By Patrick Wheeler, ECTA Data Committee Vice-Chair, Partner, Collyer Bristow LLP, UK (Assisted by Zoë Dekker, Trainee Solicitor, Collyer Bristow LLP, UK)

Following Brexit, the General Data Protection Regulation (GDPR) no longer has direct effect in the UK. In its place, a UK version of GDPR was introduced under the Data Protection Act 2018. The wording of the UK law is for most purposes a mirror image of the EU GDPR. However, the interpretation of the law in the UK is not bound by EU decisions, and the approach of the UK Information Commissioner differs in a number of respects from the approach taken in various EU countries and regions.

A new UK Information Commissioner, John Edwards, was appointed in January 2022. Following a period of consultation with businesses, organisations and the public, the Information Commissioner’s Office (ICO) announced they would be changing their approach to data breaches committed by public bodies.

The new approach to enforcement sits within the ICO’s new three-year strategy - ICO25 - which focuses on “Empowering you through information.” The key objectives are to:

1. Safeguard and empower people
2. Empower responsible innovation and sustainable economic growth
3. Promote openness, transparency and accountability; and
4. Continuously develop the ICO's culture, capability and capacity

It is noticeable that, both before and after the introduction of UK GDPR, a lot of the enforcement actions, including fines, were taken against national and local government bodies, National Heath trusts and other public institutions. In many cases fines were imposed to punish and deter persistent breaches of data protection laws.

The ICO’s new enforcement strategy will be defined by transparency, proportionality, and accountability. The idea is to “regulate for outcomes”. A “graduated” response to non-compliance will take account of the circumstances of the specific breach and any mitigating steps taken. The ICO will draw on its wider powers including warnings, reprimands, compliance orders and bans on processing before resorting to fines.

While fines have been “headline-grabbing”, they have given rise to concerns about the funding structures for public bodies. Fines are paid out from the monies available for the provision of services to the public, so higher fines mean a reduction in service provision. There is also limited evidence that fines are an effective deterrent in the long-term.

Instead, the ICO would like to use other enforcement measures as a way of correcting bad practice through education, and a means to build cooperation and trust.

Another change is to the degree of publicity that the ICO’s enforcement measures will be given. Until now only the more serious measures, including fines, have been published on the ICO website. In November 2022 it was announced that retroactively from January 2022, the ICO will be publishing all reprimands that it issues, alongside enforcement notices and fines. The published information will include the name of the organisation, the duration of the infringement, and the scale and number of data subjects affected.

The strategic objective is to focus on the work done by the ICO behind the scenes, principally, disseminating information such as lessons learnt and best practice.

The new Commissioner believes that publishing reprimands will provide greater accountability (as victims of data breaches have the right to know the bodies are being held to account, and that practices have changed), and that the information will also be of relevance and significance to the rest of the economy. Greater certainty and a more predicable approach to enforcement will lead to more flexibility and innovation, and the increased transparency should provide a greater degree of security to the public, encouraging more confidence in sharing personal data.

Fines will still be used in the most severe cases, particularly where harm was or may have been caused to a person, or where the organisation profited from the non-compliance.

This increased focus on transparency will provide more information for individuals who suffer loss and damage as a result of a data breach to decide whether to pursue claims. Whether the newly published information can be used as evidence of breach of the UK GDPR and the basis of legal action, is yet to be assessed.

-----

The views expressed are those of our members and not necessarily of ECTA as an association. The content has not been subjected to a verification process, the accuracy of the information contained in the article is responsibility of the author.