The ICO publishes details of enforcement action that they have taken, as well as periodic commentary on the lessons to be learned. These enforcement actions include prosecutions, monetary penalties, enforcement notices and as of earlier this year, reprimands. These decisions are published on the ICO's website and the reprimanded organisation is named.
The power of the ICO to issue reprimands is tucked away at Article 58(2)(b) of the UK GDPR. This corrective power takes the forms of a written statement from the ICO confirming that it considers that the organisation concerned has infringed provisions of the UK GDPR. The decision is published in full and sets out the reasons for the decision as well as making recommendations as to actions that the organisation should take and any aggravating or mitigating factors. The organisation may then be required to report back to the ICO within a certain timeframe to confirm the steps it has taken in order to correct the non-compliance.
From our review of the most recent decisions, it is clear that the ICO will issue reprimands to organisations of all shapes and sizes from local councils, private companies of all sizes and other public bodies such as police forces. These decisions show a particular concern with the measures taken by organisations to secure their data and the response to cyber incidents when they take place.
In accordance with Article 5(1)(f) provides that personal data shall be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisation measures." This is the "integrity and confidentiality" principle. Article 32(1)(b) also states “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
The recent decisions show that the ICO are willing to issue reprimands where they have not been satisfied with the technological and security measures taken by organisations of all sizes. The infringements referred to in recent reprimand decisions include:
- No clear "Bring Your Own Device" policy.
- Inadequate account lock-out policies.
- A failure to have multi-factor authentication in place, particularly on Remote Desktop solutions.
- A failure to have a suitable contract with an external IT provider that defined adequately security responsibilities or the level of security required.
The ICO also takes into account the nature of the organisations' business and where, for example, it includes financial transactions, additional security measures such as MFA or formal accreditations (such the NCSC's Cyber Essentials) are expected.
For data controllers, the publication of reprimands increase the potential for negative publicity as well as the risk of reputational damage in the event that the ICO take the view that the security measures in place prior to the incident and/or that the organisation's response to the incident were not adequate. However, it is clear that the ICO's intention behind their decision to publish not only enforcement action, but reprimands, is that all organisations may learn from the mistakes of others, encourage behaviour change and avoid any such infringements. As such, the reasoning and recommended actions set out in the ICO's decisions will provide useful information for data and security teams keen to avoid getting on the wrong side of the regulator.
