Where is the ICO?

I must confess a potential conflict of interest in that I am a director of a company which provides data protection advice (along with cyber security and other services), so this will probably come across as self-serving, however – I’m a data subject just as you are.

We find ourselves five months into the General Data Protection Regulation in Europe, in general, and the Data Protection Act (2018) in the UK, particular.

Has there been any instance in the UK of an organisation being fined under the new regulation?

We have seen Facebook fined for offences under the previous Data Protection Act (1998) and fines apportioned, commensurate with that regulation and this is entirely understandable, as the activities occurred and were reported under that law.

What of the new Data Protection Act?

Nothing.

There is no guidance for organisations, based on adjudications from the regulator. Not one organisation has been censured for their poor handling of personal data and so there is a growing feeling – almost a certainty – that the regulation is toothless. The regulator, especially so.

Why should any organisation spend a solitary penny on compliance when there is not even a threat of sanction? Where is the protection of the data subject, driven by expected data protection practices? There seem to be no additional protections driven by the regulation over and above the former Data Protection Act?

This is an interesting situation. We are now in a position where organisations can be found to be manifestly falling short of the requirements of the regulation wherever they collect personal data. Every organisation which captures personal data has an Article 13 obligation to explain how the data is to be used, on what legal basis, where the data will be processed and by whom.

In speaking with peers in the world of data protection it seems that boilerplate text, copied after a cursory Google search, seems to be the order of the day. These privacy notices fall short of the requirements of the regulation and are a manifest example of an organisation’s failure to adopt the requirements of the regulation.

Surely, these instances would be easy to sanction?

I can fully appreciate that an audit, commenced on the 23rd May 2018 when DPA(2018) came into force, would most probably still be under investigation. Expecting the ICO to produce a report on an organisation within six months of the regulation coming into force is na?ve, but the tools to compel organisations to meet their obligations are in place.

I’m led to believe that the ICO is receiving complaints from data subjects and that these are being logged and marked for investigation.

Elizabeth Denham has already intimated that the first effort of the ICO will be to educate, inform and guide towards compliance. Laudable. Not happening.

It would be the work of a matter of moments for a review of a website to see if there is a privacy notice and whether it would pass muster. An email to the organisation, outlining that they are under complaint and that first indications suggest that their data protection isn’t as expected, would be an excellent driver for organisations to pursue some sort of conformance with the requirements of DPA(2018). It would also serve to prevent a financial sanction, as the organisation would be building their defensible position prior to the audit; their mitigation would be being built and their potential fine lowered.

As it stands, the ICO is not serving anyone.

The data subject has to wait for their “day in court”. The organisation, which may be investigated with no prior warning, has no preparation in place. The ICO has stretched resources, so the situation is prolonged.

With no compulsion from the regulator, organisations (on the whole) will do nothing. Why spend ￡1000 in protection when the fine may never come along or be a fraction of the cost of compliance. It doesn’t make business sense.

This leaves us in the situation where we have a data protection regulation which isn’t protecting data subjects’ data.

We have had two years, from April 2016, for the regulation to be embedded and for organisations to be protecting person data.

Where was the leadership from the regulator?

Where was the preparation from the regulator? Salaries were appalling, and it is only comparatively recently that lobbying has allowed the ICO to break free of the constraints of civil service pay grades.

Guidance on the ICO helpline has been contradictory in many cases.

Email guidance has been poor. I have seen one query from one of our clients answered by the ICO talking about responding to an SAR within a month and mandating that our client accept scant proof of identity from the requester. The former is incorrect as the SAR arrived in early May (prior to GDPR) and the latter is incorrect because the SAR came from someone who was the recipient of a service from a data controller, our client being a processor. All under DPA (1998) – the guidance was given with no acknowledgement of the date of the request and the appropriate legal basis in operation.

Don’t forget – the ICO also had two years to prepare…

I appreciate that the ICO is cleaning up the older infringements and that these need to be decided. I also understand that they are investigating issues revolving around PECR.

The problem is that we are seeing precisely nothing in the way of guidance and compulsion from the regulator for organisations to follow.

We have all heard the “€20m, 4% of global turnover or €10m, 2% of global turnover…” but these are the extremes. The sanction regime needs to be proportionate and persuasive. Article 58 gives the regulator the opportunity “to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period” (Article 58(2)(d)) – surely there would be no cost to order an organisation to comply? It may save the organisation from being fined.

As it currently stands, the ICO is ineffective. It has not delivered for data subjects. It has not delivered for personal data users. It has not delivered anything other than web-based guidance and some cursory advertisements on the radio about the impending regulation, which started to be aired in – what? – April?

The ICO should direct attention to promoting data protection. It should seek to guide personal data users on their obligations. It should seek to advise data subjects of their rights.

The ICO should seek to do something…

I said at the outset that there might be a potential conflict of interest in this piece, due to the services offered by my company.

I am a data subject.

So are you.

I don’t feel that we are being helped by the ICO.

I would be happy to not see a single organisation fined because they realised the potential danger from fines, reputational damage and civil suits and took steps to avoid being placed in that situation.

As it stands, the ICO is doing none of this.

This is my vote of no confidence.

I don’t think that I’m alone in this.