UK: The ICO's New Year's Resolutions

Last Updated: 23 January 2019
Article by Asel Ibraimova

The ICO has published a draft Regulatory Action Policy ("Policy") on 28 June 2018 available here, supplementing its Information Rights Strategic Plan for 2017-2021 (here) and International Strategy for 2017-2021 (here). This Policy provides an overview of how and to what extent the ICO will use its newly expanded regulatory enforcement powers provided by the General Data Protection Regulation ("GDPR") and the Data Protection Act 2018 ("DPA").

The Policy will be subject to Parliamentary consideration and approval before coming into effect. This is anticipated in the first half of the year and the Secondary Legislation Scrutiny Committee has listed the Policy in its Instrument of Interest.1

The key highlights of the Policy are summarised below.

ICO Enforcement Powers:

Amongst other helpful points, the draft Regulatory Action Policy clearly sets out the powers of the ICO, including to:

  • conduct assessments of compliance with the data protection legislation, PECR, e-IDAS, NIS, FOIA and EIR;
  • apply for a court order requiring compliance with an information notice issued under the DPA;
  • conduct assessments of cross-border data transfers and corporate groups' binding corporate rules;
  • oversee data protection impact assessments;
  • conduct audits and assessments under the IPA and other information rights legislation;
  • oversee the establishment of data protection certification mechanisms;
  • encourage development of codes of conduct, and accrediting bodies to monitor compliance with codes of conduct;
  • require a data controller or digital service provider to inform an individual of a personal data breach;
  • issue a warning where proposed action threatens non-compliance with data protection legislation;
  • issue practice recommendations and decision notices under FOIA and EIR;
  • issue a reprimand for infringements of relevant data protection legislation;
  • certify contempt of court should an authority fail to comply with an information notice, decision notice or enforcement notice under FOIA and EIR;
  • administer fines by way of penalty notices in the circumstances set out in clause 155 of the DPA;
  • issue codes of practice required under the legislation covered by the ICO;
  • administer fixed penalties for failing to meet specific obligations (e.g. a failure to pay the relevant fee to the ICO); and/or
  • prosecute criminal offences before the courts.

Further to the above, the ICO may issue the following notices:

Information Notices

A formal request for a controller, processor or individual to provide information to the ICO, assisting them with an investigation. An "urgent" information notice requires controllers or processors to provide information within 24 hours.

Assessment Notices

A notice issued by the ICO to a data controller or data processor to allow the ICO to investigate whether the controller or processor is compliant with data protection legislation. For example, a notice may require the data controller or data processor to give the ICO access to premises and specified documentation and equipment. An "urgent" "no-notice" or "short" notice assessment notice can also be issued where necessary.

Enforcement Notices

A request for an individual or organisation to take specific actions to resolve breaches (including potential breaches) of data protection legislation and other information rights obligations. An "urgent" enforcement notice requires action to be taken within 24 hours.

Penalty Notices

Sanctions for a breach of information rights or legislation. Penalty Notices will generally be reserved for the most serious cases, involving willful, deliberate or negligent acts, or repeated breaches of information rights obligations.

Factors Considered by the ICO

When deciding the most appropriate regulatory action to take, the ICO will consider several mitigating and aggravating factors, such as the:

  • Nature and seriousness of the breach or potential breach
  • Categories of personal data affected
  • Number of individuals affected
  • Whether the issue raises new or repeated issues
  • Duration of the breach or potential breach
  • Potential harm and level of intrusion caused by the breach
  • Possibility for the breach to be repeated
  • Mitigation costs and public interest
  • Action taken by other enforcement authorities
  • Whether there is indication of conduct being willful, intentional, negligent, or unlawful
  • Adherence to the advice or guidance of the ICO and/or the Data Protection Officer
  • Action taken to mitigate or minimize damage to the affected individuals
  • Adherence to a code of conduct
  • Prior regulatory history
  • Vulnerability of affected individuals
  • Manner in which the ICO was notified of the issue (such as self-reporting)
  • Financial benefits to the organization from the breach


The ICO have pointed towards a regulatory space for individuals and organisations (against whom the ICO is considering taking enforcement action) to make "representations". This opportunity for an organisation to comment on the ICO's regulatory action is likely only to be applicable where the enforcement is at the upper end of the scale and appropriate to do so. However, it represents an ICO commitment to, where appropriate, allow organisations to mitigate enforcement action through "representations".

International and Inter-Regulatory Cooperation

Where a case includes cross-border information flows, the ICO will liaise with supervisory authorities outside of the UK in line with its International Strategy. This will assist the ICO in determining the type of regulatory response and assist with investigations. The ICO will also cooperate with other authorities within the UK, such as the National Cyber Security Centre, other NIS Directive competent authorities, law enforcement, sector regulators, and consumer regulators. This aims at minimizing burdens on controllers in assisting with investigations, such as information requests.

Annex included in the previous version

Interestingly, between the 4 May and 28 June 2018 the Information Commissioner's Officer ("ICO") launched a draft version of the Policy for consultation (available here). In this previous version of the policy the ICO set out key priorities for 2018- 2019 in an Annex.

These priorities were:

  1. Large scale data and cyber security breaches involving financial or sensitive information
  2. AI, big data and automated decision making
  3. Web and cross device tracking for marketing (including for political purposes)
  4. Privacy impacts for children (including Internet of Things connected toys and social media / marketing apps aimed at children)
  5. Facial recognition technology applications
  6. Credit reference agencies and data broking
  7. Use and sharing of law enforcement data, including intelligence systems
  8. Right to be forgotten/erasure applications

However, following the consultation, the ICO removed the Annex from the draft Regulatory Action Policy.

Where does this leave the ICO's Priorities?

Despite not including the Annex in the current version of the policy document the ICO included a hierarchy of regulatory action in their draft Regulatory Policy. This hierarchy emphasises that:

"Breaches involving novel or invasive technology, or a high degree of intrusion into the privacy of individuals, without having done a full Data Protection Impact Assessment and taken appropriate mitigating action and/or which should have been reported to the ICO21 but was not, can also expect to attract regulatory attention at the upper end of the scale."

Additionally, the ICO has published the following strategies and plans:

These provide insight into the ICO's priorities for the coming years. Broadly speaking, these strategies and plans, do echo to a large extent, the priorities in the Annex subsequently removed from the draft Regulatory Action Policy.

Next Steps:

The Policy will be subject to Parliamentary consideration and approval before coming into effect in line with s160 DPA.

Once the Regulatory Action Policy is approved, it will be published on the ICO's website and subject to regular review. The Policy will be updated to reflect changes to e-Privacy and relevant considerations once the final Brexit settlement has been confirmed.


1 Secondary Legislation Scrutiny Committee Fortieth Report, 13 September 2018,

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions