In December 2021, the ICO released its revised draft Regulatory Action Policy (RAP); revised draft Statutory Guidance on Regulatory Action; and draft Statutory Guidance on PECR Powers, proposed to replace the ICO’s existing RAP and statutory guidance.
The 2021 draft RAP restates the ICO’s commitment to a risk-based enforcement approach, as set out in the current RAP (2018), but provides greater clarity and detail on what it takes into account when considering regulatory action. The 2021 draft RAP outlines how the ICO supports and enables innovation and growth for compliant organisations, and clarifies how the ICO prioritises its workload given limited resources and the ongoing impact of COVID-19.
Meanwhile, the revised draft Statutory Guidance on Regulatory Action sets out the factors taken into account by the ICO when considering whether to take enforcement action and what would be an effective and proportionate response to a breach of data privacy laws. The proposed aim of penalty notices remains the same as in the current RAP: “to ensure compliance with legislation and information rights obligations” (omitting the punitive focus of the 2020 draft guidance).
The revised draft guidance allows the ICO to bring enforcement action based on a broader range of circumstances (e.g. in response to low-impact breaches affecting a high volume of individuals, or breaches involving ‘harm’ such as embarrassment). There are additional aggravating factors, with a notable focus on high-risk infringements involving a substantial level of privacy intrusion, novel or invasive technology, the processing of special category data, or effects on critical national infrastructure. This is consistent with recent enforcement action against ‘high risk’ processing by Mermaids and HIV Scotland in 2021.
Additional mitigating factors include an organisation’s full cooperation with an investigation (by the ICO as well as organisations such as the NCSC), early notification, past compliance with relevant regulatory or security standards as well as proactive steps taken to ensure future compliance post-incident – a further reminder to data controllers of the importance of thorough responses, investigations and remedial actions. It is also worth noting the EDPB’s recently adopted Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, which provide practical examples of when to notify a data breach and “advisable measures” to take to mitigate cyber risk (see our post on the draft guidelines). Although EDPB guidelines are no longer binding on the UK, the ICO has noted that they remain a useful reference.
The 2021 draft guidance sets out nine steps for the ICO to determine the recommended penalty amount (an increase on the five set out in the current RAP). These include detail on, for example, the use of turnover to determine the starting range for a penalty (echoing the approach of the EDPB), the consideration of “relevant financial circumstances” when the subject of a penalty is not commercial in nature, and when the ICO will take into account the parent group’s turnover where the relevant data controller is a subsidiary. The nine steps also include an assessment of the economic impact of a potential enforcement action on the data controller. Interestingly, the 2021 draft guidance omits the step in the current guidance that adds an amount to the penalty calculation purely as a deterrent to others (however, dissuasiveness is still considered in the calculation of a penalty).
The 2021 draft guidance outlines that the ICO will convene a panel to decide whether the proposed fine is effective, proportionate and dissuasive, in cases where the fine exceeds £5m or in circumstances where the ICO believes such measures are “likely to cause a very significant financial impact on the recipient’s business model”. It remains to be seen what evidence of likely financial impact would prompt the ICO to convene a panel, and whether this results in penalty reductions or in greater transparency and consistency across ‘big’ cases.
The revised draft guidance maintains the current position that the ICO does not propose to obtain or access legally privileged material (but clarifies that this applies regardless of whether such material relates to data protection legislation). The guidance sets out that the ICO can only accept a full and unconditional waiver of privilege, which will no doubt be an early test for data controllers in any investigation (and is perhaps less flexible than the approach of some other regulators).
The draft Statutory Guidance on PECR Powers essentially restates (in clearer terms and a more accessible format) the ICO’s guidance on monetary penalties (2015). The ICO has included a new section on officer penalties, clarifying its powers to pursue and fine the individuals behind nuisance marketing operations.
The ICO has said that it will review the updated draft RAP and Statutory Guidance “as and when appropriate to reflect any new legislative and regulatory reforms, in particular the outcome of the ‘Data: a New Direction’ reform proposals.” The consultation on the drafts closes on 24 March 2022, with final versions of the documents expected by the end of 2022, though the way many of the proposals draw on recent case experience suggests they will be relevant in practice before then.