Data protection in the UK is regulated by the Information Commissioner’s Office (ICO). The ICO is a non-departmental public body responsible for upholding information rights legislation and providing guidance on data protection.
The ICO receives thousands of complaints every year, and each one is recorded and considered. Where a data breach has occurred, a complaint may be investigated and can lead to action being taken against the organisation, including fines.
The ICO has several actions it can take against organisations that breach legislation, particularly under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Fines
- The ICO has the authority to issue monetary penalties for breaches. These can be up to £17.5 million or 4% of annual global turnover, whichever is higher, depending on the severity of the breach.
- The size of the fine depends on factors such as the nature and duration of the breach, whether it was intentional or negligent, and whether the organisation took action to mitigate the impact on the individuals affected.
Warnings and Reprimands
- For less severe breaches, the ICO might issue a warning or a reprimand, formally notifying an organisation of its breach of the legislation and advising it to take corrective action.
- The corrective action may be something such as ensuring staff are appropriately trained, implementing more suitable policies and procedures, or conducting a thorough audit and providing evidence that its recommendations have been acted on.
Enforcement Notices
- The ICO can also issue an enforcement notice, which legally compels an organisation to take specific steps to comply with data protection regulations.
- This might include a requirement to stop a specific processing activity, or to make changes to practices, systems, or security measures. Failure to comply with an enforcement notice can lead to further fines or legal action.
The ICO can, and often does, publish details of a breach and the action taken against an organisation, which can affect that organisation’s reputation. This is usually part of a broader effort to raise awareness of non-compliance with data protection law, acting as a deterrent and a learning opportunity for other organisations.
So how can we improve data protection by learning from the recent ICO action taken?
Having robust security measures in place is absolutely vital to data protection. This could mean upgrading cyber security, for example enforcing multi-factor authentication or restricting access to files to the personnel who actually need it, or it could mean physical security, such as monitoring visitor and guest access or increasing perimeter security measures. A physical security review can help ensure your organisation is prepared for, and secure against, threats to data protection.
Respond to Subject Access Requests (SARs) adequately and in a timely manner. Under UK GDPR a SAR must be answered within one calendar month of receipt (this can be extended by up to a further two months only where the request is complex or numerous, and the individual must be told within the first month). Ensuring staff are suitably trained minimises delays, since staff will readily recognise a SAR, however it arrives, and know how to respond to it.
Understand the options available within data protection and marketing. The legislation (UK GDPR, and PECR for electronic marketing) does not prohibit using personal data for marketing purposes, but there are limits on what can be done. Arranging bespoke training for marketing teams can ensure they are aware of what can and cannot be done within their sector.
There are many more lessons that can be taken from the ICO’s published enforcement action. If we can help with any data protection concerns, requests or training, please do get in touch.