How the ICO measures GDPR compliance

Whenever someone mentions the GDPR (General Data Protection Regulation), one of the first things they discuss is the potential for huge fines that it brings.

But there’s no universal system for monitoring compliance and handing out fines. Rather, each EU member state elects a supervisory authority to take on that responsibility. In the UK, this is the ICO (Information Commissioner’s Office).

What is the ICO?

The ICO is a non-departmental public body that’s responsible for overseeing data protection laws in the UK. This includes the GDPR, the Freedom of Information Act and the PECR (Privacy and Electronic Communications Regulations).

Why would the ICO investigate your organisation?

There are several circumstances in which the ICO will investigate an organisation under the GDPR.

The first is when an organisation suffers a data breach. If the organisation followed the GDPR’s notification requirements, it will have reported the incident to the ICO within 72 hours of discovery. The ICO will use this information to assess what happened, where the organisation may be non-compliant and how rigorous its investigation needs to be.

If the organisation didn’t meet the GDPR’s notification requirements, things get a lot more serious. Data breaches rarely stay hidden for long, so the ICO will become aware of the incident sooner or later, whether it’s alerted to it by a researcher or member of the public, or the incident otherwise becomes public knowledge.

The ICO is almost certainly going to treat the failure to report the incident as a sign that there are further areas of non-compliance. As such, it’s far more likely to launch a thorough investigation.

Investigations aren’t only a product of data breaches. An organisation can also be investigated when the ICO receives a complaint about its data processing practices. The ICO advises individuals to speak to the organisation directly before submitting a complaint, but if the two parties can’t come to an agreement, the ICO will get involved.

This might involve instructing the organisation to fulfil the individual’s request or ruling in favour of the organisation. However, if the complaint is serious, the ICO will investigate further.

The ICO’s enforcement powers

As with all GDPR supervisory authorities, the ICO can levy fines of up to €20 million (£18 million) or 4% of the organisation’s annual global turnover, whichever is greater.

Last year, Information Commissioner Elizabeth Denham wrote: “Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But we intend to use those powers proportionately and judiciously.”

What the ICO means by that remains to be seen, because it has not yet issued any penalties under the GDPR. However, most experts agree that the maximum penalties will be reserved for egregious or repeated errors.

Denham added that “while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.”

The alternatives that she refers to are enforcement actions. These are measures the ICO takes to ensure the organisation becomes compliant. This often begins with a compliance audit, which the ICO uses to set short-term compliance goals that the organisation is expected to meet.

How can IT Governance help?

The complexities of the GDPR mean it’s essential for anyone who handles personal data to receive professional training. If not, they could easily find themselves accidentally violating the GDPR’s requirements and possibly causing a data breach.

You can avoid that fate by enrolling on our Certified EU GDPR Foundation Training Course.

Alternatively, contact us now for our GDPR audit service, and get independent, professional assurance that your data protection programme and practices comply with the GDPR and DPA.