ICO publishes reprimands not just fines

January 2023

If you received a regulatory reprimand in 2022 it may now be in the public domain

Until now, organisations only faced the limelight for data protection failings if they received an enforcement notice or fine. Not so anymore: lesser mistakes can now be made public and risk reputational damage.

The ICO has announced it is publishing the details of all reprimands, including ongoing cases and those which don’t result in enforcement action. Details will only remain private if there’s a genuine reason not to publish, such as matters of national security or where publication could jeopardise an ongoing investigation.

The change is backdated to January 2022, which means we’re set to hear the details of twenty-eight reprimands issued last year on the ICO’s reprimands web page.

With any ICO enforcement action, organisations are expected to improve their data protection practices, and the ICO routinely conducts follow-ups to make sure its recommendations are properly implemented.

What impact will publishing reprimands have?

The impact is likely to be two-fold. There’s now more chance of negative publicity, but there’s also more opportunity to learn from the mistakes of others.

Any organisation which suffers a reportable data breach, or is investigated by the ICO for other reasons, wants to avoid unnecessary publicity which could harm its brand image. But organisations can no longer expect confidentiality, even if the ICO decides not to take enforcement action over a data breach or privacy violation.

With more information of this nature out in the public domain (even when there’s no fine or other enforcement action), those organisations are more exposed to potential reputational damage, something we should all consider when evaluating privacy risks.

However, this increased transparency and detail about reprimands will be incredibly useful for privacy and information security teams. We’ll be able to see where organisations were found wanting and what measures are needed to meet the ICO’s standards.

For example, how did Company A fail to fulfil Data Subject Access Requests? How did Company B manage to disclose personal data without authorisation? And most importantly what actions does the ICO recommend?

In theory at least, we should gain a better understanding of the ICO’s expectations in specific situations and what acceptable solutions look like, giving us more certainty.

For the general public, the change provides information about the ICO’s approach to regulating their information rights, so they become better informed to speak out about poor practices and raise complaints when appropriate.

The Information Commissioner, John Edwards, summed up why the ICO made this change:

‘Whatever regulatory action we take, whether it is a reprimand or a fine, its value goes far beyond the individual organisation. Every regulatory action must be a lesson learned by the rest of the economy and play a role in behaviour change.’

So the message is clear. The information is out there to help you learn the lessons. And if you suffer a reportable data breach or ICO investigation, you should not expect the details to remain confidential.

This move to publish reprimands comes alongside the ICO’s new approach to the public sector. Fines will only be issued to public sector organisations in the most serious of cases. The ICO wants to work more closely with public authorities, encouraging compliance with data protection law to prevent harms before they happen. The problem with fines is that they hit the public purse and are essentially paid by the taxpayer.

 

Data Protection Officers – should we appoint a DPO?

August 2020

I’m still regularly asked the question, ‘Do you think we should appoint a DPO?’.

GDPR introduced a requirement for certain organisations to appoint a Data Protection Officer. Their role is to advise the business on data protection requirements and obligations, monitor compliance and act as a contact point for individuals and data protection regulators (such as the ICO).

The role of a DPO has been well documented elsewhere, but what seems to cause the most confusion are these questions:

  • Does my organisation need to appoint a DPO?
  • If not, would we be well-advised to appoint one anyway?
  • Can I outsource this role?

So, let’s work through these questions.

Which organisations need to appoint a DPO?

The requirements for organisations to appoint a DPO are clearly laid out on the ICO website and by other Supervisory Authorities in other jurisdictions, so we won’t repeat their advice here. But let’s pick out a few key points.

Firstly, you NEED to appoint a DPO if:

  • you are a public authority or body (except for courts acting in their judicial capacity); or
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

You should remember the requirements apply to both controllers and processors.

And if you don’t need to appoint a DPO?

Even if your organisation is not obliged to appoint a DPO, you still need to make sure you have ‘sufficient staff and resources to meet the organisation’s obligations under the GDPR’. So, you need to give thought to how you will achieve this. For example who will…

  • train your staff on data protection & privacy?
  • advise your business functions on data protection obligations and good privacy practices?
  • ensure appropriate people (e.g. function heads) are held accountable for the processing conducted by their teams?
  • make sure any new processing, or changes to processing, are properly assessed?
  • create & maintain your Records of Processing Activities (RoPA)?
  • monitor compliance?
  • act as the liaison point for your staff, customers and others whose data you process, and for any queries / complaints from Regulators?

The conclusion some organisations have come to is to appoint a DPO, whether it’s strictly necessary or not. Whilst many organisations chose to create a new role, others chose to appoint an existing employee to the role. It’s important to ensure their other duties don’t conflict with their obligations under the DPO role.

Others have chosen not to appoint a DPO but have made sure there is a person or team in the business responsible for data protection compliance, for example a Privacy Manager.

It is worth noting that if you do appoint a DPO, this is a unique role. The GDPR sets out specific tasks a DPO is responsible for, and the organisation has a duty to support the DPO to help them fulfil these responsibilities (see GDPR Articles 37-39).

For example, the DPO must be independent, must be an expert in data protection, must be adequately resourced and must report to the highest management level.

How about an outsourced DPO?

It’s become quite popular to outsource the DPO role to an external supplier, particularly for businesses which are subject to budget pressures, perhaps as a result of COVID-19.

Outsourcing can be an efficient lower cost option, particularly for small to medium sized businesses, enabling them to bring in specialist resources on a retainer without the difficulties and expense of recruiting a permanent employee.

There are other benefits of outsourcing this role:

  • Clearly defined job function & boundaries
  • A qualified and experienced person (hopefully!) with access to other supporting resources
  • Independence – prevents the risk of conflicts of interest which can plague internal resources, e.g. having to juggle DPO obligations alongside other duties
  • Support is ‘on-tap’ when you receive a Subject Access Request or if you suffer a data breach
  • Access to third party templates, policies and processes
  • Onsite or remote working

The best option will very much depend on the size and nature of your business and the types of data you’re processing.