Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 20 January 2025

The Information Commissioner's Office ("ICO") is the data protection authority in the UK (https://ico.org.uk/).

How active is each of the regulator(s)?

Last review date: 20 January 2025

☒ Moderately active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 20 January 2025

On 14 July 2022, the UK Information Commissioner launched the ICO three year plan, ICO25, which sets out how the ICO will prioritize its work and exercise its regulatory power over the next three years.

ICO25 includes an action plan for the ICO's focus areas, which include areas intended to empower people, such as:

  • reviewing the impact of "predatory marketing calls"
  • reviewing the use of "algorithms within the benefits system"
  • reviewing the impact the use of "AI in recruitment could be having on neurodiverse people or ethnic minorities, who weren't part of the testing for this software;" and
  • "ongoing support of children's privacy," which involves continuing to enforce the ICO's Children's Code.

The ICO has also set out a new strategic approach to regulatory action, for example opting to use reprimands instead of fines on public sector organizations, with all reprimands now being published on the ICO’s website.

The ICO has also started to publish a list of data protection complaints from data subjects, a list of self-reported personal data breaches by data controllers and a list of incidents and investigations regarding cyber-attacks. These lists date back to Q4 2020, and previously were not published on the ICO’s website or publicly available.

As mentioned in ICO25, the processing of children’s personal data continues to be a focus area. Organizations have been required to comply with the ICO’s Age Appropriate Design Code since 2 September 2021. The Code applies to online services "likely" to be accessed or used by a child, which for these purposes is anyone under the age of 18.

In the ICO's 2022-2023 Annual Report, it reported on its progress in the first year of ICO25. In summary, the ICO has focused on "assisting victims of predatory marketing, helping keep children safe online and taking action to support victims of sexual assault" as well as "empowering businesses to use information to invest and innovate through guidance around issues such as game design, emerging technologies and direct marketing."

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 20 January 2025

There is an increased focus on data protection compliance in the context of AI, particularly the use of generative AI; a continued focus on data protection compliance in the context of children's personal data online, in light of the ICO's Age Appropriate Design Code; and a new focus on website cookie compliance.

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

☒ Increasing

Class actions/group actions under data or cyber regulation are:

☒ Rare

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 20 January 2025

There are:

☒ administrative remedies from regulators and law enforcement
These may amount to up to GBP 17,500,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

☒ criminal penalties from regulators and law enforcement

The DPA 2018 contains various criminal offences including offences in relation to:

  • unlawful obtaining of personal data (Section 170 DPA 2018)
  • re-identification of de-identified personal data (Section 171 DPA 2018)
  • alteration of personal data to prevent disclosure to the data subject (Section 173 DPA 2018)
  • destroying or falsifying information and documents (Section 148 DPA 2018)
  • false statements in response to Information Notices issued by the ICO (Section 144 DPA 2018)
  • prohibition of requirement to produce relevant records (Section 184 DPA 2018)

☒ private remedies
Individuals may, for example:

  • file complaints with the data protection authorities
  • claim compensation for material or non-material damage

☒ other

Individuals may sue individually for damages or other remedies, and class actions are also available.

If data subjects have private remedies, what form can these remedies take?

Last review date: 20 January 2025

☒ class actions