The Role of the Information Commissioner’s Office (ICO) in Relation to the GDPR

The Information Commissioner’s Office (ICO) is the independent regulatory office in charge of upholding information rights in the interest of the public. The organisation covers the following:

• Data Protection Act
• Freedom of Information Act
• Privacy and Electronic Communications Regulations (PECR)
• Environmental Information Regulations
• INSPIRE Regulations
• The re-use of Public Sector Information Regulations

What does the ICO do?

Under the Data Protection Act 1998, all organisations that process personal information must register with the ICO, who publish the names and addresses of the data controllers. They also include a description of the type of processing each organisation performs. If your organisation processes personal data, failure to register with the ICO is against the law.

Complaints procedure

Every year, the ICO receives tens of thousands of complaints, enquiries and written concerns. Part of their role is to improve information rights practices for organisations, which is done by reviewing and investigating issues raised by the public. Each concern is recorded and in some cases, the ICO will collect data on similar problems or other issues associated with the organisation when deciding on the best solution.

Actions

The ICO issues monetary penalties of up to £500,000 to those who have broken the Data Protection Act 1998 or breached the terms of the Privacy and Electronic Communications Regulations (PECR). Serious breaches will be met with direct action and failure to comply with the law might lead to enforcement action.

The ICO serves assessment notices to organisations that aren’t willing to work harmoniously with the ICO and are at risk of breaching the Data Protection Act. The office is also responsible for appeals made under the Environmental Information Regulations 2004.

International responsibilities

As well as carrying out duties in the UK, the ICO also co-operates with international data protection authorities, including the European Commission. This co-operation involves:

• Sharing information
• Investigation of complaints
• Working alongside partners to improve understanding of data protection laws and provide guidance where necessary

In the EU, the ICO works across all areas, including police and judicial co-operation, justice and freedom, and security. The ICO is part of the Article 29 Working Party, which represents each of the 28 EU data protection authorities, as well as Iceland, Liechtenstein and Norway.

How does the ICO support the GDPR?

The European Parliament, Council and European Commission’s aim for the General Data Protection Regulation is to unify data protection, making it more robust and secure for people within the European Union.

Elizabeth Denham, UK Information Commissioner, acknowledges that many people still question how GDPR will fit in with the UK leaving the EU. But she stresses that it’s still important to comply with GDPR. The ICO will work alongside the government to remain central in conversations about UK data protection law in the future and provide advice where necessary.

Following a survey published in 2017, the ICO produced its first piece of guidance to help explain to organisations how they can comply with the existing Data Protection Act in addition to the GDPR. The survey revealed that only one in four people trust businesses to handle their information.

With this data in mind, the new code of practice outlines how companies should explain to customers how their information is being used. But the guidelines warn business leaders that they need to be transparent with their customers if they want to regain their trust and see success in the digital economy post-Brexit.

Need help getting your business ready for the GDPR? Find all the information you need in our resources collection including training.