I’ve heard a few times recently a general nonchalant approach to data protection compliance, and a feeling that the ICO’s only after the “big boys”. After all, if the mainstream media is the only guide you have to what the ICO is up to, then fair enough: they’re only interested in reporting the big fines and the household names (for example BA and Marriott, neither of which has so far translated into any actual action, even though the original intentions to fine date from the summer of 2019!). Granted, the ICO have only fined one company under GDPR, but they have actioned quite a few under the old Data Protection Act (which applies when a breach occurred before May 2018, when GDPR came into force), for example the recent case against Cathay Pacific (which is from March and still the headline enforcement action on their “Action we’ve taken” page).
On the face of it – I get it. It’s difficult to see why you should worry about data protection when there seems to be little ICO action to indicate you might be at risk. But what if they are busy and you just don’t know about it? This is one of the key takeaways from the ICO’s 2019/20 Annual Report. Covering the 12 months to 31st March 2020, the report includes details of their main achievements (publication of the Age Appropriate Design code, launch of their regulatory sandbox, etc.), but it also includes some of the stats around just how busy they have been on the enforcement workload side:
- 38,514 complaints with 60% resulting in an infringement
- 395,197 calls to the ICO helpline, 54,052 via live chat, 22,050 written responses
- 11,854 personal data breaches reported, although 95% of them did not result in action; the largest share of breaches (20%) was in the health sector, with 17% in general business and 14% in education
- 127,940 reports were received relating to issues regarding PECR (the Privacy and Electronic Communications Regulations – the law regarding direct marketing and using cookies), including 2,544 complaints about cookies
And that’s not all. If you look at the Enforcement section of the ICO’s website, you’ll see just what they’ve been actioning. In 2020 alone so far (as of 24th August 2020), they have:
- Fined DSG Retail £500,000 for security failings
- Prosecuted a former social worker who passed personal data of service users to a third party
- Fined CRDNN £500,000 for making more than 193m automated nuisance calls
- Fined Cathay Pacific £500,000 for failings in its IT systems (server security, server patching, lack of access controls)
- Prosecuted a Town Clerk for blocking a Freedom of Information request
- Fined Black Lion Marketing £171,000 for unsolicited direct marketing calls
- Fined Decision Technologies £90,000 for email marketing breaches caused by third parties they’d used to send emails
- Fined Rain Trading £80,000 for unsolicited marketing calls
- Fined Koypo Laboratories £100,000 for unsolicited marketing emails
So, just because it’s not reported in the mainstream media doesn’t mean the ICO aren’t dealing with compliance. And what if someone complained about your organisation’s data handling? Do you have all the right answers for the ICO? They could ask for your register of data processing activities, want to speak to you about an alleged infringement, and in some cases they may even ask you to participate in a consensual audit.
If you’re happy to take the risk of dealing with an issue if/when it happens, then fine. If you’re not so happy to take the risk, then let’s talk about how we can help you to put all the necessary measures in place to minimise that risk.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR