I am on record as having a very poor view of the ICO. I don’t believe that they are fulfilling their Article 57 requirement to “monitor and enforce the application of this Regulation” (Art.57 (1)(a)) or in their responsibility to “promote the awareness of controllers and processors of their obligations under this Regulation” (Art. 57(1)(d)).
It’s easy to keep taking pot shots, but I think it’s better to try to share suggestions for improvement so here’s my take on some positive, practical suggestions to try to help the ICO to fulfil its mandate.
My main concern is that some of these suggestions might already be happening, however, I have worked in data protection sufficiently long to know that if I haven’t heard of these things happening then it may not entirely be my fault. There is a problem of communication from the ICO; hence the issues with the purportedly large numbers of organisations which haven’t completed their compliance efforts.
I think that there are a number of things which could be done to improve the current situation, but they have to be predicated on ‘education’ first and foremost.
It would be iniquitous – even this late in the process – for the ICO to hammer organisations with sanctions when the advertisement around GDPR was originally mostly based on scare tactics from the “snake oil” merchants. or vendors inflating their prices in what they perceived to be a “boom” period for their products. Organisations have often reacted to the interpretation of the law from a vendor with something to sell rather than objective guidance from the regulator.
I appreciate that market forces will always come into play in situations such as this, but these forces need to be tempered by an informed marketplace; the information asymmetry around regulatory expectations meant that those organisations which tried to comply often had their fingers expensively burned on sub-par advice from newly-minted “experts” or systems which had “GDPR” tacked onto them and which didn’t deliver anything to support the organisation’s compliance efforts.
Is it any wonder that some organisations have adopted the approach that they can prove that they have spent good money and are now unwilling to see whether it has helped them to protect their businesses?
UK businesses have had nearly two-and-a-half years to comply with the regulation, but the Press suggests that those in a state of compliance are still in the minority.
It appears that the ICO is under-funded. It would be a waste of resource to undertake a media campaign this late into the process. What the ICO lacks in funds they no longer lack in staff. The regulator employs nearly 700 staff (from a low of around 150). Complaints have arisen about the quality of advice from ICO staff, so this suggestion helps to address both sides of the education coin.
Engage with trade groups (Chambers of Commerce, Federation of Small Businesses, SRA, CBI possibly) and social organisations (religious groups, sports associations, etc) and offer free seminars on what the ICO expects to see from organisations.
This would comparatively cost very little and would be seen as a gentle reminder to those businesses which haven’t fulfilled their legal obligations. From recent surveys, this would be the majority.
Make this a regular arrangement so that no one can say that they weren’t warned.
Advise these organisations that the threat of sanction is real, but deliver the message in a balanced, sensible way so that there is no sales pressure behind it – just a statement of fact from the UK’s data protection authority.
Offer a select number of volunteer attendees an amnesty in exchange for an audit on a time-limited basis. This would be no different from the regular “no questions asked” knife and gun amnesties which the police sometimes offer. Offer companies a six-month period to volunteer for an audit and select a good representative group.
After six months, the amnesty ends. Those who were audited will have directly-applicable information to improve their data handling. Others in that particular industry could review the audit and learn from that. Anyone else? Well… You had your chance.
An audit within an amnesty would help businesses to understand what their responsibilities are (without fear) and would give some of the ICO staff an opportunity to get some (much needed) real-world experience.
The price of the audit would be to speak at a future engagement event (FSB, CBI, etc.) to describe what was involved, some of the issues discovered and what treatments were recommended. A story, told by a peer, is going to have more weight than any sales pitch from a vested interest.
A “finger in the air” idea of the cost of a fine for the audit (if there is a transgression) would also make data protection fines more “real” to attendees. This would also help to fulfil the Art.83(1) requirement on the ICO that “the imposition of administrative fines… shall in each individual case be effective, proportionate and dissuasive.”
Having an actual financial figure for an audit outcome would enable organisation leaders to gauge what the cost/benefit would be, if only in purely financial terms for the fine. They would, presumably, be well enough acquainted with their own industry to know what sort of reputational damage may occur and the potential number of data subjects’ civil claims.
A general list of easy wins would help organisations to make small but potentially high-impact changes to their operations in order to protect data subjects.
Purely from a user experience perspective – please change the website. I often hear other practitioners say, “But – all of the information is on the website?!”
Taking a step back and looking at the site from a non-practitioner perspective, it doesn’t deliver. It should offer more content dealing with the generalities of compliance so that organisation leaders can actually understand what is required. The website for CERN’s Large Hadron Collider is engaging, despite the fact that it deals with matters (and “anti-matters”?!) which are massively outside of a normal person’s scope of understanding.
If the ICO undertook the “Education” and “Amnesty” route, outlined above, there would be a wealth of industry-specific information to build into the real-world expression of how the regulation operates.
…and there are plenty of “royalty-free” pictures available in order to brighten up the page and make it more welcoming the passing visitor.
I have said this elsewhere, but there needs to be evidence of the ICO in operation amongst the types of businesses which aren’t going to attend industry groups such as the FSB or CBI. These organisations are likely to be the type which see the Data Protection Act (2018) as something which concerns other people, not them.
I visited a website a short time ago which said that the site was run under the guidelines of the Data Protection Act (1998) and by submitting my personal data I was agreeing to marketing materials being sent to me.
Surely, this is an “open and shut case” that this organisation is ignoring their legal responsibilities?
I phoned the ICO. I was told to report it to the website owner and – if I’d had no response within 28 days – to come back to the ICO and “We’ll see what we can do about it.”
If I saw someone throw a brick through a shop window, I would call the police with a description of the individual, the time of the offence and any associated information and let them deal with it.
If I saw someone pouring oil into a stream, I would contact the environmental health services with as much evidence as I could gather and let them deal with it.
If I disagreed with a government policy, I would make my case to my local MP, who should speak on my behalf.
I had given the ICO person on the phone the URL of the website and the wording of the message, but they expected me to pursue this on behalf of all of the other data subjects who would be affected. Whatever happened to the ICO’s Article 57 (1)(a) responsibilities around monitoring and enforcement?
Presumably, the ICO has a case management system for investigations.
When a data subject calls with a prima facie case where an organisation is in breach there may not be enough resource to don the blue “ICO Enforcement” jackets and wade into the head office of the organisation (or enough of a reason).
My complaint – and I’ve heard this from others – is that no record was made of my report. If a case file was opened then it could be used to gather evidence, or even mitigation to show that the organisation is receiving complaints from mischievous and malcontent data subjects.
If a growing body of complaints suggested that a company was ignoring their responsibilities within the regulation then the ICO could act. Send an email, make a phone call – anything – to advise the organisation that their behaviour isn’t what is expected.
Ultimately, this is to protect the data subject. It is also to enforce the regulation. It is a manifest example of the ICO engaging with organisations and advising them.
The more egregious breaches should be investigated quickly and the ICO should not be frightened to enforce the cessation of processing. Draconian? Why? It’s within the regulator’s powers and if it protects data subjects – how can that be wrong? It would also get the message out that data protection is an important factor in modern life.
The ICO can’t parade all of their work with Cambridge Analytica and Facebook and then expect people to accept that their banking details or health matters are “fair game” because no one at the ICO took the effort to record early warnings of serious transgression.
For the more mundane and less serious issues, a formal notification that the ICO is aware of the organisation’s operation would be a decent shot across the bows in order to suggest more work needs to be done to address shortcomings in the organisation’s stance on data protection.
Taking this approach would fulfil the ICO’s Art.57(1)(a) responsibilities to some extent. It would also bring data protection into a position with some context and it would further serve to underpin the ICO as a regulator in the minds of data subjects everywhere.
It might be easier to solve the issues around an absence of engagement from the regulator if there was a bottomless pit of money. Back in the real world, this isn’t going to happen.
I have tried to outline some low cost, high impact strategies which would enable the ICO to fulfil its legal responsibilities and – first and foremost – protect the data subject.
I don’t believe that at any point I have used this article to try to create further business directly for data protection practitioners. With a strong, fair regulator, there is no reason to artificially create a market for data protection practitioners. An informed market is better for everyone and would avoid organisations making purchases more in hope than expectation.