The Information Commissioner’s Office (ICO)

The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO is responsible for:

• Promoting good practice in handling personal data and giving advice and guidance on data protection.
• Ensure data controllers pay the appropriate data protection fee and provide and update basic information about their firm.
• Helping to resolve disputes by deciding whether it is likely or unlikely that an organisation has complied with the GDPR when processing personal data.
• Taking action to enforce compliance with GDPR, where appropriate.
• Bringing prosecutions for offences committed under GDPR (except in Scotland, where the Procurator Fiscal brings prosecutions).

Under GDPR data controllers must pay the ICO a data protection fee unless they are exempt. The new data protection fee replaces the requirement to ‘notify’ or (register) under the DPA. Since all firms hold responsibilities under GDPR, the ICO requires less information than was required under the DPA.

Data controllers must provide:

• The name and address of the controller
• The number of members of staff the firm has
• The turnover for the financial year
• Any other trading names the firm has
• Contact details for the person completing the fee registration process and the Data Protection Officer (if the firm is required to have a member of staff with that particular designation under GDPR).

Actions

The ICO issues monetary penalties of up to £500,000 to those who have broken the Data Protection Act 1998 or breached the terms of the Privacy and Electronic Communications Regulations (PECR). Serious breaches will be met with direct action and failure to comply with the law might lead to enforcement action.

The ICO serves assessment notices to organisations that aren’t willing to work harmoniously with the ICO and are at risk of breaching the Data Protection Act. The office is also responsible for appeals made under the Environmental Information Regulations 2004.

International responsibilities

As well as carrying out duties in the UK, the ICO also co-operates with international data protection authorities, including the European Commission. This co-operation involves:

• Sharing information
• Investigation of complaints
• Working alongside partners to improve understanding of data protection laws and provide guidance where necessary

In the EU, the ICO works across all areas, including police and judicial co-operation, justice and freedom, and security. The ICO is part of the Article 29 Working Party, which represents each of the 28 EU data protection authorities, as well as Iceland, Liechtenstein and Norway.

How does the ICO support the GDPR?

The European Parliament, Council and European Commission’s aim for the General Data Protection Regulation is to unify data protection, making it more robust and secure for people within the European Union.

Elizabeth Denham, UK Information Commissioner, acknowledges that many people still question how GDPR will fit in with the UK leaving the EU. But she stresses that it’s still important to comply with GDPR. The ICO will work alongside the government to remain central in conversations about UK data protection law in the future and provide advice where necessary.