We would like to place strictly necessary cookies and performance cookies on your computer to improve our website service.
To find out more about how we use cookies and how you can change your cookies settings, please read our  cookies statement.                
Otherwise, we'll assume you are OK to continue.   Please close this message

The UK ICO’s report on the impact of Monetary Penalties: a sign of more to come?

29 July 2014

The UK Information Commissioner's Office (ICO) recently commissioned research in to the impact of Civil Monetary Penalties (CMPs). 

The findings were published in a report last month.

In brief:

  • CMPs are "effective in achieving the overarching objective of improving data protection compliance".
  • After a CMP, organisations "took their data protection obligations seriously" and "revised practices and policies and increased staff training". Data protection was also given a "higher profile, with greater senior management buy-in".
  • The study confirmed that this positive impact was "extended to 'peer' organisations, where CMPs had a wider impact as a useful deterrent and an incentive to 'get it right the first time'. Many organisations reported that they had "changed their data protection practices and policies as a result of hearing about CMPs being issued to other organisations". 
  • The ICO's website was the most common source of information regarding CMPs that had been issued (57%); followed by 'word of mouth' (47%) and media reporting (45%).
  • The majority of respondents received bad press as a result of a CMP, with most reporting that the negative publicity was "short-lived". Almost 70% of those surveyed said that the ICO should do more to publicise CMPs it issues for breach of the Data Protection Act 1998.
  • Some respondents suggested ways the ICO could work with organisations to support them to comply with their data protection obligations post-CMP; the ICO said it could "explore whether there is scope to extend the ICO's assessment notice powers to oblige such organisations to undergo an audit".
  • It was suggested that the ICO could do more to publicise "success stories", resulting from the issuing of CMPs. The ICO agreed that this "would help demonstrate the value of CMPs more widely".

Overall the impact of CMPs on organisations' data protection compliance are overwhelmingly positive; having effect not only on the infringing organisations but also on other organisations that hear about the CMPs via the media or word of mouth.

The ICO's powers are set to increase under the proposed general data protection Regulation and also this September when the ICO will have the power to conduct non-consensual audits on public bodies.

Could this report, therefore, signal the beginning of significantly increased enforcement action by the regulator?

This article was written by Janine Regan.

For more information contact Janine on +44 (0)20 7427 6798 or janine.regan@crsblaw.com