Out-Law News | 08 May 2018 | 4:47 pm | 2 min. read
The watchdog said it would "encourage and reward compliance" in the way it applies its regulatory powers under the General Data Protection Regulation (GDPR) and forthcoming new Data Protection Act.
The proposed regulatory action plan the ICO has published will also apply to a raft of other legislation that it is responsible for monitoring compliance with, including e-Privacy regulations and freedom of information laws.
The ICO said: "Those who self-report, who engage with us to resolve issues and who can demonstrate strong information rights accountability arrangements, can expect us to take these into account when deciding how to respond."
In its draft regulatory action plan, the ICO outlined the "range of measures" it could apply. They include "observation, intelligence gathering and monitoring", auditing, investigation and issuing of fines or other sanctions.
"As issues or patterns of issues escalate in frequency or severity then we will use more significant powers in response," the ICO said. "This does not mean however that we cannot use our most significant powers immediately in serious or high-risk cases where there is a direct need to protect the public from harm."
"We will consider each case on its merits and within the context of any compliance breach (or risk of such breach). However, as a general principle, the more serious, high-impact, intentional, wilful, neglectful or repeated breaches can expect stronger regulatory action. Breaches involving novel issues, technology, or a high degree of intrusion into the privacy of individuals can also expect to attract regulatory attention at the upper end of the scale," it said.
The ICO's draft policy explained how it will calculate the level of penalty to apply when businesses experience a data security breach, and when businesses can expect the fine to be high.
It said: "Generally, the amount will be higher where: vulnerable individuals or critical national infrastructure are affected; there has been deliberate action for financial or personal gain; advice, guidance, recommendations or warnings (including those from a data protection officer or the ICO) have been ignored or not acted upon; there has been a high degree of intrusion into the privacy of a data subject; there has been a failure to cooperate with an ICO investigation or enforcement notice; and there is a pattern of poor regulatory history by the target of the investigation."
The ICO's proposals, which also contain a list of criteria that will shape how the watchdog uses its powers and prioritises its resources, and how it will apply powers to conduct on-site audits, are open to consultation until 28 June.
"The ICO’s approach is designed to help create an environment within which, on the one hand, data subjects are protected, while ensuring that, on the other hand, business is able to operate and innovate efficiently in the digital age," the ICO said. "We will be as robust as we need to be in upholding the law, whilst ensuring that commercial enterprise is not constrained by red tape, or concern that sanctions will be used disproportionately. We will work with others where it makes sense to do so, and where joint application of activity can achieve the best result and protection."