How the Information Commissioners Office (ICO) Enforces: A New Strategic Approach to Regulatory Action

The National Association of Data Protection Officers (NADPO) held their annual conference, in November 2022. Information Commissioner John Edwards keynote speech was insightful and challenged some of the myths that have grown up around regulator enforcement.

Whilst his speech was concerned principally with the public sector there are lessons to be drawn for the private sector as well.

John Edwards is a highly experienced lawyer and data protection professional and was previously the New Zealand Privacy Commissioner, from 2014 until the end of 2021, when he became the UK’s Information Commissioner. He was also chairman of the Global Privacy Assembly for three years.

John Edwards’ first point was:

There’s nothing in the law or in contemporary regulatory theory that says that enforcement must equal fines. Enforcement happens across a spectrum. Rather than being one thing, it’s a series of graduated responses to non-compliance.”

He goes on to suggest that by the time an investigation is completed by the ICO, it is quite likely that the necessary steps will have been put in place by the organisation, in order to ensure that a similar personal data breach will not happen again.

He shared one of the main pillars of his philosophy of personal data protection regulation:

Getting better outcomes, and sharing those stories with the wider economy, can have a much greater effect on the lives and rights of the people of the UK than a fine might… There’s very little evidence that fines on their own produce better outcomes for the people we’re protecting.”

John Edwards used the example of fining an NHS Trust for a personal data breach and argued that this further penalises those who the regulations are designed to protect by removing money from the budgets that deliver health services:

Monetary penalties remain an important regulatory tool, and we will use them in the instances where they are truly needed – for the breaches which cause or have the potential to cause the most harm to people, or where a business has profited from its non-compliance.”

He highlighted the recent case of catalogue retailer Easylife who were fined £130,000 for making predatory marketing calls. They were further fined £1.35m under UK GDPR for profiling their customers before illegally calling them. The company were making assumptions about people’s medical conditions– and then targeting them with products linked to those conditions without the data subjects consent. He concluded: “That’s an unacceptable use of people’s most sensitive information, and that’s when we take action.”

A further point in the keynote speech was a warning to those who believed a non-compliance issue would not become public.

Our website says that reprimands will not usually be published. That changes now. We will publish all reprimands going forward, including reprimands issued from January 2022 onwards, unless there is a good reason not to”.  

John Edwards’ approach is one of ‘bringing to life’ this arcane and technical world of data protection.

He goes on to say:

The greatest compliment I get is when someone says, ‘I was expecting a talk about personal data protection to be really boring, but I did not realise how relevant it was to my life!’”.

This is an approach CSRB applaud as it reflects our own view that making personal data protection accessible, engaging and relevant to all, is key to businesses taking the subject matter seriously.

We support organisations with understanding all the current UK privacy legislation and regulations, whilst making sure that you meet the expectations of the industry regulator, the ICO.

Please get in touch with us here or call 0117 325 0830 to learn more about how we can bring clarity to your information governance framework.

CSRB – The missing piece of your UK GDPR Puzzle!