On 6 December 2022, the UK Information Commissioner’s Office (ICO) announced that it would publish details of all future reprimands, including those issued from January 2022 onwards, ‘unless there is a good reason not to’. This is part of the ICO’s new strategic approach to regulatory action. The ICO hopes that this will drive behavioural change around UK General Data Protection Regulation (GDPR) compliance and, in parallel, provide organisations and individuals with more certainty about their legal requirements and rights.
What’s a reprimand?
Sitting amongst warnings, fines, enforcement notices and bans on processing, a reprimand is one of the corrective measures the ICO may impose on an organisation when taking enforcement action under Article 58(2) of the UK GDPR. It is a written notice stating that the ICO has concluded that an organisation has not complied with the UK GDPR. A reprimand usually is issued when the ICO believes that there has been an infringement of the UK GDPR, but the infringement is not serious enough to warrant a fine or enforcement notice.
What’s new and what has been published?
Historically, the ICO has published enforcement notices, fines and summaries of audit reports on its website. However, for the most part, it has kept reprimands confidential.
Since the ICO’s change in policy, most of the reprimands have been issued against public sector organisations, but private companies also have been reprimanded.
The contents of a reprimand can be detailed and extensive. For organisations that are issued with a reprimand, this means that some, if not all, of the following information will be made publicly available:
- The name of the organisation subject to the reprimand.
- The reason for the investigation (e.g., inappropriate disclosure to an unwanted party, processing of sensitive personal data or subject access request compliance).
- What the ICO took into consideration in its assessment, including a summary of the issues and any mitigating factors and/or actions already taken by the organisation.
- Details of the reprimand, including any risks and breaches identified by the ICO.
- Further actions recommended by the ICO (e.g., updating documents and processes to improve compliance with UK GDPR).
- Deadlines for achieving the recommended actions.
What is ICO’s intention?
We’ve outlined below several factors contributing to the ICO’s decision to publish reprimands.
The ICO wants to be transparent in how it holds businesses to account and what action it is taking to raise data protection standards in order to drive behavioural change.
Clarity, certainty and predictability
The ICO believes that the reprimands will provide further guidance to organisations on how it applies the law and what it expects from them.
Drawing on the increased certainty point, the ICO hopes that organisations will have a better understanding of the ICO’s parameters and, as a result, can be more flexible in their approach to compliance with the UK GDPR.
What does this mean for the future?
With its change in policy, the ICO may increase its use of reprimands against public and private organisations, which could affect an organisation’s reputation. On the other hand, the publication of reprimands will clarify what the ICO expects of organisations in respect to their data protection obligations. This information can be used to develop and implement innovative, risk-based and proportionate compliance programmes which safeguard against potential legal and reputational threats well into the future.