ICO sets priorities for regulatory action

In its draft Regulatory Action Policy, the ICO promises to continue its existing enforcement style based on education and encouraging compliance rather than being an overly strict enforcer. It says that it aims to ‘be effective, proportionate, dissuasive and consistent in our application of sanctions, targeting our most significant powers for organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data; where formal regulatory action serves as an important deterrent to those who risk non-compliance with the law.’

As per the UK Data Protection Act 2018, an ‘urgent’ information notice may be used in appropriate cases to require a response in no less than 24 hours. If the recipient of an information notice does not provide a full and timely response, the ICO may apply for a court order requiring compliance with the information notice. An ‘urgent’ assessment notice may require access to non-domestic premises with less than 7 days’ notice, which in effect may allow the ICO to carry out a no-notice inspection.

When deciding on the level of fines, aggravating or mitigating factors will be taken into account, for example, the attitude and conduct of the individual or organisation concerned.

Read more about the ICO’s new inspection powers in the next issue of PL&B UK Report, due to be published on 20 July. Subscribe now here.

The ICO welcomes comments on its draft Regulatory Action Policy by 28 June.


There will be two speakers from the ICO at PL&B’s Conference in just over a week from now:

  • Judith Jones, Group Manager, Central Government Team, ICO on The new aspects of the Data Protection Act 2018 and how the Act relates to the GDPR
  • Nigel Houlden, Head of Technology, ICO, in sessions on Artificial Intelligence and Blockchain

Plus a presentation by Eduardo Ustaran, Partner, Hogan Lovells, UK: The first big fine: Who will get it and how to avoid it.