22May

As the regulatory environment gets ever more stringent, companies need to be aware that simply demonstrating compliance with the requirements of their industry regulator, such as the Financial Conduct Authority or the Claims Management Regulator, is not in itself sufficient. Companies across all business sectors also need to comply with applicable data protection legislation and can expect to be subject to enforcement action if they break the law.

The powers available to the data protection regulator, the Information Commissioner’s Office (ICO), are summarised in a recent blog post by James Dipple-Johnstone, Deputy Commissioner for Operations at the ICO.

Most companies are aware that the introduction of new General Data Protection Regulation (GDPR) is just days away, however Mr Dipple-Johnstone said that it had also been “an incredibly busy time” for the ICO because of its well-publicised investigation into the use of data for political purposes, which he described as “the largest investigation in our office’s history.”

He made reference to the fact that the maximum fines under GDPR will be the higher of 4% of global turnover or €20 million (approximately £17 million). However, he added that:

“Over the last few months, it has become increasing clear that some of our powers are not fit for purpose for the challenging remit we have in the digital age. We have also realised that the powers under the GDPR, although enhanced, are not going to be sufficient either.”

To clarify his remarks, Mr Dipple-Johnstone explained that whilst the GDPR is a piece of European Union legislation, data protection laws enacted in the UK give his organisation the power to:

  • Prosecute organisations that fail to provide requested information
  • Go to court to obtain a warrant to search premises, allowing the ICO to carry out inspections without notice
  • Issue information notices to individuals as well as organisations
  • Require urgent information notices to be complied with within 24 hours

He added that future legislation will make it a criminal offence for an organisation to destroy or alter information that the ICO wishes to remove under a search warrant.

The ICO has issued a draft Regulatory Action Plan and invites comments on its content before June 28. One of the aims of the Plan is to ensure that the ICO takes “fair, proportionate and timely regulatory action with a view to guaranteeing that individuals’ information rights are properly protected.”

In deciding whether to take action, and in carrying out enforcement actions, the ICO’s principal objectives will be:

  • To respond to breaches of legislation, especially those involving highly sensitive information, or which affect large numbers of people, or have an impact on vulnerable individuals
  • To use its most significant powers against organisations and individuals suspected of repeated or wilful misconduct or serious failures to take steps to protect data
  • To support compliance in general, including the promotion of good practice and provision of advice on compliance issues
  • To identify and mitigate emerging risks associated with data protection, such as changes related to technological change
  • To work constructively with other regulators and interested parties

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article