Insights Information Commissioner’s Office consults on how it uses its powers to investigate, regulate and enforce


The ICO has launched a consultation to gather the views of stakeholders and the public on how it regulates the laws it monitors and enforces.

The ICO’s Regulatory Action Policy (RAP) updates the ICO’s 2018 policy and sets out the regulator’s general approach. It reinforces the ICO’s commitment to a proportionate and risk-based approach to enforcement, and it explains the factors taken into consideration before taking regulatory action such as monetary penalties, stop-processing orders or compulsory audits.

It also sets out how the ICO promotes best practice and ensures compliance and how it works with other regulators.

The RAP covers all 11 pieces of legislation that the ICO is responsible for including the UK GDPR, Data Protection Act 2018, Freedom of Information Act 2000 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which cover nuisance calls, texts and emails.

Statutory Guidance on the ICO’s Regulatory Action focusses on the sections in the 2018 Act that specify the ICO’s legal obligations to publish guidance to help organisations navigate the law. It also explains how the ICO uses its statutory powers to investigate and enforce UK information rights legislation.

Statutory Guidance on the ICO’s PECR Powers explains how the ICO uses its statutory powers to enforce the data protection legislation relating to electronic communications such as nuisance calls, emails and texts. The guidance focusses on the ICO’s powers to issue monetary penalty notices on a person, or an officer of a body, for data protection failures in respect of the PECR. This is a power that has recently been incorporated into law.

Taken together, these three documents set out how the ICO aims to carry out its mission to uphold information rights for the UK public in the digital age.

The ICO is inviting comments about how it exercises its regulatory responsibilities and statutory powers from individuals and organisations. The consultation closes on 24 March 2022. To read the ICO’s press release in full and to access the consultation, click here.