The ICO has published a draft Regulatory Action Policy (“Policy”) on 28 June 2018 available here, supplementing its Information Rights Strategic Plan for 2017-2021 (here) and International Strategy for 2017-2021 (here). This Policy provides an overview of how and to what extent the ICO will use its newly expanded regulatory enforcement powers provided by the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”).

The Policy will be subject to Parliamentary consideration and approval before coming into effect. This is anticipated in the first half of the year and the Secondary Legislation Scrutiny Committee has listed the Policy in its Instrument of Interest.[1]

The key highlights of the Policy are summarised below.

ICO Enforcement Powers:

Amongst other helpful points, the draft Regulatory Action Policy clearly sets out the powers of the ICO, including to:

  • conduct assessments of compliance with the data protection legislation, PECR, e-IDAS, NIS, FOIA and EIR;
  • apply for a court order requiring compliance with an information notice issued under the DPA;
  • conduct assessments of cross-border data transfers and corporate groups’ binding corporate rules;
  • oversee data protection impact assessments;
  • conduct audits and assessments under the IPA and other information rights legislation;
  • oversee the establishment of data protection certification mechanisms;
  • encourage development of codes of conduct, and accrediting bodies to monitor compliance with codes of conduct;
  • require a data controller or digital service provider to inform an individual of a personal data breach;
  • issue a warning where proposed action threatens non-compliance with data protection legislation;
  • issue practice recommendations and decision notices under FOIA and EIR;
  • issue a reprimand for infringements of relevant data protection legislation;
  • certify contempt of court should an authority fail to comply with an information notice, decision notice or enforcement notice under FOIA and EIR;
  • administer fines by way of penalty notices in the circumstances set out in clause 155 of the DPA;
  • issue codes of practice required under the legislation covered by the ICO;
  • administer fixed penalties for failing to meet specific obligations (e.g. a failure to pay the relevant fee to the ICO); and/or
  • prosecute criminal offences before the courts.

Further to the above, the ICO may issue the following notices:

Information Notices A formal request for a controller, processor or individual to provide information to the ICO, assisting them with an investigation. An “urgent” information notice requires controllers or processors to provide information within 24 hours.
Assessment Notices A notice issued by the ICO to a data controller or data processor to allow the ICO to investigate whether the controller or processor is compliant with data protection legislation. For example, a notice may require the data controller or data processor to give the ICO access to premises and specified documentation and equipment. An “urgent” “no-notice” or “short” notice assessment notice can also be issued where necessary.
Enforcement Notices A request for an individual or organisation to take specific actions to resolve breaches (including potential breaches) of data protection legislation and other information rights obligations. An “urgent” enforcement notice requires action to be taken within 24 hours.
Penalty Notices Sanctions for a breach of information rights or legislation. Penalty Notices will generally be reserved for the most serious cases, involving willful, deliberate or negligent acts, or repeated breaches of information rights obligations.

Factors Considered by the ICO

When deciding the most appropriate regulatory action to take, the ICO will consider several mitigating and aggravating factors, such as the:

  • Nature and seriousness of the breach or potential breach
  • Categories of personal data affected
  • Number of individuals affected
  • Whether the issue raises new or repeated issues
  • Duration of the breach or potential breach
  • Potential harm and level of intrusion caused by the breach
  • Possibility for the breach to be repeated
  • Mitigation costs and public interest
  • Action taken by other enforcement authorities
  • Whether there is indication of conduct being willful, intentional, negligent, or unlawful
  • Adherence to the advice or guidance of the ICO and/or the Data Protection Officer
  • Action taken to mitigate or minimize damage to the affected individuals
  • Adherence to a code of conduct
  • Prior regulatory history
  • Vulnerability of affected individuals
  • Manner in which the ICO was notified of the issue (such as self-reporting)
  • Financial benefits to the organization from the breach


The ICO have pointed towards a regulatory space for individuals and organisations (against whom the ICO is considering taking enforcement action) to make “representations”. This opportunity for an organisation to comment on the ICO’s regulatory action is likely only to be applicable where the enforcement is at the upper end of the scale and appropriate to do so. However, it represents an ICO commitment to, where appropriate, allow organisations to mitigate enforcement action through “representations”.

International and Inter-Regulatory Cooperation

Where a case includes cross-border information flows, the ICO will liaise with supervisory authorities outside of the UK in line with its International Strategy. This will assist the ICO in determining the type of regulatory response and assist with investigations. The ICO will also cooperate with other authorities within the UK, such as the National Cyber Security Centre, other NIS Directive competent authorities, law enforcement, sector regulators, and consumer regulators. This aims at minimizing burdens on controllers in assisting with investigations, such as information requests.

Annex included in the previous version

Interestingly, between the 4 May and 28 June 2018 the Information Commissioner’s Officer (“ICO”) launched a draft version of the Policy for consultation (available here). In this previous version of the policy the ICO set out key priorities for 2018- 2019 in an Annex.

These priorities were:

  1. Large scale data and cyber security breaches involving financial or sensitive information
  2. AI, big data and automated decision making
  3. Web and cross device tracking for marketing (including for political purposes)
  4. Privacy impacts for children (including Internet of Things connected toys and social media / marketing apps aimed at children)
  5. Facial recognition technology applications
  6. Credit reference agencies and data broking
  7. Use and sharing of law enforcement data, including intelligence systems
  8. Right to be forgotten/erasure applications

However, following the consultation, the ICO removed the Annex from the draft Regulatory Action Policy.

Where does this leave the ICO’s Priorities?

Despite not including the Annex in the current version of the policy document the ICO included a hierarchy of regulatory action in their draft Regulatory Policy. This hierarchy emphasises that:

Breaches involving novel or invasive technology, or a high degree of intrusion into the privacy of individuals, without having done a full Data Protection Impact Assessment and taken appropriate mitigating action and/or which should have been reported to the ICO21 but was not, can also expect to attract regulatory attention at the upper end of the scale.”

Additionally, the ICO has published the following strategies and plans:

These provide insight into the ICO’s priorities for the coming years. Broadly speaking, these strategies and plans, do echo to a large extent, the priorities in the Annex subsequently removed from the draft Regulatory Action Policy.

Next Steps:

The Policy will be subject to Parliamentary consideration and approval before coming into effect in line with s160 DPA.

Once the Regulatory Action Policy is approved, it will be published on the ICO’s website and subject to regular review. The Policy will be updated to reflect changes to e-Privacy and relevant considerations once the final Brexit settlement has been confirmed.

[1] Secondary Legislation Scrutiny Committee Fortieth Report, 13 September 2018,