The Information Commissioner's Office (ICO) is responsible for the enforcement of the GDPR in the UK. Here we consider three things we can conclude from an email response they sent this week regarding the way the ICO is currently operating and how it will be funded in the future.
In case you didn’t know, the ICO was appointed the UK regulator for data privacy and has a range of responsibilities to fulfil. These include policy guidance, service delivery and, importantly, enforcement, in addition to its international responsibilities. Many of those selling GDPR services have been focused on this last one for obvious reasons.
ICO Fines – Don’t believe the FUD
Believe the FUD and businesses will be faced with crippling fines of up to €20 million or 4% of turnover when the GDPR is enforced from May 25th 2018. The NCC recently carried out an analysis (insert scepticism here) suggesting that if in 2016 the ICO had fined organisations using the GDPR fine structure, it could have fined the organisations that were investigated £69 million instead of the £880,000 it did fine under the DPA. Also, let’s not forget fines relating to flouting the PECR. They nearly hit £2 million last year. Yikes.
ICO Registration Funding
However, it is worth remembering that according to the ICO's accounts the bulk funding source (£22.5 million and change) is currently made up of the small registration fee. This is £35 for most small businesses and £500 for the large ones, with a few exceptions thrown in for good measure. This is applied to almost all businesses that hold personal data, which is just about every organisation.
Now hands up. Who has never registered and paid the fee? It doesn’t take a genius to quickly work out that a huge majority of businesses have never bothered. Naughty.
Around June time some were wondering if businesses still needed to register with the ICO when the GDPR takes over. So, I thought I would ask the question. Instead of making another phone call to the ICO I wanted to see how they were coping with emails. I sent them an email on June 19th.
ICO Funding Changes
On Saturday 5th August I got a reply. Someone is working overtime. Now this is mildly amusing because in the meantime Elizabeth Denham issued the ICO annual report, which to a degree negated any need for a reply.
This has been her first year in the job and the main theme of the report suggests she has her work cut out. Page 45 shows a brief risk assessment of the challenges the ICO faces, including this statement of intent:
“introducing a new robust fee system to finance data protection work”
The issue facing the ICO and the need for this new system is explained a little further on:
The Government’s impact assessment suggests the additional work has the potential, in the long term, to require up to a 70% increase in the office’s budget for data protection work. From 2018-19 a new data protection fee structure will allow the ICO to better match fee income to the cost of regulation. And the ICO fully anticipates finding the balance by effective management of the notification fee process and of expenditure during the year.
This should be ringing alarm bells by now. The judge, jury and executioner of fines is in a financial hole that needs sorting out. For some this has echoes of how the HSE operates. We shouldn’t forget that a legal appeals route is available to those fined; however, it should also be noted that the ICO successfully defends 75% of all appeals.
ICO Funding Clarification
Back to the email then. In the last few weeks, have the ICO and DCMS got to grips with how this structure will look? I mean, we’re now 9 months away from the GDPR; surely they must have some plans on how the organisation will operate from 2019 by now?
Er… well, judge for yourself:
The way the ICO is funded is determined by the Government. The ICO’s data protection work has been funded for many years through annual fees paid by those who process personal information and have to register with us under the DPA. When the DPA is replaced by the GDPR in 2018, a new way of funding the ICO will need to be introduced. The ICO is working on future funding models with the DCMS. Any proposals will take into account the general better regulation principles which suggest that regulators should use full cost recovery as a basis for their funding. One option being considered therefore is to introduce a similar funding model to the present arrangement, maintaining an annual fee for those who process personal information.
So the annual fee you have largely been ignoring may remain and the rest will be made up from fines. UPDATE: As confirmed below, the registration to process will now go, but be replaced by something currently unknown.
Three Conclusions we can make
What can we learn then? I suggest three conclusions:
1) The ICO has 448 full-time equivalent staff and, from my email and phone call experience with them, they cannot cope. They have said they will be launching a GDPR awareness campaign (for those living under rocks, I presume) in January. My suggestion would be that until the money really starts rolling in we cannot expect a huge amount from the ICO. The poor staff must be under a great deal of pressure.
2) Although the funding of the ICO still hasn’t been decided, it is clear they are going to need a great deal of additional money to operate. If they want to operate effectively then they will need even more. Always follow the money. My suggestion would be that, if you haven’t already, learn why the ICO fines companies. The fine regime may change but the rationale for the fine structure is unlikely to. The ICO guidance is here (you want page 15 onwards). UPDATE: This isn’t claiming they will keep fines, but they may well operate in a similar way to the HSE, as an example.
3) Don’t assume that just because you haven’t registered with the ICO and coughed up £35 under the DPA you will be able to ignore any new scheme. It wouldn’t take a genius to take the Companies House register and compare it to the ICO registration register. In addition, it is worth remembering that under the GDPR the ICO is just one factor. Article 79 opens the door to data subjects having powers to win damages. If they do then the ICO is likely to be involved. If you haven’t even registered, then what will that say about the rest of your compliance framework?
I don’t want to bleat on about potential fines because I don’t believe anyone will receive the full 4% fine. In my mind the benefits of “doing the right thing” with data should be compelling enough without the ICO stick. What’s pretty clear is that you will run a larger risk if you ignore the GDPR like many did with the DPA.
UPDATE – Today the DCMS has launched its Statement of Intent for the Digital Data Protection Bill. In it they have confirmed:
The GDPR abolishes the current system requiring data controllers to notify the supervisory authority of their processing of personal data