Consultant Abigail Healey examines the ICO’s approach to GDPR reprimands in Compliance Week

March 10, 2023

Consultant Abigail Healey comments on the ICO’s approach to GDPR enforcement and transparency, and questions its role as a deterrent.

Abigail’s comments were published in Compliance Week, 8 March 2023, and can be read here.

As with most developments, there are positive and negative aspects, and whether it ultimately helps or hinders only time will tell. Until recently, reprimands were hardly used by the ICO and were largely confidential in nature. Reprimands that were published were done so on an ad hoc basis, which has led to uncertainty and, no doubt some may feel, unfairness.

The development is unlikely to have a chilling effect on communications with the regulator in the context of more serious breaches. If anything, it should encourage organisations to ensure accuracy in all communications with the regulator, given the need to educate the ICO as to the issue but also to ensure that it is presented in a way which is accurate yet puts the organisation in the best possible light. It may lead to more upfront time and costs being incurred in providing more detailed information in circumstances where there has likely been a breach but it would unlikely be serious enough to warrant enforcement action.

One can see that organisations may be less inclined to self-report in circumstances where it is borderline as to whether self-reporting is necessary. The view that previously may have been “if in doubt, self-report”, may change to organisations grappling with whether it really is strictly necessary. This will also likely lead to more time and costs being incurred obtaining specialist advice. It doesn’t necessarily follow, though, that less self-reporting is a bad thing. The regulator is already stretched, and if it has the effect of weeding out more trivial issues, that may not be unhelpful from the regulator’s perspective (though more of a headache for the compliance team).

A published reprimand is certainly likely to have far more serious consequences for an organisation and so, in that respect, may act as a deterrent and, it could therefore be said, aid compliance. A published reprimand will likely have a reputational impact. It will also likely lead to a greater likelihood of compensation claims being brought by affected data subjects. While a court would not be bound by the determination of the ICO, a written communication from the regulator indicating that there has been a breach is likely to be persuasive.

Query, though, whether the publication of the reprimands will have the desired effect of helping GDPR compliance as the ICO intends. The reasoning of the ICO is that reprimands have a deterrence effect by bringing wrongdoing to light to discourage others from making the same mistakes. Yet many breaches are fact specific – be that to the organisation, individuals involved, technology and organisation processes, etc. Unless third parties are going to delve into the detail, it is difficult to see how lessons can be learned at first blush. It would be far better, if there are trends or developments which need bringing to the attention of others, that the ICO issue general guidance.

It is likely that it will increase the workload of an already stretched regulator who should (one would hope) take great care in its communication if it is to be published to the world at large. That is all the more so given one can see that those organisations with deeper pockets will in future trawl through the published reprimands as a means of distinguishing those situations from their own.

There is no process in the GDPR or DPA 2018 governing how the ICO issues a reprimand.

For more serious enforcement action, the ICO must give formal, prior notice to that organisation and allow them to make representations before action is taken.

That has not, to date, happened with reprimands (and see comments above re likely effect being that organisations will have to front load their efforts with the regulator going forward). It is entirely unsatisfactory for an organisation to be served with a reprimand which is published without prior warning, the right to make representations and without an effective route to challenge the outcome. If the ICO makes a mistake, any rectification will be too late for the organisation: the damage will have been done.

There would have to be greater clarity as to the process and an opportunity for the organisation to make representations, for the process to be fair. Additional guidance would also be welcome as to the circumstances – or parameters – of when a reprimand may be appropriate. Previously, an organisation may have been in the realms of a neutral fact finding investigation by the ICO to then receiving a reprimand. Greater clarity is needed.

Despite reprimands being part of the GDPR (Art 58(2)(b)), each European country and authority adopts a different approach – and that goes for the level of information in the public domain about enforcement generally, not just reprimands. Many supervising authorities take the approach of only making public the most serious breaches and fines levied.