The Information Commissioner’s Office will consult in January on a new policy document to lay out when it will act and when it will administer sanctions, the Information Commissioner Elizabeth Denham has said.
Speaking at the St John Ambulance headquarters in central London yesterday, Denham said the updated regulatory action plan would be laid before parliament in time for the introduction of the General Data Protection Regulation in May next year.
The GDPR, stringent new European data-protection rules, will give the ICO the power to fine organisations responsible for data-protection breaches, including charities, up to €20m (£17.9m) or 4 per cent of annual global turnover, whichever is larger.
The policy, Denham said, would show how the ICO would use the new tools and sanctions it had been granted.
"The regulatory action policy will explain to you how, when and in what circumstances the ICO will act," she said, adding that charities and other interested parties would have the chance to comment on the new document in January.
The ICO has fined 13 charities in the past 12 months for breaches of data-protection rules. Denham has previously said that she personally stepped in to reduce the fines by 90 per cent.
Yesterday she defended the decision to issue the fines, which totalled more than £180,000. She said she had hoped that the mere fact of the fines would serve as a warning to charities that practices needed to change, but she had chosen to reduce them to minimise the impact on donors.
She said: "It was a tough decision and there are many who criticised us from both sides, but it was a shot across the bow, something for the sector to look at and use to review its practices."
Denham said the task facing the data-protection community was "awe-inspiring and immense". She likened trying to improve data-protection compliance while preparing for the GDPR, just as Brexit negotiations were taking place, to "trying to change a tyre on a moving car, while it is going round a roundabout and has just burst into flames".
But she said the most pressing issue for the ICO was the retention and recruitment of staff. She said the data watchdog had lost about 30 per cent of its policy and technical staff as people took up lucrative jobs as data-protection officers at organisations that wanted to prepare for the GDPR.
Denham said she had called on the government to release the ICO from the 1 per cent public sector pay cap to enable it to attract more staff and focus on offering advice and support to organisations such as charities.
Attendees at the event asked what effect data-protection rules that require charities to notify people they have processed their data would have on organisations that wanted to research major donors before contacting them.
Emma Bate, general counsel at the ICO, agreed with Helena Wootten, a partner at the law firm Browne Jacobson, who said charities might be able to rely on the concept of legitimate interest for such processing, if they could prove it did not override the rights of the individuals and if it was something the potential donor might reasonably expect to happen.
Bate said charities would need to be transparent when they did make contact with potential donors and assess whether they were happy with such processing being carried out.