ICO Funding Update

Oliver Rear shares his thoughts on the ICO's fine income retention agreement.


Will the Paper Tiger get some real teeth?

If you are a Privacy Professional or Practitioner you will have no doubt spent the last week or so ruminating on the UK government’s response to the public consultation on the upcoming Data Reform Bill.

We certainly have at DPP; we even spoke about it at length on our latest episode of the Data Protection Made Easy Podcast, which you can catch up on here: Data Protection Made Easy Podcast.

But in and amongst this was a slightly less flashy announcement relating to the ICO’s funding which may have flown under the radar of some.

The update in question is that going forwards the ICO will now be able to retain a certain amount of the funds which they recover through enforcement action to further their activities.

This announcement comes at an interesting time considering that the independence, structure and governance model of the ICO is a key aspect of the Data Reform Bill consultation.

So this begs the question, what does this funding agreement mean for our regulator?

The first step here is to understand the ICO’s current funding model. While this could constitute a significant piece in and of itself and many will have a better understanding than I do, the core premise is that the ICO is funded through the data protection fee and government grants.


Taken directly from the ICO’s website:

“Data protection fees
From 1 April 2019 to 31 March 2020, the ICO projects that it will collect roughly £46,560,000 through the data protection fee. In 2018/19, the ICO collected £39,256,000 million in fee income.

The ICO’s regulation of other legislation is funded by grant-in-aid. The ICO is projected to receive £4,626,000 total grant-in-aid from April 2019 to March 2020, compared to £4,300,000 in 2018/19.”

So essentially the majority of the ICO’s funding is determined by statute (namely the Data Protection (Charges and Information) Regulations 2018).

The benefit of this is that it provides a clear and enforceable framework for the ICO; however, this does mean that the charges are fixed and more difficult for the ICO to alter should this need to be changed to keep up with the changing landscape of business and data protection in the UK.

While the exact nature of the funding agreement does not seem to have been disclosed yet, it seems to us that it can only be positive for the ICO to have another funding stream, especially one which appears to be both more flexible than the existing statutory power and more independent than the existing government grants.

It is important to note at this juncture that not all of the funds recovered will be available to the ICO.

As it stands, the amount which the ICO can retain is capped at £7.5M.

However, this is significant as the ICO has not recovered this amount in fines in a single year since 2018. This might seem surprising considering the headlines down the years of fines totalling tens of millions of pounds handed out to the likes of BA and Marriott, but the truth is that a lot of these fines have been reduced on appeal or have had payment plans agreed which have limited information.

We can be certain that since 2018 the ICO has recovered £7,399,000 in fully paid fines averaging £1,479,800 a year. For context, these figures are derived from information published by the ICO which you can consult here: https://ico.org.uk/action-weve-taken/the-icos-work-to-recover-fines/

So, at the time of writing the ICO has possibly not even recovered a full £7.5M since 2018, let alone recovered this in a single year.

Considering the discrepancy between the amounts recovered and some of the attention-grabbing headlines we mentioned earlier, it seems like a given that more funding being invested in the ICO’s litigation resources (as they suggest in the announcement of this agreement) can only be a positive move. Further, an additional £7.5M a year in funding would potentially represent a roughly 17% increase in funding over the year.

This will also surely be beneficial in promoting and maintaining the independence of the ICO by guaranteeing a more flexible income stream free from the statute. On the other hand, this agreement may not be as dependable as existing arrangements, so we will have to await the exact nature of the agreement to be published, but overall this feels like a step in the right direction.

The other question which might be prompted in response to this is whether it provides the right kind of incentive to our regulator. Might they be encouraged to start handing out fines more aggressively, or simply start handing out bigger fines in the interest of their funding goals rather than actually trying to further their strategic objectives and guarantee the rights of individuals?

This seems like a stretch to me. There are defined processes in place for the ICO’s strategic goals and fine structures as well as clear messaging from our new Commissioner about supporting the rights of individuals; therefore it seems unlikely that this new avenue for funding would suddenly cause a 180-degree turn in this respect.

Regardless of this, the question ultimately seems redundant to me: more enforcement can only be beneficial irrespective of the intention. Fines may not be the best driver for compliance but there are still far too many organisations who disregard GDPR compliance, let alone those content with a tick-box approach. So, from my perspective this can only be a good thing, to have a regulator more empowered to bring organisations to account.

Some may disagree with me on this (and if you do, come along to our next GDPR Radio to pull me up on it) but many have been bandying around the paper tiger of ICO fines for a while now, so it surely can’t hurt for it to gain some more tangible teeth?

If this news has got you worried about the compliance of your organisation you probably needn’t panic, but you can still get in touch with DPP to discuss the options available to you on 0113 869 1290.

Written by Oliver Rear, House Consultant, Data Protection People.