The Information Commissioner’s Office (‘ICO’) announced, on 4 May 2018, that it had launched a consultation on its draft Regulatory Action Policy (‘the Draft Policy’) concerning its plans to regulate the Data Protection Bill 2017 (‘the Bill’), the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), the Privacy and Electronic Communications Regulations 2003, the Freedom of Information Act 2000 and other related legislation.
James Dipple-Johnstone, Deputy Commissioner for Operations at the ICO, explained in a blog post, “The power to levy penalties of up to 4% of global turnover or £17 million, whichever is greater, has come through the GDPR but other powers will be introduced by the new Bill currently before Parliament. It is useful to have the option of larger fines and sanctions under the GDPR, but unless we have the powers to move at a pace and obtain the information and evidence to determine what has happened, we will be hampered in our future ability to issue those fines or sanctions. Our powers to prosecute any failure to provide information, our ability to go to court to request a warrant to search a premises come from the UK’s domestic legislation, not the GDPR.”
Under the Draft Policy, the ICO’s regulatory activities will include conducting compliance assessments, issuing orders and warnings, producing codes of practice, overseeing Data Protection Impact Assessments and certification mechanisms, administering fines and fixed penalties, and prosecuting criminal offences before the courts. With respect to these activities, the Draft Policy highlights that the ICO aims to respond swiftly and effectively to data breaches, with a particular focus on those involving highly sensitive information, those adversely affecting large groups of individuals, and those impacting vulnerable individuals. Regarding sanctions, the Draft Policy states that the ICO intends to be effective, proportionate, dissuasive and consistent in their application, reserving the exercise of its most significant powers for organisations and individuals suspected of repeated or wilful misconduct or of serious failures to take proper steps to protect personal data.
Dipple-Johnstone added, “We have the ability to inspect and assess compliance without notice and it will be a criminal offence for an organisation to destroy or alter information we wish to pursue a warrant to remove. These powers will assist in the conclusion of this investigation and future investigations. The powers will allow us to better tackle the challenges of securing evidence and investigating systems in situ – to see how personal data are actually being used and managed. We need to see these effects in short time periods in the context of fast moving investigations.”
The consultation closes on 28 June 2018, following which the revised Draft Policy will be subject to parliamentary consideration and final approval.
NIKOS PAPAGEORGIOU | Junior Privacy Analyst