With the General Data Protection Regulation (GDPR) recently passing its two-year anniversary of coming into force, there has been a lot written on what progress has been made when it comes to the protection of individuals’ personal data against misuse by companies. The Information Commissioner’s Office (ICO) has certainly come under significant scrutiny and pressure for its track record when it comes to enforcing GDPR so far.
At the time of writing this blog, there has only been one monetary penalty enforced under GDPR – Doorstep Dispensaree Limited for £275,000. This is despite the ICO receiving 38,514 complaints under GDPR in just the last year. The two largest headline cases have been Marriott and British Airways, where the ICO issued “Intents to Fine” of £99M and £183M respectively - ICO British Airways Notification, ICO Marriott Notification. Both fines were supposed to be enforced within 6 months of the intent notices being served, but a year on both fines have been delayed, with an expectation that they will be significantly reduced. Indeed, BA’s owners, IAG, have set aside a “Settlement provision” of only €22M for the fine in their latest financial report; a 90% decrease on the actual liability - IAG Six Month Interim Management Report to 30th June 2020.
The ICO gave itself an “Adequate” rating in an internal audit. However, it is clear that the ICO is not only failing to uphold action on major companies, but also failing to address the more typical infringements by smaller companies. The internal audit cites the ICO’s “relaxed enforcement” stance during the Covid-19 crisis as a factor in their underperformance, but this does not explain the previous 18 months in which GDPR should have been regulated more robustly.
It is clear that the GDPR gives regulators significant regulatory “teeth” and should have ushered in a new era of data privacy. Putting Covid-19 aside for a moment, there may be a couple of other major factors which result in the ICO’s lack of success.
Firstly, is the scope of the ICO’s responsibilities too broad? They are currently accountable for:
- Data Protection (the GDPR)
- Freedom of Information Act
- Privacy and Electronic Communications Regulations (PECR)
- Environmental Information Regulations
- INSPIRE Regulations
- The re-use of Public Sector Information Regulations
Secondly, resourcing and funding are not in line with the challenge the ICO faces when aiming to enforce GDPR.
The internal ICO audit highlighted “Managing the ICO’s reputation” as one of the primary risks for the organisation. Currently, citizens believe the ICO lacks teeth and is too biased towards the interests of business. Businesses believe the ICO is poor at providing proactive support and clear guidance, and IT industry commentators such as Wired report that the ICO has “given up” on enforcement altogether and is using Covid-19 as a cover.
It is clear, even to the ICO themselves, that they need to improve on effectively policing GDPR. Standing strong on the Marriott and BA fines would be a good start, but there has to be a broader strategy and plan if confidence in data privacy protection is to be ensured in the UK. An American consultant has reportedly been brought into the ICO to consider their powers in light of a Parliamentary enquiry last year that concluded: “The GDPR should offer a substantial level of protection for people’s personal data, but this does not seem to have materialised in practice. The Government should review whether there are adequate measures in place to enforce the GDPR and DPA in relation to how internet companies are using personal data, including consideration of whether the ICO has the resources necessary to act as an effective regulator” (Paragraph 105) - Parliamentary Enquiry into Data Protection and ICO enforcement.