The Information Commissioner’s Office in the UK (the “ICO”) last week published, for consultation, draft statutory guidance setting out how it will regulate and enforce data protection legislation in the UK. The consultation sets out all of the ICO’s key powers (including information notices, assessment notices, enforcement notices and penalty notices).

The consultation briefly discusses the treatment of privileged material. Perhaps most interestingly for organisations, it also sets out for the first time the ICO’s approach to how it calculates fines under the GDPR, giving organisations a better sense of the level of fine to which they could be subject for GDPR non-compliance.

This consultation will be of interest to banks and financial institutions, already subject to attention from the financial services regulators in this space, who may find themselves facing not only parallel inquiries and information requirements, but separate sanctions. The consultation does not explicitly discuss the possibility of “double jeopardy”, although it stresses that the proportionality of any action and its economic impact will be relevant considerations in assessing penalty.

The ICO and the Financial Conduct Authority (the “FCA”) signed a Memorandum of Understanding (“MoU”) in February 2019, updated in light of the GDPR. In addition to continuing the existing cooperation between the ICO and the FCA through the exchange of information, and determining which of the two bodies is best placed to lead investigations of mutual interest, the MoU:

  • agrees that in the case of a major incident of mutual interest at an FCA-regulated firm, both will work together in line with an agreed incident protocol to secure the best customer outcomes and ensure incidents are dealt with in a coordinated and efficient way;
  • notes that where an investigation is to be carried out by both regulators, both investigations will usually proceed in parallel, although they will consider whether the particular circumstances suggest that one investigation should proceed before the other; and
  • notes that if a decision is made by either to take action against a subject, they should consider whether it is possible and would be appropriate to co-ordinate publication of applicable enforcement announcements (so that both parties publish the outcome of their investigations simultaneously).

For a fuller summary of the consultation, see our Data Notes on "How to calculate a GDPR fine – the proposed ICO way". Responses to the ICO's consultation are required by 5pm on Thursday 12 November 2020.
