Enforcement

At a glance

The ICO empowers people and organisations through information. The law recognises that responsible direct marketing brings benefits and our focus is on helping you carry out direct marketing in a compliant way.

We have powers to protect people if there has been a breach of data protection or PECR laws. We always use these in a targeted and proportionate way.

What is the role of the ICO?

The ICO exists to empower you through information:

We empower you as a member of the public to confidently contribute to a thriving society and sustainable economy.
We empower your organisation to plan, invest, responsibly innovate and grow.
We empower you by promoting openness and transparency by public bodies.
We empower you to hold us to account for the difference we make when enforcing the laws we oversee.

Our focus is on compliance with data protection and e-privacy legislation in the UK. The Information Commissioner is the independent supervisory authority for data protection law and PECR in the UK. In particular, in the context of this guidance, we help organisations to carry out direct marketing in a compliant way.

Where the provisions of this guidance overlap with other regulators, we will work with them to ensure a consistent and co-ordinated response.

How does the ICO deal with complaints?

If someone raises a concern with us about the way you have handled their information in the context of direct marketing, we will record and consider their complaint. We will take this guidance into account when considering your compliance. We will assess your initial response to the complaint, and we may ask you some questions and give you a further opportunity to explain your position. We expect you to be accountable for how you meet your data protection obligations. Therefore, you should make sure that you give a full and detailed explanation about how you use their information and how you comply, when you initially respond to complaints from people.

The ICO prefers to work with organisations to find a resolution. You may avoid formal enforcement action if you recognise and take ownership of the correction of any data protection shortcomings by developing a performance improvement plan.

In terms of PECR, we encourage people to report their concerns to us as we use this information to monitor compliance and decide where to take enforcement action. We will also take this guidance into account when we consider if your direct marketing complies with PECR.

If we consider that you have failed (or are failing) to comply with data protection law or PECR, we have the power to take enforcement action. This may require you to take steps to bring your operations into compliance or we may decide to fine you, or both.

What are the ICO’s enforcement powers?

We have various powers to take action for a breach of data protection law or PECR.

Tools at our disposal for infringements include:

assessment notices;
warnings;
reprimands;
enforcement notices; and
penalty notices (administrative fines).

For serious infringements of the data protection principles, we have the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.

We have several ways of taking action to change the behaviour of anyone who breaches PECR. These include criminal prosecution and non-criminal enforcement. Currently, we can also serve a monetary penalty notice imposing a fine of up to £500,000 that we can issue against the organisation or its directors. These powers are not mutually exclusive. We will use them in combination where justified by the circumstances.

Any action taken against you, and the level of fine imposed, will be determined by which regime you have infringed. These powers are set out in detail on the ICO website (see the further reading box).

We take a risk-based, effective, proportionate approach to enforcement. Our aim is to create an environment within which people are protected, while supporting organisations to ensure they can operate and innovate efficiently in the digital age. We will be as robust as we need to be in upholding the law, while ensuring that enterprise is not constrained by red tape, or by concern that sanctions will be used disproportionately.

The ICO seeks to maximise our impact. For example, by focusing our enforcement powers on high-risk areas or circumstances where non-compliance could do the most harm and taking action on cases involving reckless or deliberate harms. The ICO is therefore unlikely to take enforcement action against an organisation that was genuinely seeking to comply and had taken reasonable steps to comply with the provisions of the legislation.