4 May 2018
James Dipple-Johnstone explains our new regulatory powers and how we'll exercise them. Organisations and data protection professionals will find this information useful when responding to our consultation on our Regulatory Action Policy.
Our updated Regulatory Action Policy is out for consultation. As well as setting out the objectives that will guide the ICO as we take regulatory action, it presents our new powers and explains how we aim to use them.
The power to levy penalties of up to 4% of global turnover or £17 million, whichever is greater, has come through the General Data Protection Regulation (GDPR) but other powers will be introduced by the new Data Protection Bill currently before Parliament.
It’s been an incredibly busy time for our office with the new data protection laws coming into effect and as we work through our investigation into data analytics for political purposes — the largest investigation in our office’s history.
Over the last few months, it has become increasing clear that some of our powers are not fit for purpose for the challenging remit we have in the digital age. We have also realised that the powers under the GDPR, although enhanced, are not going to be sufficient either.
It’s useful to have the option of larger fines and sanctions under the GDPR, but unless we have the powers to move at pace and obtain the information and evidence to determine what’s happened, we will be hampered in our future ability to issue those fines or sanctions.
The data analytics investigation flagged up the real challenge, which has been how we can quickly secure the evidence needed to investigate the case.
Our powers to prosecute any failure to provide information, our ability to go to court to request a warrant to search a premises come from the UK’s domestic legislation, not the GDPR.
Government has responded positively by making amendments to the UK Data Protection Bill.
We’ve worked with government to strengthen our powers so we can issue information notices to individuals as well as organisations, we can issue urgent notices to be complied with within 24 hours. We have the ability to inspect and assess compliance without notice and it will be a criminal offence for an organisation to destroy or alter information we wish to pursue a warrant to remove. These powers will assist in the conclusion of this investigation and future investigations.
The powers will allow us to better tackle the challenges of securing evidence and investigating systems in situ – to see how personal data are actually being used and managed. We need to see these effects in short time periods in the context of fast moving investigations. For those of you interested in the details our draft Regulatory Action Policyis the place to start, you can also submit your comments by June 28 through our public consultation.