Since GDPR came into force in May 2018 there has been a sharp rise in overall awareness of the legislation amongst organisations of all sizes. In the 2018 Cyber Security Breaches Survey, which was published pre-GDPR implementation, only 38% of businesses and 44% of charities were aware of the then upcoming law. By the time of the 2019 edition of the Survey, this had risen to 88% of businesses and 94% of charities.
One of the reasons behind this increased awareness is the work undertaken by the Information Commissioner’s Office (ICO). Their role in prominent investigations into the data processing activities of Cambridge Analytica (in relation to Brexit), Facebook and Uber coupled with their GDPR awareness campaign “Your Data Matters” has led to increased public knowledge of data protection law.
For most people, this will be the extent of their understanding of the ICO, with it being thought of primarily as the organisation responsible for investigating and fining those who breach GDPR. Yet it has a far broader range of responsibilities, and even in cases where it does investigate, it does not always issue fines.
As part of our “Introduction to…” series, this article will break down the ICO’s key responsibilities and also explain why it is a useful resource for SMEs. For the other articles in the series please see our Introduction to the NCSC and our Introduction to Cyber Essentials.
What is the ICO?
The ICO was founded in 1984 as the Data Protection Registrar, tasked with overseeing the Data Protection Act 1984. In the beginning it was a small organisation with only 10 employees. Over the years its remit grew, often as a result of changes in data protection law at the European level, and today the ICO, led by the Information Commissioner Elizabeth Denham, has more than 700 employees working across a variety of different departments.
As the organisation has evolved, so too has its mission statement. The first, produced in 1994, declared: “We shall promote respect for the private lives of individuals and in particular for the privacy of their information by: implementing the Data Protection Act 1984; influencing national and international thinking on privacy and personal information.”
The current mission statement is even briefer: “To uphold information rights for the UK public in the digital age.” This somewhat understates the breadth of the ICO’s role. Formally speaking, they have specific responsibilities set out in the Data Protection Act 2018 (DPA 2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
In reality, most organisations will have little interaction with these other Acts/Regulations. They are too specialized. For the majority, the most relevant are the GDPR, the DPA 2018 and PECR (soon to be replaced by the ePrivacy Regulation).
With regards to the GDPR and the DPA 2018, the ICO serves as the UK’s Data Protection Authority. What this means is that they are the independent body “that supervise, through investigative and corrective powers, the application of the data protection law (i.e. GDPR).” They also “provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws (in the UK, the DPA2018).” There is one in each EU Member State.
As a rule of thumb, the main point of contact for questions on data protection is the Data Protection Authority in the EU Member State where your company or organisation is based. Therefore, for many UK based organisations, their first port of call for queries, concerns or complaints about GDPR should be the ICO. However, if your organisation processes data in different EU Member States or is part of a group of companies established in different EU Member States, that main contact point may be a Data Protection Authority in another EU Member State. A full list of EU Data Protection Authorities can be found here.
What does the ICO do?
As mentioned above, as the UK’s Data Protection Authority, the ICO is responsible for supervising the application of data protection law. They do so through use of “investigative and corrective powers”. Crucially, these are powers that have been significantly enhanced by the GDPR.
Under the Data Protection Act 1998 the Information Commissioner only had compulsory audit powers in respect of central government and health organisations. Otherwise companies had to agree to an audit. Under the GDPR and the DPA 2018 the Commissioner is able to issue formal assessment notices to any organisation, either public or private. With these new powers of inspection the ICO are able to proactively respond to complaints from the public regarding violations of their data subject rights.
The action taken as a result of an audit depends on the nature of the incident investigated. The ICO do not always take further action. For example, in the case of personal data breach investigations (where organisations report themselves to the ICO), the regulator ruled that in 82% of the cases they assessed, no further action was required. Nor do they always issue monetary penalties. The ICO has a range of other options, including: requiring the organisation to agree to an improvement action plan, further investigation audit visits, or issuing an Enforcement Notice (which requires the organisation in question to comply with data protection law).
Fines, particularly the significant sums recently issued to British Airways and Marriott International, are, statistically speaking, a rarity. As the ICO made clear in their most recent annual report, their aim in using their powers is to “change behaviours” to ensure that individual rights are upheld and that organisations comply with the law. Recourse to monetary penalties, under this goal, is reserved for the most egregious cases or when previous action has failed to lead to an improvement (if, for example, an organisation suffered another breach after being issued with an Enforcement Notice).
However, the ICO is not a purely punitive body. There is a ‘positive’ side, if you will, to their compliance and enforcement activities. They provide a rich array of resources to help organisations of all types. During 2018-19 the ICO put comprehensive guidance in place, the Guide to GDPR, which helped organisations with the process of embedding GDPR and DPA 2018 into their work. According to the 2019 Annual Report, the guidance has proved incredibly popular, with the Guide to GDPR garnering over 15 million views on the ICO’s website during 2018-2019.
The ICO also plays an active, front-foot role in lobbying the government to ensure the information rights of individuals are afforded comprehensive protection. When they believe there are deficiencies in the existing law, they will advocate for change. For instance, in their report Democracy Disrupted the ICO put forward ten recommendations to help bolster the safeguards around the use of personal data in political campaigns.
Why is the ICO important to SMEs?
Similarly to the situation I discussed in my article Introducing the NCSC, SMEs face a number of unique challenges when looking to comply with data protection law. This is something the ICO itself acknowledges; “we recognize that it hasn’t been easy for small organisations to become compliant with GDPR and DPA 2018.” Legal bases for processing, data auditing and privacy policies take time to understand and “there are no quick fixes for making sure people’s personal data is being processed legally.”
To help SMEs understand their data protection responsibilities, the ICO has provided a suite of resources, support and guidance on their website, tailored to the needs of sole traders and small organisations. These include toolkits and checklists, podcasts and FAQs. This SME resource library is something the ICO are looking to build on in the future. Per their 2019 annual report: “we are currently exploring establishing a “one-stop shop” for SMEs within the ICO. This department will draw together expertise from across our regulatory teams to help us better support all SMEs.”
The ICO also looks to foster innovation amongst SMEs. To this end they have established a Regulatory Sandbox to support organisations who are developing products and services that use personal data in innovative and safe ways. Organisations selected will have the opportunity to engage with the ICO, drawing upon their expertise and advice on mitigating risks and ‘data protection by design’, whilst ensuring that appropriate protections and safeguards are in place.