Are the ICO enforcing or not?
Major public health emergency or not, it’s easy for organisations to look back at the (nearly) two years since GDPR came into force in the UK and conclude that the ICO aren’t enforcing much. To date (April 2020) the ICO has taken only one GDPR enforcement action, along with some intentions to fine announced back in 2019. They have been busy enforcing under the old data protection law (the Data Protection Act 1998), such as the recent Cathay Pacific fine, but if you visit their “Action we’ve taken” page you’ll see that the last enforcement action dates back to 13th March.
However, don’t take this to mean they’re not doing anything, and don’t assume that because something doesn’t end up as an enforcement action you can get away with being a little relaxed about your GDPR compliance. I know from working with businesses that they are indeed dealing with GDPR enforcement; it just isn’t leading to fines, enforcement action or media scrutiny. Remember, it only takes one disgruntled data subject to complain about you, or a data breach that could cause harm to an individual, and the ICO may be getting in touch wanting to hear your side of the story. That could lead to enforcement action, but more often than not, initially at least, you’ll be defending yourself and justifying your actions. Then comes the wait while the ICO decides what action (if any) they’re going to take. Yes, that could be no action, but it could also be a list of recommended actions for you to put in place, or it could lead to a fine or other enforcement action. Regardless of how much effort you’re putting into ongoing GDPR compliance, do you want that hanging over you? Do you want the worry that you might not have done enough to appease the regulator? And if you’re thinking that enforcement is only about the big guys and they don’t go after smaller businesses, tell that to Doorstep Dispensaree Ltd, Michelle Shipsey, Hudson Bay Finance or True Visions Productions. Unless you follow ICO enforcement action, you’ve probably not seen or heard about them in the media.
Bringing this back to the current Coronavirus crisis
Recently, I’ve heard all kinds of speculation: that the ICO is not going to enforce whilst businesses are struggling; that they’ll only have time to go after the big businesses, because that’s all they’re interested in; and that they are, after all, going to be struggling themselves, with their employees working remotely, having to home school, or possibly off sick with COVID-19 infections. I’ve also heard people say that it’s everyone for themselves, that they’ll take the risk and market (spam) to everyone and worry about ICO enforcement later. Desperate times call for desperate measures, right? Whether you believe that or not is up to you and your view on risk. Can you afford to risk an investigation, let alone an enforcement?
Until this week, the ICO had said very little about their position on enforcement and compliance, indicating only that, other than their offices being shut (so don’t send them anything in the post), it was business as usual. However, on 15th April they published their regulatory approach during the Coronavirus public health emergency. In this policy document they reflect on the challenges everyone is facing and how their “pragmatic and proportionate” approach will be applied during the pandemic:
- They will continue to recognise the rights of individuals under data protection and privacy law
- They will focus their efforts on the most serious challenges and threats to the public
- They will assist frontline organisations in providing advice and guidance (e.g. for those that provide healthcare or other vital services)
- They will take firm action against those attempting to exploit the current health emergency through nuisance calls or misuse of personal data
- They will be flexible with their approach, taking into account the impact of their actions
- They will provide as much support as possible for businesses and public authorities as they recover from the emergency
In terms of supporting organisations (particularly those on the frontline), they have committed to:
- Identifying and fast-tracking the advice, guidance and tools needed to help everyone recover from the crisis
- Reviewing the economic and resource impact of any new guidance, delaying guidance that could impose a burden or divert staff from frontline duties
- Providing practical support to the public on what to expect with regards to exercising their rights, including advising where appropriate a “bear with us” understanding
- Handling complaints about organisations in a way that places less burden on frontline organisations (e.g. taking longer than usual to deal with them, or avoiding engaging with the frontline organisation)
- Developing further regulatory measures for the end of the crisis to help support economic growth and recovery
But when it comes to regulatory action:
- The ICO “will continue to act proportionately, balancing the benefit to the public of taking regulatory action against the potential detrimental effect of doing so, taking into account the particular challenges being faced at this time”
- You are expected to continue to report personal data breaches (where the law requires you to do so) and within existing timeframes (i.e. within 72 hours of becoming aware of the breach)
- The ICO will conduct investigations with the Coronavirus crisis in mind, including reducing any burden on already stretched resources and extending timescales for responses
- The ICO expect to be carrying out fewer investigations, with a particular focus on serious non-compliance
- They “will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis”
- They have paused their audit work
- In deciding whether to issue formal regulatory action (including fines), the ICO will take into account whether the infringement is a result of the crisis and whether it will be rectified once the crisis is over
- They may consider longer than usual timescales for rectification of any breaches that predate the crisis, where the crisis impacts an organisation’s ability to put things right
- All formal regulatory action in connection with outstanding FOI requests is suspended
- The economic impact of fines and their affordability will be considered and could result in lower levels of fines (I wonder what this will mean for the BA and Marriott Hotel fines that were announced last year?)
- They may not enforce the data protection fee if evidence can be provided of economic reasons for it not being paid (although you’ll be expected to set a timescale within which you will pay)
- They will consider the current issues if they deal with complaints about subject access requests, particularly if the organisation can demonstrate Coronavirus challenges that have led to non-compliance in this area
The ICO concludes in their paper:
With the correct application of flexibility in regulatory response, we do not consider that any of the legislation we oversee should prevent organisations taking the steps they need to in order to keep the public safe and supported during the present public health emergency. There is plenty of flexibility built into the legislation for organisations to use in such times, including some specific public health related exemptions.
We have prioritised our services to provide additional guidance for organisations about how to comply with the law during the crisis.
We will continue to apply this flexible and pragmatic approach to our regulatory response during the crisis and will also be aware that some effects will be felt for a significant time at the conclusion of the emergency. This means that some flexibility will continue to be necessary in some areas for many months to come.
So, some flexibility, but business as usual when it comes to GDPR compliance. Still thinking you may worry about GDPR less?
If you want to keep up to date on the key GDPR updates (Coronavirus or not), then subscribe to our free Article 13 Newsletter (sign up below). And if you want to hear about enforcement action, analysis of ICO fines and regulatory action, then that’s part of our Helpline subscription services.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR