UK: Reflecting on the ICO’s “GDPR – One year on” report

We reflect on the ICO’s report “GDPR – One year on”.

The message from the ICO is clear: everything has increased in the last year. There have been significant increases in the level of public engagement with, and awareness of, data privacy and in the number of data breaches reported, and the ICO’s own resources have been stepped up to match (with its increased fees being used to support this). A big focus has been on raising public awareness of the potential of personal data and the data rights of individuals. The ICO’s “Your Data Matters” campaign has led to a 32% upturn in users accessing its website, and it has seen a 66% increase in engagement with its helpline and written advice services. Looking at the culture of privacy in organisations, its survey of DPOs encouragingly highlights that DPOs are satisfied with the senior leadership support they receive from their organisations and that over 90% of DPOs have an accountability framework in place.

The ICO has also been busy preparing guides and interactive tools, as well as statutory codes in areas of special import – age appropriateness, direct marketing, data sharing. It has been involved in high profile work to rein in the lawful use of personal data in political campaigning. The message on this is that the ICO’s wider powers under GDPR have enabled it to issue “no notice” assessment notices and urgent information notices, meaning it can investigate high profile organisations at a much quicker pace than was permissible under the old regime.

The subject of enforcement is an interesting one: some critics have argued that regulators haven’t exploited the potential that the big fines could have in clamping down on unlawful practices. The ICO maintains that enforcement is not just about big fines but, rather, about using the wider ranging powers the GDPR gives it to “pull back the curtain” on processing where the public has concerns and to change behaviours. Its recent action against HMRC, ordering it to delete records of five million individuals, is cited as an example of this. The fact is, the regime is still in its infancy; let’s give the regulator time to use the financial penalties wisely.

As expected, the number of personal data breaches reported to the ICO has increased dramatically under the GDPR. In fact the rise is 400%. A high proportion of these cases required no further action from the organisation, but this is not considered an issue – the ICO views over-reporting of data breaches as a positive demonstration that businesses are taking GDPR seriously and are being proactive. But at the same time, the ICO does recognise that it remains a challenge for organisations and DPOs to assess and report breaches within the statutory timescales and is showing willingness to provide support and guidance where it can on this topic.

The report also serves to highlight that, Brexit or not, the ICO wants to be – and has the credibility to be – centre stage at a national, European and global level, with recognition of its role as elected chair of the International Conference of Data Protection and Privacy Commissioners.

The ICO is also ready to be at the forefront of innovation, putting resources into keeping pace with developments in cyber security, AI, machine learning and facial recognition technology. Whilst its Sandbox is in its infancy, the ICO hopes that it will drive innovation and be used for cutting edge technology, helping to ensure new technologies can be pioneered in a data privacy compliant way.

So while, to a certain extent, it is still too early to tell how successful the GDPR regime really is, the ICO’s closing remarks on the report apply as much to it as they do to organisations embedding a culture of privacy and to data privacy practitioners: “As the public’s attitudes to how their information is used changes, we have an opportunity to make a real difference.”

For further information, please contact Alexa Smith (Legal Director, Leeds).