Security News > 2021 > December > UK watchdog's punishment for Blackbaud, Easyjet, other big privacy lawbreakers was slap on the wrist in private

The astonishingly mild sanction was revealed in a Freedom-of-Information response after senior data protection specialist Jon Baines at London law firm Mishcon de Reya asked about reprimands made under the General Data Protection Regulation.

Reprimands are a formal expression of the ICO's disapproval, issued to organisations that have broken data protection law.

An ICO spokeswoman told The Register: "The ICO's aim is to protect people from poor organisational practices that put their personal information at risk. We have a range of powers to help us do that, including issuing reprimands and warnings to ensure the right policies and practices are in place. If we find that organisations have not made changes as set out in reprimands, or if any further incidents or complaints are reported to us, we can consider further regulatory action."

Reprimands are issued under article 58(2)(b) of UK GDPR, or alternatively under clause 2(b) of Schedule 13 of the Data Protection Act 2018, itself a creation of the GDPR. They are handed down where the ICO believes a data processor has broken the law.

Strangely, reprimands are not made public by the ICO even though it publicizes fines it issues.

Mishcon de Reya's Baines pointed The Register to the ICO's enforcement communications policy [PDF], which says about reprimands: "We will publicise these if it will help promote good practice or deter non-compliance."

News URL

https://go.theregister.com/feed/www.theregister.com/2021/12/01/ico_reprimands_large_organisations/