What is the Information Commissioner’s Office (ICO)?
Who is the Information Commissioner, what powers do they have, and how will the ICO enforce GDPR?
The Information Commissioner's Office (ICO) is the UK's independent data protection regulator, charged with enforcing a range of laws governing communications, networking, information rights and data protection. It is best known for its role in enforcing the EU's General Data Protection Regulation (GDPR), and for making sure that organisations operating in the UK comply with its data protection principles.
The regulator has a number of roles and responsibilities, including investigating organisations that have suffered data breaches, imposing penalties where appropriate, and auditing organisations' data collection and storage practices. The ICO also regularly publishes reports on the state of data protection in the UK, on emerging threats, and on changes to how it operates.
Before GDPR came into force, the ICO could issue fines of up to £500,000 to organisations that failed to comply with the data protection principles of the Data Protection Act (DPA) 1998, including where negligence contributed to a data breach. Under GDPR, the regulator can fine an organisation up to €20 million or 4% of its global annual turnover, whichever is higher, for the most serious infringements. A lower tier of up to €10 million or 2% of turnover applies to other obligations, including the requirement to notify the ICO of a personal data breach.
A number of large organisations have felt the wrath of the ICO in recent years, with Uber, Equifax and Facebook among the companies fined under the previous legislation; Equifax and Facebook each received the £500,000 maximum. The prospect of far larger fines under GDPR has made businesses more alert to reporting incidents, with the watchdog revealing recently that companies were over-reporting data breaches, seemingly in an effort to be as compliant as possible.
The history of the ICO
Since it was created more than 30 years ago, the UK's data regulator has existed in several iterations, its purpose and scope shifting as technology, networking and the data protection landscape changed around it.
It was initially led by Eric Howe, the first Data Protection Registrar, who enforced the first DPA from 1984, and set up a register of data users and computer bureaux. These were simpler times, and Howe's powers were restricted to accepting and rejecting applications for the register, removing members, and issuing notices to organisations to enforce compliance with the data protection principles.
His main responsibilities included raising public awareness of data protection and encouraging industries to write codes of practice for good data hygiene. Howe's influence grew in 1989, two years after the DPA 1984 fully came into force, when he carried out eight prosecutions. He retired in 1994.
As the DPA 1998 was debated in parliament, the watchdog conducted an important self-audit of its role in an increasingly connected world and issued its first guidance to organisations on the rising use of the internet. The regulator changed its name from the Data Protection Registrar to the Data Protection Commissioner in 2000 to coincide with the DPA 1998 substantially coming into force.
Its remit then expanded to span several pieces of legislation, and it underwent a second rebranding in 2001, becoming the Information Commissioner's Office and gaining the added responsibility of overseeing Freedom of Information (FOI) and information rights more broadly.
In 2009, the ICO adopted a new mission statement around holding organisations to account over information rights and promoting data rights for individuals, before gaining new powers the following year to issue financial penalties.
Who is the Information Commissioner?
The ICO is led by the Information Commissioner, the organisation's most senior official appointed by the Crown to oversee the enforcement of data and information legislation and promote data rights across the UK.
The current incumbent, and fifth to hold the office, is Elizabeth Denham, who has been Information Commissioner since 2016, when she succeeded Christopher Graham. She is perhaps the most significant post-holder since the role of Data Protection Registrar was created in 1984, having taken charge during a turbulent and defining period for the management of data and data protection rights.
Denham oversees the regulator's enforcement of GDPR and the DPA 2018, which supplements GDPR in UK law, and is also charged with raising awareness of data rights among organisations and the wider public, as well as spearheading key investigations that will set precedents for how data protection cases are adjudicated. One example is the investigation into the abuse of privacy rights and the misuse of data in political campaigns, which led to a £200,000 fine levied against Arron Banks and Vote Leave in February this year.
The Information Commissioner has an arsenal of tools to hold organisations and individuals to account, ranging from enforcement notices to fines. The post-holder can also comment on and influence public policy, particularly on issues of public debate such as the ethics of facial recognition.
This is not a new responsibility for the Information Commissioner. Richard Thomas, who left the role in 2009, often intervened against mandatory ID cards and at one stage warned of the danger of the UK sleepwalking into a surveillance state.
What legislation does the ICO enforce?
The Information Commissioner oversees the enforcement of 11 separate pieces of legislation, including GDPR.
Beyond the DPA, the Privacy and Electronic Communications Regulations (PECR) and the Freedom of Information (FOI) Act are perhaps the most widely encountered by businesses across the UK. The ICO also oversees the Environmental Information Regulations, the INSPIRE Regulations, the Investigatory Powers Act, the Enterprise Act, the eIDAS Regulation, the Re-use of Public Sector Information Regulations, and the Network and Information Systems (NIS) Regulations.
The DPA 2018 already applies alongside GDPR, and both are consulted on issues of data misuse. Once the UK leaves the EU, GDPR is to be retained in domestic law, and the ICO will continue to enforce it alongside the DPA 2018.
PECR sits alongside GDPR and the DPA and delivers specific privacy rights for electronic communications, which are predominantly used for marketing purposes. The regulations, derived from the EU's 2002 e-Privacy Directive, also cover cookies, keeping services secure, and safeguarding data that can be used to identify individuals, such as traffic and location data and itemised billing.
What powers does the ICO have?
"We pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR," Elizabeth Denham wrote towards the end of last year as the hype around the prospect of dizzying GDPR fines reached a fever pitch.
While the figure of €20 million (or 4% of global annual turnover, whichever is higher) has stolen the headlines, the arsenal of tools at the ICO's disposal is broad. The regulator has given every indication that financial penalties are a last resort, and that it would rather work closely with organisations to help them become compliant.
When considering whether to take action, the ICO normally seeks to meet a series of objectives, including promoting future compliance, being proactive in identifying emerging risks, and being "effective, proportionate, dissuasive and consistent" in applying sanctions.
The range of actions the ICO can take is broad. Beyond issuing fines, the regulator can conduct spot-checks of regulatory compliance, issue 'urgent' information notices, issue warnings, and launch prosecutions. It can also apply for court orders requiring compliance with a previously issued information notice.
When deciding which measures to take, the ICO takes a selective and flexible approach, weighing a wide range of factors on a case-by-case basis. An organisation's willingness to cooperate can go a long way towards reducing the scope for harsh penalties, as can its previous compliance efforts, whether data protection impact assessments (DPIAs) were conducted, the nature and gravity of the breach, the harm caused, and the steps taken to mitigate that harm.
How will the ICO enforce GDPR?
All indications suggest the ICO will take a reasonable and reserved approach to enforcing GDPR, and will only issue the maximum fines where necessary to dissuade negligence or future non-compliance.
Despite its reputation as a conservative regulator, the ICO has not shied away from fining organisations the maximum possible where they breach the law, handing Facebook a £500,000 fine for breaches of the DPA as part of its ongoing and wide-reaching probe into the alleged misuse of data in political campaigns. But, in Elizabeth Denham's own words, "predictions of massive fines under the GDPR that simply scale up penalties we've issued under the Data Protection Act are nonsense."
That said, the organisation has to date issued two significant notices of intent to fine under GDPR. British Airways received notice of a proposed £183 million fine in July, followed shortly by a proposed £99 million fine against Marriott. A notice of intent is not a final penalty: the organisation can make representations before the ICO decides the amount. Even so, these early cases suggest the ICO, while flexible and collaborative with businesses, will take a hard stance when the largest organisations suffer significant data protection incidents.
Indeed, rather than looking to catch organisations out, the ICO has introduced a number of resources to assist businesses in their ongoing compliance efforts. It set up a phone line for small and medium-sized businesses (SMBs), for example, and has published a wide range of guidance on its website.
"We want companies to succeed," said Nigel Houlden, the ICO's head of technology policy at a Westminster eForum panel event in London in May. "The ICO is not the big bad wolf - we're not sitting there rubbing our hands together waiting for Friday (25 May) going, 'haha, we're going to fine you lots of money'. That's not what we're about, that's not what we want to be. We believe in education."
What can we expect from the ICO in the future?
Faced with arguably the greatest set of regulatory challenges in its history, the ICO has only this month unveiled a wide-reaching technology strategy that it hopes will allow it to keep a firm grip on an ever-changing landscape.
This three-year strategy outlines several technology goals and priority areas for developing new thinking, and involves the appointment of the organisation's first executive director for technology policy and innovation.
Its remit is fairly broad. Beyond educating staff on technological issues and keeping businesses and the public up to date on data protection risks, the strategy commits the ICO to a 'regulatory sandbox' in which organisations can develop new tools and services with continuous guidance.
"Technology is driving changes to the societal, political, legal and business environment that the Information Commissioner's Office (ICO) needs to regulate," Information Commissioner Elizabeth Denham said of the new strategy.
"The most significant data protection risks to individuals are now driven by the use of new technologies. The risks are broad - from cyber-attacks to the growth of artificial intelligence and machine learning.
"The GDPR contains new provisions to better regulate the risks arising from technology, including data protection by design and data protection impact assessments.
"These advances need not come at the expense of data protection and privacy rights - the ICO's approach to technology will be underpinned by the concept that privacy and innovation are not mutually exclusive."
The ICO has since launched the regulatory sandbox, in which organisations can test products and services against data protection law with the regulator's cooperation and guidance during the testing phase. The sandbox is currently in its beta stage.