The Information Commissioner's Office (ICO) consulted on a new regulatory action plan earlier this year. At the time, it said it would seek to "encourage and reward compliance" in the way it applies its regulatory powers.
The consultation exercise attracted 80 responses, which the ICO has summarised. The watchdog has since updated its draft plan, which is now subject to parliamentary approval.
The regulatory action plan would apply to the ICO's activities under a range of legislation, including the General Data Protection Regulation (GDPR), the UK's new Data Protection Act, the Privacy and Electronic Communications (e-Privacy) Regulations and the Freedom of Information Act.
"This policy sets out a risk-based approach to taking regulatory action against organisations and individuals that have breached the provisions of the data protection, freedom of information and other legislation," the ICO said in its revised action plan. "As with earlier versions of the policy it focusses on areas of highest risk and most harm and the principles we apply in exercising our powers."
"The ICO’s approach is designed to help create an environment within which, on the one hand, data subjects are protected, while ensuring that, on the other hand, business is able to operate and innovate efficiently in the digital age. We will be as robust as we need to be in upholding the law, whilst ensuring that commercial enterprise is not constrained by red tape, or concern that sanctions will be used disproportionately. We will work with others where it makes sense to do so, and where joint application of activity can achieve the best result and protection," it said.
The range of measures available to the ICO, according to its action plan, includes "observation, intelligence gathering and monitoring", auditing, investigation and the issuing of fines or other sanctions.
The policy explains how the ICO intends to calculate the level of penalty to apply when businesses suffer a data security breach, and the circumstances in which businesses can expect the fine to be high.
"Generally, the amount will be higher where: vulnerable individuals or critical national infrastructure are affected; there has been deliberate action for financial or personal gain; advice, guidance, recommendations or warnings (including those from a data protection officer or the ICO) have been ignored or not acted upon; there has been a high degree of intrusion into the privacy of a data subject; there has been a failure to cooperate with an ICO investigation or enforcement notice; and there is a pattern of poor regulatory history by the target of the investigation," the ICO said.