Following on from our first blog post, which gives a 101 guide and background to the EU GDPR (if you haven’t read it, you can do so here), this blog post explains the role of the Information Commissioner’s Office (ICO).

Who are the ICO?

The ICO is an independent UK Supervisory Authority, who in July 2016 appointed Elizabeth Denham as the Information Commissioner. The ICO promotes openness of official information and protection of private information, and its role is to uphold information rights in the public interest. Each country within the European Union has a Supervisory Authority, and even though the UK opted to leave, the ICO will remain the Supervisory Authority for the UK.

Why do I need to know about the ICO?

If you are a Data Controller, then you are required to register with the ICO. Businesses will have to report data breaches that pose a risk to individuals to the ICO, and in some cases to the individuals affected. If you’re contacted by the ICO as a result of a complaint or data breach, then you are required to show the policies, procedures, processes and preventative measures employed by your company.

If you are an individual (a “data subject”), then the ICO is the Supervisory Authority to which you report a concern about the way your privacy is being managed by an organisation. The ICO publishes on its website details of any cases that have resulted in action being taken, both for public oversight and because, as a public authority, it needs to be transparent about that action.

If you are a Data Processor, the GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.

What Powers do the ICO have?

If a complaint from an individual (data subject) is upheld, the ICO has the power to issue fines, as quoted in the media, of up to €20m or 4% of the guilty company’s global annual turnover (whichever is the greater). An article on The Register by John Leyden on 28th April 2017 reports that analysis by NCC Group showed that fines from the Information Commissioner’s Office against UK companies last year would have been £69m rather than £850,500 if the pending General Data Protection Regulation had been applied (source:

Given the magnitude of the EU General Data Protection Regulation (GDPR), it is almost inevitable that the ICO will continue to publish details of any action it has taken against companies where individuals (“data subjects”) have raised concerns. Its strategic approach (as detailed in its 2017-2021 Strategic Plan) states its commitment to:

  • lead the implementation and effective oversight of the GDPR and other live data protection reforms
  • explore innovative and technologically agile ways of protecting privacy
  • strengthen transparency and accountability and promote good information governance; and protect the public in a digital world.

If the companies named are of interest to the public, then rest assured that the media will also report on these actions. DOING NOTHING IS NOT AN OPTION!

Contact us today to find out about our staff training and consultancy options to help you prepare for compliance with the EU GDPR.

Our next blog post talks about some of the EU GDPR definitions and terminology you should become familiar with, which you can read here.

