
At a glance

The ICO upholds information rights in the public interest. In the context of data sharing, our focus is to help you carry out data sharing in a compliant way.

We have various powers to take action for a breach of the UK GDPR or the DPA 2018. We will always use our powers in a targeted and proportionate manner, in line with our regulatory action policy.

In more detail

What is the role of the ICO?

The ICO is the independent supervisory authority for data protection in the UK.

Our mission is to uphold information rights for the public in the digital age. Our vision for data protection is to increase the confidence that the public have in organisations that process personal data. We offer advice and guidance, promote good practice, monitor and investigate breach reports, monitor compliance, conduct audits and advisory visits, consider complaints and take enforcement action where appropriate. Our enforcement powers are set out in Part 6 of the DPA 2018.

We have also introduced initiatives such as the Sandbox to support organisations using personal data to develop innovative products and services.

Where the provisions of this code overlap with other regulators, we will work with them to ensure a consistent and co-ordinated response.

How does the ICO monitor compliance?

We use this code in our work to assess the compliance of controllers through our audit programme and other activities.

Our approach is to encourage compliance. Where we do find issues, we take fair, proportionate and timely regulatory action to ensure that individuals’ information rights are properly protected.

How does the ICO deal with complaints?

If someone raises a concern with us about your data sharing, we will record and consider their complaint.

We will take this code into account when considering whether you have complied with the UK GDPR or DPA 2018, particularly when considering questions of fairness, lawfulness, transparency and accountability.

We will assess your initial response to the complaint, and we may contact you to ask some questions and give you a further opportunity to explain your position. We may also ask for details of your policies and procedures, your DPIA, and other relevant documentation. We expect you to be accountable for how you meet your obligations under the legislation, so you should make sure that when you initially respond to complaints from data subjects you do so with a full and detailed explanation about how you use their personal data and how you comply.

If we consider that you have failed (or are failing) to comply with the UK GDPR or the DPA 2018, we have the power to take enforcement action. We may require you to take steps to bring your operations into compliance, we may decide to fine you, or we may do both.

However, the ICO prefers to work with organisations to find a resolution. Organisations that recognise their shortcomings and take ownership of correcting them, for example by developing a performance improvement plan, can avoid formal enforcement action.

What are the ICO’s enforcement powers?

We have various powers to take action for a breach of the UK GDPR or DPA 2018.

Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.

In line with our regulatory action policy, we take a risk-based approach to enforcement. Our aim is to create an environment in which data subjects are protected while organisations are able to operate and innovate efficiently in the digital age. We will be as robust as we need to be in upholding the law, while ensuring that enterprise is not constrained by red tape, or by concern that sanctions will be used disproportionately. We focus the use of our enforcement powers on cases involving reckless or deliberate harms, and are therefore unlikely to take enforcement action against an organisation that is genuinely seeking to comply with the legislation. Nor do we seek to penalise an organisation where a member of staff has made a genuine mistake when acting in good faith and in the public interest, for example in an emergency situation or to protect someone’s safety.

In an emergency situation, as previously explained, our approach will be proportionate.

These powers are set out in detail on the ICO website.