Today, the Information Commissioner’s Office (“ICO”), the UK data protection authority, released for public comment its draft “Regulatory Action Policy,” a document in which the ICO seeks to set forth its objectives in taking regulatory action, present its new investigatory and enforcement powers, and explain how it aims to use them. The comment period will close on June 28, 2018.
With three weeks remaining until the General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) takes effect, this draft document gives organizations much-needed insight into how the ICO plans to proceed under the new data protection compliance regime. In addition to the GDPR, the ICO will be enforcing the forthcoming update to the UK’s national data protection law, the UK Data Protection Act 2018 (the “DPA”), which is still working its way through Parliament but should be in place by May 25, 2018, as well as other established data protection legislation.
The “Regulatory Action Policy” explains that the ICO will have the power to issue “urgent” information notices requiring a response within 24 hours, to refer notice recipients who fail to comply to the court to be dealt with as if in contempt, to inspect and assess compliance without notice, to impose fines by way of penalty notices, and to prosecute criminal offences in court. The ICO’s powers to prosecute failures to provide information, and its ability to apply to the court for a warrant to search premises, will come from the DPA, not the GDPR.
The DPA will also permit the ICO to issue “assessment notices” to data controllers and processors so that it can investigate whether the controller or processor is complying with data protection legislation. Such a notice may require the organization to give the ICO access to premises and to specified documentation and equipment. An “urgent” assessment notice may require access to non-domestic premises on less than 7 days’ notice, which in effect allows the ICO to carry out a no-notice inspection. An organization that receives an “urgent” information notice, assessment notice, or enforcement notice may apply to the court to set aside the urgency of that notice. Under the DPA, destroying or falsifying information that the ICO is pursuing through a notice is a criminal offence. However, much as under U.S. evidence-spoliation principles, it appears that loss of information through the routine operation of automated processes may be a defence to such charges.
When undergoing an ICO data protection assessment, an organization can expect the ICO to focus on how the organization (1) obtains and maintains personal data, (2) ensures the confidentiality, integrity, and availability of that data, (3) retrieves and uses personal data, (4) discloses personal data to third parties, and (5) “weeds and destroys” personal data. The ICO is also likely to examine physical and IT security measures, including how personal data is stored and disposed of. As part of an assessment, the ICO may also assert its right to conduct one-on-one interviews with staff and contractors of the controller or processor, as well as with staff of relevant third-party service providers. If the ICO determines that specific corrective action is required, it will issue an enforcement notice stating what the organization must do, the specifics of that action, and the deadlines for taking it. The ICO may also decide to issue a penalty notice, depending on the nature, gravity, and duration of the breach of legislation, whether the failure was intentional, any mitigating action taken by the organization, any history of previous failures, the degree of cooperation during the assessment, the categories of personal data affected, the number of individuals affected, and other relevant factors.
The ICO will determine the amount of any discretionary penalty through the following mechanism:
Step 1. Remove any financial gain from the breach.
Step 2. Censure the breach based on its scale and severity, taking into account the considerations identified in Clause 152(2)-(4) of the DPA.
Step 3. Reflect any aggravating factors.
Step 4. Add in an amount to deter other potential violators.
Step 5. Reduce the amount (except for the amount in Step 1) to reflect any mitigating factors.
Under Clause 155 of the DPA, the ICO will also be able to issue fixed penalties for failure to comply with the charges regulations (that is, failure to pay the required data protection fee). The fixed penalty for large organizations is £4,000, which the ICO can increase to the statutory maximum of £4,350 depending on aggravating factors. Any penalties under the DPA would be in addition to the GDPR penalties of up to £17 million (€20 million) or 4% of an organization’s annual global turnover, whichever is higher.