Business As Usual, Toothless As Usual? The ICO and Data Protection
Tuesday 13th October 2020
The Information Commissioner’s Office (ICO), Britain’s data protection regulator, has recently altered how it enforces breaches of the General Data Protection Regulation (GDPR) and of the multitude of British data protection legislation. The non-departmental public body appears to be returning to its pre-COVID capacity, but the question remains whether that is enough.
The ICO is undoubtedly needed in 21st century Britain as a safeguard against data misuse. It deals predominantly with organisations that err in “processing personal data”, meaning data that is processed in a way that is not automated and that belongs to an identifiable, living individual. When investigating organisations, it has the power to fine a company 4% of its total annual worldwide turnover, to investigate and criminally prosecute those responsible for data breaches, and to impose absolute bans on processing data.
Earlier in the year, the public body was remarkably lenient with GDPR breaches, stating that the unenviable shifting of resources for companies and the government during COVID-19 justified pursuing only the most egregious data violations. However, with the 24th September announcement that the ICO will now ask organisations to lift the suspension of their backlog of Freedom of Information requests, together with the demand that they resolve those requests within a “reasonable timeframe”, it is clear that the ICO is returning to normality. For companies, the ICO has further stated that it will adopt a “pragmatic” and “empathic” approach to data breaches, yet some semblance of normality is clearly creeping in, with the ICO demanding that personal data breaches be logged within 72 hours.
The ICO has also reiterated that it will take “strong” action against any organisation seeking to use the pandemic to its advantage to abuse personal data. However, this announcement reads more as an assurance than as a warning. It comes after its auditors rated the ICO only “adequate” in “risk management policies, procedures and practices”, and after Members of Parliament berated it for its poor handling of the GDPR concerns surrounding the Test and Trace scheme. To the ICO, scrutiny of this kind is nothing new. Its short portfolio of companies that have actually been fined is regularly criticised. It is also worth noting that its most significant punishments, the British Airways fine of £183 million and the Marriott fine of £99 million, amount to only 1.4% and 0.5% of each company’s turnover respectively. It is therefore understandable that the ICO is increasingly seen as a “toothless” institution, and with the closing of its fruitless three-year investigation into Cambridge Analytica and SCL last week, it is becoming ever harder to find its success stories. Certainly, the ICO is returning to normal, but with public support waning, it seems likely that reform is on the horizon.