ICO’s priorities and impact of our work

2 Aug 2021 12:49 PM

The Daily Telegraph recently (31 July 2021) ran a story about the focus of the ICO’s work and the impact that we make.

The article criticises the ICO's choice of regulatory priorities. As a regulator responsible for the whole economy, including the public sector and Government, with an important international mandate, our work requires us to make often difficult choices about how best to protect the public while enabling the responsible use of personal data.

We reject the claims that we chase headlines

The ICO takes a proportionate, pragmatic approach to its regulatory responsibilities. The approach is designed to build the public’s trust and confidence in data protection.

Modern regulation uses a wide range of tools. Fines and penalties are always a last resort.

Our work to advise organisations, helping them make changes and improvements to comply with the law, is the most effective way of reducing misuse of people’s data. Where monetary penalties are needed, we haven't shied away from using these powers, but effective regulation is about far more than the number of monetary penalties issued.

Our approach has been praised by business and government alike. Anthony Walker, deputy CEO of TechUK, speaking at their 2020 Digital Ethics Summit, said the ICO had “played a fundamental and important role” in developing digital ethics in the UK. John Whittingdale, Minister of State for Media and Data, speaking at the Data and the Future of Financial Services 2021, described the ICO as one of the most important regulators in the UK, adding: “I should like to thank Elizabeth Denham for the great job that she has done.”

In response to the claim that nuisance call fines have remained static despite the growth in size of the ICO

Following the introduction of the new data protection law, the GDPR in May 2018, the ICO has doubled in headcount, with a focus on increasing the technical, legal, and economic expertise in line with our increasingly complex technical remit.

Tech companies based across the world have a huge presence in the UK, processing UK citizens data. With our responsibility to protect the public, we need to understand and engage with these companies as well as to provide as much regulatory clarity and certainty to all the organisations we regulate.

Our growth has also involved increasing the number of people working in our teams dealing with complaints from the public and enquiries from small businesses as demand for these services has doubled since 2018. Over a third of all ICO staff now work in these public facing services.

With specific reference to nuisance marketing, the ICO has always, and continues to, take action where our advice is not followed and where we find serious, systemic or negligent behaviour that puts people’s information rights at risk.

Since April 2015, a total of £13,598,500 in PECR fines has been issued.

Where we identify organisations that can pay but won’t pay, we will pursue formal recovery action, via our financial recovery unit, which can result in insolvency. Equally, where directors seek to avoid payment via insolvency we actively exercise our full rights as a creditor, including nominating Insolvency Practitioners whose investigations can result in personal claims against directors. We also work closely with other enforcement agencies to disrupt and obstruct seriously non-compliant directors who, for example, may persist in continuing to make nuisance calls or send unsolicited spam despite our fine. This can result in directors being disqualified and further civil action or criminal prosecutions.

The nuisance call industry is growing in scale and complexity. Our successful and effective regulatory interventions in this area are now far more sophisticated and labour intensive than in 2015. Our record of being able to issue a consistent level of penalties year on year and take wider disruptive action is evidence of our continued commitment to this work.

We continue to work with our fellow regulators and with government to best direct and co-ordinate our collective resources on this important issue.

In response to the claims about the ICO’s approach to international travel

The ICO has an extensive remit both domestically and internationally, and ministers have been supportive of the ICO’s current leadership role among its data protection regulator counterparts.

It is vital for the work of the ICO that the Commissioner has a visible role, championing the rights of the public and directly engaging with stakeholders across the whole economy the ICO regulates. Any travel commitments for the Commissioner, or any member of ICO staff, are proportionate to the role and accounted for transparently. When travel to multiple overseas locations is necessary we work hard to reduce the number of flights involved.

Our statement, which was published in the Telegraph, in full

An ICO spokesperson recently said:

“The Commissioner travels internationally when required, as the ICO’s work is both domestic and global.

“Our approach of working with organisations and taking proportionate action is making a real impact in protecting people’s rights, from how charities use donors’ information to changing how police use data from victims’ mobile phones to supporting innovation through the Covid-19 pandemic.

“This approach helps to build the public trust in data-driven innovation that benefits people, businesses and economic growth.”