The ICO is the independent supervisory authority for data protection in the UK. Their mission is to uphold information rights for the public in the digital age. Their vision for data protection is to increase the confidence that the public have in organisations that process personal data.
They offer advice and guidance, promote good practice, monitor and investigate breach reports, monitor compliance, conduct audits and advisory visits, consider complaints and take enforcement action where appropriate. Their enforcement powers are set out in Part 6 of the DPA 2018.
They have also introduced initiatives such as the Sandbox to support organisations using personal data to develop innovative products and services.
Where the provisions of this code overlap with other regulators, they will work with them to ensure a consistent and co-ordinated response.
How does the ICO monitor compliance?
We use this code in our work to assess the compliance of controllers through our audit programme and other activities.
Our approach is to encourage compliance. Where we do find issues, we take fair, proportionate and timely regulatory action to guarantee that individuals’ information rights are properly protected.
How does the ICO deal with complaints?
If someone raises a concern with us about your data sharing, we will record and consider their complaint.
We will take this code into account when considering whether you have complied with the UK GDPR or DPA 2018, particularly when considering questions of fairness, lawfulness, transparency and accountability.
We will assess your initial response to the complaint, and we may contact you to ask some questions and give you a further opportunity to explain your position. We may also ask for details of your policies and procedures, your DPIA, and other relevant documentation. We expect you to be accountable for how you meet your obligations under the legislation, so you should make sure that when you initially respond to complaints from data subjects you do so with a full and detailed explanation about how you use their personal data and how you comply.
If we consider that you have failed (or are failing) to comply with the GDPR or the DPA 2018, we have the power to take enforcement action. We may require you to take steps to bring your operations into compliance or we may decide to fine you, or both.
However, the ICO prefers to work with organisations to find a resolution. Organisations that recognise shortcomings and take ownership of correcting them through a performance improvement plan can avoid formal enforcement action.
What are the ICO’s enforcement powers?
We have various powers to take action for a breach of the UK GDPR or DPA 2018.
Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.
In line with our regulatory action policy, we take a risk-based approach to enforcement. Our aim is to create an environment in which data subjects are protected while organisations are able to operate and innovate efficiently in the digital age. We will be as robust as we need to be in upholding the law, while ensuring that enterprise is not constrained by red tape, or by concern that sanctions will be used disproportionately. The ICO focuses the use of its enforcement powers on cases involving reckless or deliberate harms, and is therefore unlikely to take enforcement action against any organisation genuinely seeking to comply with the provisions of the legislation. Nor does it seek to penalise organisations where a member of staff has made a genuine mistake when acting in good faith and in the public interest; for example, in an emergency situation or to protect someone’s safety.
In an emergency situation, as previously explained, our approach will be proportionate.
The GDPR:
Defines the rights of individuals in the digital age
Outlines the obligations of those processing data
Establishes methods for ensuring compliance
Sets sanctions for those who breach the rules
The GDPR requires organizations to:
Maintain a Record of Processing Activities (RoPA)
Follow strict rules called "data protection principles"
Ensure personal data is used fairly, lawfully, and transparently
Ensure personal data is used for specified, explicit purposes
Ensure personal data is accurate and kept up to date
Ensure personal data is kept for no longer than is necessary
Ensure personal data is handled in a secure way
In the UK, the Information Commissioner's Office (ICO) is responsible for enforcing the GDPR. The ICO provides advice and guidance to organizations and individuals, and has published extensive guidance on its website.
Yes, you need to register with the Information Commissioner's Office (ICO) and pay a data protection fee if you are a business, organization, or sole trader that processes personal data, unless you are exempt:
Who needs to register
You need to register if you use CCTV, or if you carry out accountancy, auditing, debt administration, credit referencing, insolvency, or administration of justice work. Landlords who process personal data for tenancy agreements, credit checks, or references are also required to register.
How to register
You can register and pay the fee online. You will need to provide details such as your name, address, trading name, turnover, credit/debit card details, and number of employees.
How much to pay
The fee depends on the size of the business and turnover, and can range from £40 to £2,900 per year. You need to renew the fee each year.
What happens if you don't register
If you don't register, you could face a fixed penalty of up to £4,000. It could also damage your reputation.
You can check the ICO website to see if you need to register.
ICO helpline
0303 123 1113