The new approach to regulatory and enforcement action adopted by the UK Information Commissioner’s Office (ICO) looks set to continue in 2023. The ICO has indicated recently that it is modifying its attitude towards regulatory action in respect of public sector organisations. It has also noted that enforcement does not necessarily equate to fines, but includes various other “corrective powers,” including warnings, reprimands, compliance orders, limitation orders, erasure of data and suspension of data flows.
Going forward, the ICO intends to regulate for outcomes rather than outputs, observing that the number or level of fines should not be used as a yardstick by which to judge the ICO’s success and that achieving preferential outcomes and publicising these may have a more significant impact on UK citizens’ rights than monetary penalties might achieve.
The ICO’s view is that imposing fines on public authorities can, in effect, penalise the victims of UK GDPR non-compliance by reducing the monies available to deliver public services, which is of little social benefit in times of economic crisis. In central Government, fines can create a “money-go-round” and are ineffective in delivering the ICO’s desired outcomes. Having said that, monetary penalties will remain an important regulatory tool which will be utilised in cases where breaches have harmed or could harm individuals the most, or where organisations have profited from non-compliance.
Another key difference is that, generally, all reprimands issued by the ICO will now be published.
This change is motivated by the understanding that, by educating others, the ICO can drive behavioural change in compliance and better accountability. The rest of the economy should be informed about applicable data protection law infringements and what action is taken. When monetary penalties are considered for public authorities but reprimands are issued instead, the ICO will confirm the amount of the proposed fine to warn other organisations of the likely level of monetary penalties that could be imposed.
The ICO is aiming to achieve greater certainty regarding the nature and extent of organisations’ data protection obligations and to provide a predictable and well-publicised approach to enforcement. This is intended to encourage flexibility and increased innovation.
It will be interesting to see what impact the ICO’s new approach (which various European regulators also appear to be adopting, to differing extents) has in practice on driving data protection compliance across both the public and private sectors. Data controllers should note, however, that various different enforcement measures may be imposed upon them, which may have significant implications, albeit in a different way to monetary penalties. While fines may hit revenue figures, orders to stop processing, erase certain data, or to stop transferring data may have far-reaching implications for the business model. Public reprimands may also expose organisations to significant reputational risks. Organisations should also consider the different potential outcomes and plan for change before any ICO investigation concludes, as corrective orders will come with a (relatively short) timeframe for implementation, following which further action, possibly fines, may follow.