Longer Reads

UK Information Commissioner introduces new approach to enforcement

The Information Commissioner’s Office (ICO) has announced that it is changing its approach to data breaches committed by public bodies.

Published 27 May 2023

Following Brexit, the EU General Data Protection Regulation (GDPR) no longer has direct effect in the UK. In its place, a domestic version, the UK GDPR, was retained in UK law and operates alongside the Data Protection Act 2018. The wording of the UK law is for most purposes a mirror image of the EU GDPR. However, the interpretation of the law in the UK is not bound by EU decisions, and the approach of the UK Information Commissioner differs in a number of respects from the approach taken in various EU countries and regions.

A new UK Information Commissioner, John Edwards, took office in January 2022. Following a period of consultation with businesses, organisations and the public, the Information Commissioner’s Office (ICO) announced that it would be changing its approach to data breaches committed by public bodies.

The new approach to enforcement sits within the ICO’s new three-year strategy – ICO25 – which focuses on “Empowering you through information.” The key objectives are to:

1. Safeguard and empower people
2. Empower responsible innovation and sustainable economic growth
3. Promote openness, transparency and accountability; and
4. Continuously develop the ICO’s culture, capability and capacity

It is noticeable that, both before and after the introduction of the UK GDPR, many of the enforcement actions, including fines, were taken against national and local government bodies, National Health Service trusts and other public institutions. In many cases fines were imposed to punish and deter persistent breaches of data protection law.

The ICO’s new enforcement strategy is to be defined by transparency, proportionality and accountability. The idea is to “regulate for outcomes”. A “graduated” response to non-compliance will take account of the circumstances of the specific breach and of any mitigating steps taken. The ICO will draw on its wider powers, including warnings, reprimands, enforcement notices requiring compliance, and orders to stop processing, before resorting to fines.

While fines have been “headline-grabbing”, they have given rise to concerns about the funding structures for public bodies. Fines are paid out from the monies available for the provision of services to the public, so higher fines mean a reduction in service provision. There is also limited evidence that fines are an effective deterrent in the long-term.

Instead, the ICO would like to use other enforcement measures as a way of correcting bad practice through education, and a means to build cooperation and trust.

Another change concerns the degree of publicity given to the ICO’s enforcement measures. Until now only the more serious measures, including fines, have been published on the ICO website. In November 2022 the ICO announced that it would publish all reprimands it issues, alongside enforcement notices and fines, and that this would apply retrospectively to reprimands issued from January 2022. The published information includes the name of the organisation, the duration of the infringement, and the scale and number of data subjects affected.

The strategic objective is to give visibility to the work the ICO does behind the scenes, principally the dissemination of lessons learnt and best practice.

The new Commissioner believes that publishing reprimands will provide greater accountability (victims of data breaches have the right to know that the bodies responsible are being held to account and that practices have changed), and that the information will also be of relevance and significance to the rest of the economy. In his view, greater certainty and a more predictable approach to enforcement will allow more flexibility and innovation, and the increased transparency should give the public a greater sense of security, encouraging more confidence in sharing personal data.

Fines will still be used in the most severe cases, particularly where harm was or may have been caused to a person, or where the organisation profited from the non-compliance.

This increased focus on transparency will give individuals who suffer loss and damage as a result of a data breach more information on which to decide whether to pursue a claim. Whether the newly published information can be relied on as evidence of a breach of the UK GDPR, and so as the basis of legal action, is yet to be tested.

This article was first published on 26 May 2023 by ECTA.
