Until now, the ICO has published enforcement notices, fines, and summaries of audit reports on its website. However, in December 2022 it announced that it would also begin routinely publishing ‘reprimands’ unless there was a good reason to refrain from doing so.
What are reprimands?
A reprimand is a written letter stating that the ICO believes an organisation has failed to meet its obligations under the GDPR. It is usually accompanied by a list of reasons for the decision and recommended steps that an organisation should take.
Stephen Eckersley, ICO Director of Investigations, said:
While fines may grab people’s attention, every one of these reprimands represents a time we have taken action to raise data protection standards. The time we helped a local council improve its cyber security, or when we warned a telecommunications company to improve its responses to the public when asked for personal information held about them, or the time we protected people’s data by ordering the police to improve how they handle victims’ personal information.
Ultimately, we want to be transparent with the public when we hold a business or organisation to account and what they need to do to improve their practices.
The ICO has made this move not only to bolster its enforcement toolkit but also to help the wider economy learn from published reprimands. By giving greater access to details of where an organisation has failed to comply with data protection laws, it hopes to help others understand exactly what went wrong and what they need to do should they find themselves in a comparable situation.
Becky White, Senior Data Protection & Privacy Solicitor, comments:
Organisations should be aware that the action of the ICO publishing a formal statement that the GDPR has been infringed could result in reputational damage which can be just as costly, if not more so, than a fine. This may also create a foundation for aggrieved data subjects to bring compensation claims in Court.
If you would like to achieve compliance with UK GDPR and data protection laws with a clear action plan, training and support, take a look at our newly launched Data Protection Health Check service. Or contact one of our expert Data Protection Solicitors ready and waiting to support your business.