ICO opens consultation on its regulatory role

ICO opens consultation on its regulatory role

January 13th, 2022 Posted in Compliance, Data Protection

On the 20th December, the Information Commissioner’s Office (“ICO”) requested feedback from the general public on three documents: the Regulatory Action Policy (“RAP”), Statutory Guidance on Regulatory Action and Statutory Guidance on Privacy and Electronic Communications Regulations (“PECR”) Powers. Combined, these documents describe how the ICO aims to uphold information rights for the UK public in the digital age. 

This request offers organisations and members of the public the opportunity to share their opinion on how the ICO regulates, monitors and enforces data protection law. Through the consultation, the ICO aims to improve its regulatory approach.  

Notably, the call for feedback swiftly follows the publication of the Government’s proposals for a new data regulation regime. You can read our latest blog on this here: UK Government’s DCMS Consultation: Data, a new direction. This features high-level recommendations for the future role of the ICO, such as expectations for it to work within the strategic priorities set out by the Department for Digital, Culture, Media and Sport and under the leadership of an independent board and chief executive officer.  

Background on the ICO’s invitation for comments

The ICO initially published the RAP in September 2018, following the implementation of the General Data Protection Regulation (“GDPR“) and Data Protection Act (“DPA“), whilst the UK was still part of the European Union. At first, the RAP was a single document with statutory guidance included. This document explained how the ICO promoted best practices, enforced compliance and its relationship with other regulators.  

A year later, after a review, the ICO separated the statutory guidance from the RAP, creating two documents: the RAP and statutory guidance on the ICO’s regulatory action (pursuant to its obligations under s160 DPA 2018). 

In the newest iteration, the ICO proposes breaking down the RAP once more to feature a new piece of guidance called the statutory guidance on the ICO’s PECR powers (pursuant to its obligations under s55C DPA 1998). This guidance will replace the preceding statutory guidance: ‘Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the DPA 1998’. 

The new ICO documentation: how it regulates the laws it monitors and enforces

These three documents aim to inform both people and organisations (who collect, use, store and share data) about the ICO’s duties to promote compliance and monitor and enforce UK data protection legislation.  

Here is an overview of each of the proposed document updates: 

  • The RAP: This sets out the ICO’s general regulatory approach, including best practices. It focuses on all 11 pieces of legislation that the ICO is responsible for, such as the UK GDPR, Data Protection Act 2018, Freedom of Information Act and the PECR, which cover nuisance calls, texts and emails. In line with this, the RAP explains the ICO’s approach to enforcement, including factors it will consider prior to taking regulatory action.  
  • Statutory Guidance on Regulatory Action: This covers the sections of the DPA 2018 that focus on the ICO’s legal obligations to draft and distribute guidance and best practices that assist organisations in complying with data protection law. It also provides further information about the ICO’s rights and powers to investigate and enforce UK information rights legislation.   
  • Statutory Guidance on PECR Power: This new document details how the ICO uses its statutory powers to implement data protection legislation surrounding electronic communications – things like nuisance calls, emails and text. The guidance centres on the ICO’s capabilities to issue monetary penalty notices to individuals or organisations for failing to comply with PECR.  

Next steps

If you are interested in submitting feedback, you can do so through the ICO’s online survey or by emailing RAPenquiries@ico.org.uk. Please note that the consultation will close at 5:00 pm on 24th March 2022. 

As evalian’s Senior Data Protection Consultant Sandra May, notes: “In this digital world, where we are all at risk of our personal data being misused, it is vital that we have confidence in the ICO to uphold our information rights in a fair and proportionate way. Whether or not you are satisfied with the ICO’s present approach and whether you are a member of the public or a company representative, responding to the ICO’s consultation is an ideal way to provide your feedback and help shape the way in which the ICO will investigate, regulate and enforce data protection law in the future.” 

It is worth noting that, at this time, the Government is considering more comprehensive reforms to the UK data protection regime. However, as the ICO notes in its call for a consultation, the body will continue reviewing and updating its policies as it deems necessary.  

Publication of the final documents is expected towards the end of 2022. The Statutory Guidance documents will also need to be ratified by the Secretary of State for Digital, Culture, Media and Sport prior to being laid to Parliament. 


Technology photo created by rawpixel.com – www.freepik.com – edited by evalian
Sandra May

Written by Sandra May

Sandra is an experienced senior data protection consultant and is a designated DPO for Evalian™ clients. Sandra spent much of her career as a litigation lawyer and over the last ten years has been focusing on specialising in data protection. Sandra's qualifications include BCS Practitioner Certificate in Data Protection, ISEB Certificate in Data Protection, as well as being a FCILEx (Fellow of the Chartered Institute of Legal Executives).