People will have 14 weeks to comment on three documents, which are all designed to give direction and focus to the organisations it regulates.
The Regulatory Action Policy (RAP) updates the ICO’s 2018 policy and sets out the regulator’s general approach. It reinforces the ICO’s commitment to a proportionate and risk-based approach to enforcement, and it explains the factors taken into consideration before taking regulatory action such as monetary penalties, stop-processing orders or compulsory audits.
It also sets out how the ICO promotes best practice and ensures compliance and how it works with other regulators.
The RAP covers all 11 pieces of legislation that the ICO is responsible for including the UK GDPR, Data Protection Act 2018, Freedom of Information Act and the Privacy and Electronic Communications Regulations which cover nuisance calls, texts and emails.
Statutory Guidance on our Regulatory Action focusses on the sections in DPA 2018 that specify the ICO’s legal obligations to publish guidance to help organisations navigate the law. It also explains how the ICO uses its statutory powers to investigate and enforce UK information rights legislation.
Statutory Guidance on our PECR Powers explains how the ICO uses its statutory powers to enforce the data protection legislation relating to electronic communications like nuisance calls, emails and texts. The guidance focusses on the ICO’s powers to issue monetary penalty notices on a person, or an officer of a body, for data protection failures in respect of the PECR. This is a power that has recently been incorporated into law.
Taken together, these three documents set out how the ICO aims to carry out its mission to uphold information rights for the UK public in the digital age.
Chief Regulatory Officer James Dipple-Johnstone said:
“Information rights have never been more important or impactful. Now more than ever, we support innovation and economic growth, but both require the public to have trust in the way their personal information is used.
“We are focussed on promoting best practice and compliance but, where it is necessary, we will exercise a fair and proportionate approach to enforcement action.”
The ICO is inviting comments about how it exercises its regulatory responsibilities and statutory powers from individuals and organisations. Contributing views is easy through an online survey or via email. You can get more detailed information about the documents and how to feed back on the ICO website. Responses to the documents will be considered before final publication.
While the UK Government is considering changes to the current data protection regime, the ICO will continue to update its policies when it is both necessary and appropriate. The three documents, which are being consulted on, reflect the current regulatory landscape and are not time limited.
Publication of final documents, which is expected by the end of 2022, will be overseen by the new UK Information Commissioner. The Statutory Guidance documents must also be ratified by the Secretary of State for Digital, Culture, Media and Sport before being laid to Parliament.