More than a slap on the wrist? The ICO’s new policy on publishing reprimands 

More than a slap on the wrist? The ICO’s new policy on publishing reprimands 

Before now, the ICO has published enforcement notices, fines, and summaries of audit reports on their website. However, in December 2022 they announced that they would also begin routinely publishing ‘reprimands’ unless there was a good reason to refrain from doing so.

What are reprimands?

A reprimand is a written letter stating that the ICO believes an organisation has failed to meet its obligations under the GDPR. It is usually accompanied by a list of reasons for the decision and recommended steps that an organisation should take.

Stephen Eckersley, ICO Director of Investigations said:

While fines may grab people’s attention, every one of these reprimands represents a time we have taken action to raise data protection standards. The time we helped a local council improve its cyber security, or when we warned a telecommunications company to improve its responses to the public when asked for personal information held about them, or the time we protected people’s data by ordering the police to improve how they handle victims’ personal information.

Ultimately, we want to be transparent with the public when we hold a business or organisation to account and what they need to do to improve their practices.

The ICO have made this move to not only bolster their enforcement toolkit but to also help the wider economy learn from published reprimands. With greater access to read about where an organisation has failed to comply with data protection laws, they hope it will help others understand what exactly went wrong and what they need to do should they happen to be in a comparable situation themselves.

Becky White, Senior Data Protection & Privacy Solicitor comments:

Organisations should be aware that the action of the ICO publishing a formal statement that the GDPR has been infringed could result in reputational damage which can be just as costly, if not more so, than a fine.  This may also create a foundation for aggrieved data subjects to bring compensation claims in Court.

If you would like to achieve compliance with UK GDPR and data protection laws with a clear action plan, training and support, take a look at our newly launched Data Protection Health Check service. Or contact one of our expert Data Protection Solicitors ready and waiting to support your business.

About our expert

Becky White

Becky White

Senior Data Protection & Privacy Solicitor
Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.  

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry