What Is The ICO Responsible For?

Alex Franch
July 15, 2023

Table of Contents

What is the Information commissioner's office?

The ICO is the UK’s independent authority responsible for upholding the information rights in public interests and data privacy of individuals. To elaborate, the major aim of the ICO is to ensure that the rights of individuals over their own data is duly respected and protected. It further promotes transparency in the functioning of an organisation with regard to personal data. It ensures that businesses involved in the processing of the data should respect the rights of the individuals. As an independent regulator, it oversees the different aspects of data protection like providing a forum to register complaints about any privacy concerns, facilitating registration of controllers, providing guidance on data protection and use of technology as well as taking action against those who violate the rights of data subjects or individuals.

Responsibilities of the ICO

The ICO is responsible for:

Promoting good practice in handling personal data and giving advice and guidance on data protection.

Ensure data controllers pay the appropriate data protection fee and provide and update basic information about their firm.

Helping to resolve disputes by deciding whether it is likely or unlikely that an organisation has complied with the GDPR when processing personal data.

Taking action to enforce compliance with GDPR, where appropriate.

Bringing prosecutions for offences committed under GDPR (except in Scotland, where the Procurator Fiscal brings prosecutions).

International Responsibilities

Apart from carrying out duties in the UK, one of the major responsibilities of the ICO is to cooperate with the International data protection authorities including the European Commission. The cooperation involves:

Investigation of complaints

Sharing Information

Working alongside partners to improve understanding of data protection laws and provide guidance where necessary

The ICO cooperates across all areas including justice and judicial cooperation, freedom, security and policing in the EU. The ICO is part of the Article 29 Working Party, which represents each of the 28 EU data protection authorities, as well as Iceland, Liechtenstein and Norway.

What legislation does the ICO enforce?

The Information Commissioner oversees the enforcement of 11 separate pieces of legislation, including GDPR. The ICO can be consulted when it comes to enforcing the PECR and Data Protection Act 2018 alongside GDPR.

What powers does the ICO have?

The ICO can enforce a wide range of actions right from issuing financial penalties to conducting spot-checks of regulatory compliance, issuing urgent information notices and warnings. It has the power to launch prosecution and apply for court orders enforcing compliance with a previously issues information notice.

A wide range of factors is taken into consideration while determining the measure to take. The ICO takes a selective and highly flexible approach while regulating an organisation. Generally, the actions are decided on a case by case basis. The quantum of harsh penalties highly depends upon the willingness of an organisation to cooperate along with the previous compliance efforts. To elaborate, conducting data protection impact assessment on regular basis, steps taken to mitigate any harm like data breach etc. Several aggravating and mitigating factors are also taken into account.

How does the ICO enforce GDPR?

Imposing monetary penalty is the most prominent way to enforce GDPR. ICO will take a reasonable and reserved approach to enforce GDPR, and will only issue the maximum fines if entirely necessary to dissuade negligence or future non-compliance. The Information Commissioner has the power to issue monetary penalties for any infringement. Under the Data Protection Act there are two tiers of penalty for an infringement:-1. Higher Maximum:-  The higher maximum amount, is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Standard Maximum:- The standard maximum is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Have you received a letter from the ICO about paying a data protection fee?

In case you have received a letter from ICO for payment of data protection fee, the first thing you do is Relax! The ICO has been writing since the introduction of GDPR  to companies it believes are liable for the annual fee and are not on their public register of fee payers.

To ensure that the communication you’ve received a letter, text message, email or telephone call from us is not a scam relating to the payment of the data protection fee you can check its authenticity by searching ‘ICO fee’ using your usual search engine. Follow the top results to website links which begin with https://ico.org.uk, and this will bring you to our official website. To assess whether you need to pay or not click here.


This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.

Alex Franch is the co-founder and CEO of Privasee. With a background in computer science and cybersecurity, it is no surprise that he is a highly analytical problem solver; now putting these skills to use within the data privacy space. Alex is passionate about GDPR, and productivity and spends a lot of time doing sports as he values the importance of having a work-life balance. He is excited to help businesses generate documentation, and become and maintain GDPR compliance through the Privasee platform.

Get Compliant in <1 Hour

Are you Fully GDPR Compliant?

Ensure your policies are always up to date with Privasee, an AI powered GDPR compliance solution that does it all.