ICO calls for greater powers to enforce data protection compliance

Information Commissioner Elizabeth Denham has called for extended powers for the ICO after admitting the privacy regulator faced a struggle to keep pace with developments in data analytics.

The ICO was in the midst of a comprehensive investigation into the use of data in political campaigns when the Facebook-Cambridge Analytica scandal emerged to make data protection a mainstream concern and government priority.

The GDPR will give Denham the power to audit any organisation using personal data, but her investigation is proving that her future powers are already being outpaced by technological advances in data analytics.

"I want to see this addressed," she said at the IAPP Europe Data Protection Intensive conference in London.

"I am in intense consultation with government, to ensure that, as part of the Data Protection Bill, the ICO has the ability to move more quickly to obtain the information we need to carry out our investigations in the public interest.

"We need to respect the rights of companies but, we also need streamlined warrant processes with a lower threshold than we currently have in law.

"We need the regime to reflect the reality that data crimes are real crimes. As society moves increasingly online, data protection law needs to have the comprehensive reach people would expect of laws in the physical world."

GDPR myth busting

Headlines around the GDPR often focus on the increase of maximum fines for data breaches to €20 million or four percent of global turnover. Denham said that much of the press coverage was scaremongering and that maximum fines will not become the norm.

"I have spent a lot of time busting myths in this area, particularly the misinformation about massive fines being an ICO default under the GDPR," she said.

"I have no intention of changing our proportionate and pragmatic approach after 25 May. My aim is to prevent harm, and to place support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route."

Read next: GDPR tips: How to ensure compliance with GDPR

Denham added that while hefty fines would be levied on those who "persistently, deliberately or negligently flout the law" they would likely be averted if organisations engage with the ICO and show effective accountability measures.

In many cases, fines would be less appropriate and effective than compulsory data protection audits, warnings, reprimands, enforcement notices and stop processing orders.

She also clarified that breaches only need to be reported if there is a high risk of them adversely affecting a person's rights and freedoms.

Another GDPR myth she sought to dispel was over breach reporting. It will only be mandatory to report a personal data breach to the ICO if it's likely to result in a risk to an individual's rights and freedoms.

"It's always worth repeating," she said. "You will not need to report every single personal data breach to the ICO."

Changes at the ICO

Denham is currently adding numbers and expertise to her team to ensure it is ready for the GDPR and has introduced a secondment programme to add the skills of legal staff, auditors and international liaison experts.

The regulator has also published its first technology strategy, which focuses on cyber security, artificial intelligence, and device tracking.

It will also launch a "regulatory sandbox" in 2019 in which users can beta test new initiatives that can be developed into safe products and services.

The plans will be supported by an increase in the ICO's annual budget from £24 million to £38 million next year.

Read next: The most significant UK data breaches

Denham praised the government's commitment to fully implement the GDPR rules, but added that further clarity was required over the ICO's role in the EU after Brexit.

"The most significant unknown from my point of view is the exact nature of the relationship with our [data protection authorities] colleagues across Europe," she said.

"During two recent speeches the prime minister has made the case for an ongoing role for the ICO – whether that's a seat on the European Data Protection Board with voting rights or some other form of relationship, the government and the EU can decide.

"The ICO is deeply committed and embedded in the EU regulatory community. And that is the message I've been giving to parliamentarians when giving evidence to committees looking at the implications of Brexit."


Copyright © 2018 IDG Communications, Inc.

Shop Tech Products at Amazon