The Information Commissioner’s Office has launched a public consultation on its draft Statutory guidance, which details how it will regulate and enforce data protection legislation in the UK. The guidance is required by the Data Protection Act 2018. The document aims to support the ICO’s primary responsibility of ensuring compliance with the law, and explains the ICO’s powers, when it will use them and how it calculates fines. It sets out its risk-based approach to taking regulatory action against organisations and individuals that have breached the provisions of data protection law. The ICO’s focus is on the areas of highest risk and most harm and the principles it applies in exercising its powers.
The draft guidance aims to ensure that the rights and freedoms of individuals are protected, as well as seeking to provide assurance to business that the ICO will use its powers proportionately and consistently. The ICO says:
“the ICO’s approach is designed to help create an environment within which data subjects are protected, while ensuring business is able to operate and innovate efficiently in the digital age. We will be as robust as we need to in upholding the law, whilst ensuring that commercial enterprise is not constrained by red tape or concern that sanctions will be used disproportionately.”
The guidance sits alongside the Regulatory action policy, which sets out how the ICO regulates the other pieces of legislation it covers. The Regulatory action policy is currently under review. The data protection guidance will be published after the Brexit transition period ends, so it has been drafted accordingly.
The guidance seeks to:
- set out the nature of the ICO’s various statutory powers and to be clear and consistent about when and how it uses them;
- ensure that it takes fair, proportionate and timely regulatory action to guarantee that individuals’ information rights are properly protected; and
- assist delivery of the goals set out in its Information rights strategic plan and uphold information rights effectively for individuals in the digital age.
By issuing the guidance, the ICO says that it is:
- fulfilling its statutory obligation to provide guidance about to how it proposes to exercise its functions in connection with information, assessment, enforcement and penalty notices;
- providing guidance as to how it plans to secure that privileged communications which it obtains or has access to in the course of carrying out its functions are used or disclosed only so far as necessary for carrying out those functions, and to provide guidance in how it proposes to comply with restrictions and prohibitions on obtaining or having access to privileged communications which are imposed by an enactment; and
- fulfilling its statutory obligation to produce and publish a document specifying the amount of the penalty for a failure to pay the data protection fees required under section 137 of the DPA 2018.
The consultation ends on 12 November 2020.
