where there is a direct need to protect the public from harm. We will consider each case on its merits and within the context of any compliance breach (or risk of such breach). However, as a general principle, the more serious, high-impact, intentional, willful, neglectful or repeated breaches can expect stronger regulatory action. Breaches involving novel issues, technology, or a high degree of intrusion into the privacy of individuals can also expect to attract regulatory attention at the upper end of the scale”.
The ICO’s draft policy explains how it will calculate the level of penalty to apply when businesses experience a data security breach, and when businesses can expect the resulting fine to be high. In this regard, the ICO comments: “Generally, the amount will be higher where vulnerable individuals or critical national infrastructure are affected, there has been deliberate action for financial or personal gain, advice, guidance, recommendations or warnings (including those from a data protection officer or the ICO) have been ignored or not acted upon, there has been a high degree of intrusion into the privacy of a data subject, there has been a failure to cooperate with an ICO investigation or enforcement notice and there is a pattern of poor regulatory history by the target of the investigation.”
The ICO’s proposals, which also contain a list of criteria that will shape how it uses its powers and prioritises its resources, and how it will apply its powers to conduct on-site audits, are open to consultation until 28 June. A survey relating to the action plan is located here and is open for responses.
How can Thistle help you?
Thistle will continue to keep this area under review and will issue further updates where necessary. Please contact Thistle if you need assistance in relation to any of these issues.