GDPR in practice: ICO enforcement powers

The potential for high fines under the GDPR has attracted considerable publicity, but in practice the Information Commissioner's Office (ICO) has many more enforcement tools available. These are set out in the Data Protection Act 2018 (DPA).

The DPA gives the ICO power to issue four types of notice:

  • information notices (s.142)
  • assessment notices (s.146)
  • enforcement notices (s.149) and
  • penalty notices (s.155).

Information notices

An information notice requires a controller or a processor to provide information that the commissioner reasonably requires to carry out their functions.

It can also require "any person" to provide information reasonably required for the purpose of investigating a range of compliance failures or for determining whether the personal or household processing exemption applies.

Law firms in particular should note that there is no general exemption for legally privileged or confidential material.

There are restrictions in relation to information in respect of communications between a professional legal adviser and the adviser's client in connection with legal advice about obligations, liabilities and rights under data protection legislation.

There are corresponding protections for communications in connection with and for the purpose of proceedings under such legislation. Similar restrictions apply in relation to assessment notices.

Assessment notices

An assessment notice gives the ICO exceptional powers. It may require a controller or processor to allow the ICO to enter premises, be directed to documents and equipment, examine them, be given copies and explanations, observe processing and interview staff.

Enforcement notices

Enforcement notices can be issued where the ICO is satisfied that one of four types of compliance failure is occurring. Failures relating to monitoring bodies and certification providers will not affect law firms.

Where a solicitor or a law firm acting as a controller (or, exceptionally, as a processor) fails to comply with the main provisions of the GDPR or fails to comply with regulations governing charges payable to the commissioner, they could be issued with an enforcement notice.

An enforcement notice will require you to take specified steps, to refrain from taking specified steps, or both.

Penalty notices

Penalty notices may be issued in respect of the same compliance failures on the part of controllers or processors that can attract an enforcement notice.

Responding to enforcement action by the ICO

You may wish to consider your proposed response to enforcement action by the ICO - particularly its powers to take urgent action. For example, some organisations have designated response teams as part of their general contingency planning.

The ICO has published a Regulatory Action Policy so that organisations can predict how the ICO will exercise its functions in connection with information notices, assessment notices, enforcement notices and penalty notices.

The ICO will consider each case on its merits but also acknowledges that 'as a general principle, the more serious, high-impact, intentional, wilful, neglectful or repeated breaches can expect stronger regulatory action'.

You can appeal to the First-tier Tribunal (General Regulatory Chamber) against:

  • an information notice
  • an assessment notice
  • an enforcement notice
  • a penalty notice
  • a penalty variation notice

Appeals must generally be brought within 28 days.