The Information Commissioner’s Office (ICO) has published a summary of the reprimands it issued in the second quarter of the year, April to June 2023. These reprimands shed light on the areas of data protection where organisations across the public and private sectors have fallen foul of the UK GDPR, and they are instructive as to how organisations can improve their practices. This post focuses on three key lessons drawn from them.

Background

When enforcing the UK GDPR, the ICO can impose a range of corrective measures. A reprimand is a written notice confirming that an organisation has failed to comply. Reprimands are typically issued for less serious infringements that do not warrant further action. The ICO can follow up with an organisation that has received a reprimand to establish what corrective measures it has taken and, where it considers this appropriate, can take further enforcement action. Now that reprimands are published, they can also affect an organisation’s reputation.

During the second quarter of 2023, the ICO took several types of enforcement action: nine reprimands, seven monetary penalties, six enforcement notices and one prosecution. Reprimands were the most frequently used measure, and because each one sets out the reasons for which it was issued, they serve a dual purpose: enforcement against the recipient, and guidance for other organisations.

Key takeaways from the Q2 2023 reprimands

  1. Policies and Staff Training for Personal Information Handling
    Several organisations were reprimanded for inappropriately disclosing personal information. These incidents were largely the result of inadequate processes and policies and insufficient staff training. To prevent similar incidents, the ICO recommends that organisations take the following steps:
    • a. Review and update data protection policies, procedures and guidance, with emphasis on detecting and reporting personal data breaches.
    • b. Provide comprehensive training to staff responsible for redactions and disclosures, so that they understand the importance of safeguarding personal information.
    • c. Implement technical and organisational measures to improve the security and confidentiality of internal emails containing personal information, particularly sensitive or special category data.
  2. Timely Response to Data Subject Access Requests (DSARs)
    Reprimands were also issued for failing to respond to DSARs within the statutory timeframe. The ICO suggests that organisations:
    • a. Familiarise themselves with the statutory requirements for responding to DSARs and ensure compliance with them.
    • b. Develop streamlined processes for handling DSARs promptly, meeting the one-month response deadline, which may be extended by up to a further two months where requests are complex or numerous.
    • c. Prepare proactively for DSARs by following the ICO’s guidance and keeping up to date with best practice.
  3. Implementing a Data Protection by Design and Default Approach
    During the second quarter, the ICO reprimanded some organisations for introducing apps that unlawfully captured personal information. This underlines the importance of building data protection principles into the development and deployment of any app, product or service that processes personal data. Earlier this year, the ICO released comprehensive guidance on “Privacy in the product design lifecycle”, which covers the suggestions below in more depth:
    • a. Adopt a data protection by design and default approach from the earliest stages of app development.
    • b. Ensure that the means and methods of processing comply with data protection law before the app is deployed.
    • c. Issue comprehensive data protection guidance to staff on use of the app and require them to confirm that they have understood it and will comply.

Conclusion

The ICO’s most recent reprimand, issued on 25 July, contained another salient lesson: organisations must implement appropriate organisational and technical security measures. Together with those issued over the past three months, it provides valuable lessons for organisations seeking to comply with the UK GDPR.