Oscar Williams

News editor

GDPR: How the ICO plans to enforce the sweeping new regulations

The EU’s new General Data Protection Regulation comes into force today, ushering in new rights for citizens and new powers for regulators.

Like many organisations, the ICO – the UK data protection regulator charged with enforcing the regulation – has been preparing for today’s deadline for the last two years, and it has not been an entirely painless process.

Elizabeth Denham, the information commissioner, revealed last autumn that her office was losing many of its most experienced staff to the private sector in the run-up to the compliance deadline.

“It’s not just the sort of baseline turnover figure, it’s the experience of people that you can end up losing,” Jonathan Bamford, head of parliament and government affairs at the ICO, tells NS Tech.

The government responded to the brain drain by giving the regulator greater flexibility on pay, a measure Bamford says has started to pay off. “In my area of work, we’ve not seen anything like the turnover that we were seeing.”

The ICO has welcomed just over 70 staff in the past 12 months and plans to take on at least another 150 in the next two years. Around 200 case-workers currently work on issues raised by the public, while a 60-strong enforcement department manages investigations and a similar number of staff are tasked with developing information rights policies and engaging with the businesses that implement them.

The policy team is currently consulting businesses and the public on a new regulatory action policy that offers a flavour of the kinds of offences that are of the greatest concern. In the case of a breach, the nature of the information, the size of the dataset and the measures put in place by the offending organisation will determine the response.

“With the Cambridge Analytica scandal, you’re seeing a coalescence of these things,” says Bamford, referring to the regulator’s investigation into the use of data in political campaigns. “There are quite a lot of numbers involved and really important public issues there. That’s why we’re galvanised into action in that area.”

Bamford says the ICO doesn’t plan to pick on particular industries now GDPR has come into force. But he warns that the use of data by some public sector bodies is of particular concern. “With public sector data, where you don’t have any choice but to provide information to public bodies or the police have information then clearly that’s something where you need to make sure that the regulatory arrangements are appropriate. It’s not like choosing to do business with one company over another.”

A Spiceworks study published yesterday suggested that just 60 per cent of UK businesses are prepared for GDPR today. Previous studies have suggested that small businesses and charities are most likely not to be compliant after the deadline passes.

This morning, Denham issued a statement seeking to reassure those that were not yet ready for the regulation. “I’m sure many of you are prepared and ready to go. But to small and micro-businesses, clubs and associations who are not quite there, I say … don’t panic! Today is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities — to better protect customer data. My office is looking forward to continuing to work with you to help.”