The ICO exists to empower you through information.

At a glance

  • The ICO upholds information rights in the public interest.
  • The ICO aims to help you comply with the law and promote good practice by offering advice and guidance.
  • The ICO can take action if you breach the eIDAS Regulation, including the power to impose fines of £1,000.

In brief

There are a number of tools available to the ICO for taking action to enforce eIDAS, which are set out in the UK eIDAS Regulations and Data Protection Act 2018. They include non-criminal enforcement and audit. The ICO also has the power to serve a monetary penalty notice imposing a fine of £1,000.

The ICO may take enforcement action during the course of its supervisory responsibilities in respect of qualified trust services or in instances where there is evidence that any trust service provider based in the UK has not complied with the regulations.

These powers are not mutually exclusive. The ICO will use them in combination where justified by the circumstances. The ICO can:

  • conduct an audit to check you are complying with your obligations as a trust service provider, and make recommendations;
  • serve an Enforcement Notice order if there has been a breach, requiring an organisation to take specified steps to comply with the law;
  • issue a Monetary Penalty Notice requiring you to pay £1,000;
  • prosecute you if you fail to comply with an Enforcement Notice (except in Scotland, where the Procurator Fiscal brings prosecutions); and
  • report to Parliament on issues of concern.

If you fail to comply with an ICO Enforcement Notice, an Assessment Notice (for a compulsory audit) or an Information Notice (requiring you to provide the ICO with information for its investigation), the ICO also has the power to impose more substantial fines of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.

For more information, see the ICO’s regulatory action policy.