The ICO’s 2018 Hit List… so far

Wednesday 18th July 2018

During the first six months of 2018 the Information Commissioner’s Office (ICO) has concluded 11 prosecutions, issued 23 monetary penalties and 12 enforcement notices for a range of non-compliances and failures by companies of all sizes.

Half of the enforcement notices were for failures to respond to a Subject Access Request. With the GDPR strengthening the rights of individuals, this highlights the importance of businesses being able to respond promptly and correctly to any requests. However, businesses only need to take the steps which are required to comply with the law. The GDPR does not give carte blanche to individuals exercising their rights and to protect your business you need to be aware of the limits on your obligations. This can be a tricky balancing act.

The monetary penalties, between £1,000 and £400,000, were for a variety of reasons but the majority were because of a failure by companies to comply with specific electronic marketing rules.

The Privacy and Electronic Communications Regulation (PECR) sits alongside the Data Protection Act 2018 and the GDPR. PECR imposes more stringent obligations on businesses who send electronic marketing to individuals. PECR is due to be replaced with a new Privacy and Electronic Communications Regulation.

As for the concluded prosecutions, the ICO secured convictions against 11 individuals and companies. In one case, a company and its director were successfully prosecuted for failing to respond to an Information Notice. At Bolton Magistrates Court, both the company and director were fined for this failure.

In another case, a director was prosecuted as his company was processing personal data electronically without a valid entry on the Data Protection Register. The ICO was satisfied that the company had committed the offence with the consent, connivance or neglect of the director, so he was personally charged with an offence.

This is a stark reminder to company directors that they are exposed to personal criminal liability for any failures by their companies to comply with data protection legislation.

For further information visit our Regulatory & Compliance page.