The world of data protection enforcement is like a rollercoaster, but without the screaming, wind-in-your-hair or [vomit] vibes.

Confused? Well, consider this: they are both comparatively fast-paced and hard to predict. There are many twists and turns, many peaks and troughs, and quite a lot of surprises, jolts and bumps. Data protection enforcement by the ICO has really changed in the past 5 years as a change in Commissioner (a bit like a change of football managers) brought about new tactics and a shifting focus. Many have said the ICO has regressed significantly in that time to a minor regulator; others have said it has become refreshingly pro-business and is clear about what it stands for. Add all of this into the real-world mix of dramatic geo-political changes, economic uncertainty, relentless development of tech and data sharing and the unstoppable march of AI, and hopefully the rollercoaster metaphor starts to make sense.

At the centre of this peculiar rollercoaster is a simple, but quite long, policy explaining how the rules of enforcement work. Formerly called the Regulatory Action Protocol (“RAP”), the policy explains how the ICO decides to start investigations, what factors it takes into account, what its enforcement powers are and how it goes about deciding to punish organisations or individuals in breach of the law. We assembled a veritable group of experts to help consult on this new draft policy, which is being renamed the Data Protection Enforcement Guidelines (perhaps the new ICO doesn’t like to RAP 😊) Our focus as a group was quite straightforward, much like the policy. We wanted to make sure that it is as simple as possible, easy to use and clear. We have set out in this document our response to the ICO in the expectation that our work will help improve an already well drafted and well thought-through policy. Perhaps the biggest takeaway from most of those involved in the process was this simple yet profound reflection from 1 of the group: “the ICO has way more power than I thought, and barely seems to use any of it”. Food for thought.

Thank you once again to the amazing contributors who surrendered their time to join in, debate and discuss all of the areas of regulatory enforcement thrown up by this exercise. We left few stones unturned. Your input challenged the status quo, helped to expand the horizons of everyone involved and gave rise to enjoyable, productive and sometimes fiery debate. I am – as always – very proud of your work and contribution and I hope you are too. Well done for taking part in an exercise that will help to shape the framework of enforcement, probably for the next 10 years.

Yours

Matthew Holman