The first year of the EU’s General Data Protection Regulation (GDPR) and the UK’s GDPR-aligned Data Protection Act (DPA) 2018 saw people wake up to the potential of their personal data, according to the Information Commissioner’s Office (ICO).
“This led to greater awareness of data protection law, in particular the data rights of individuals, and greater awareness of the role of the regulator when these rights aren’t being respected,” the ICO said in its recent annual report for 2018-19.
Since 25 May 2018, the ICO has had the power to impose a civil monetary penalty on a data controller of up to £17m (€20m) or 4% of global turnover. The maximum under the Data Protection Act 1998 was £500,000.
Publication of the ICO’s latest annual report comes in the same week as the ICO demonstrated its commitment to enforce the new data rules by announcing the first significant fines under the GDPR, with notifications of its intention to fine British Airways £183m and Marriott International £99m.
The report covers an “unprecedented year”, information commissioner Elizabeth Denham wrote in the foreword.
“The ICO has covered an enormous amount of ground over the past year – from the introduction of a new data protection law, to our calls to change the freedom of information law, from record-setting fines to a record number of people raising data protection concerns.
“The biggest moment of the year was the GDPR coming into force. This saw people wake up to the potential of their personal data, leading to greater awareness of the role of the regulator when their data rights aren’t being respected. The doubling of concerns raised with our office reflects that.”
In the 12 months to 31 March 2019, the report shows the number of complaints received by the ICO increased to 41,661, up from 21,019 the previous year, while the ICO’s helpline, chat and written advice services received 471,224 contacts, an increase of 66%.
Denham notes that the GDPR has also brought in a “step change” in how organisations approach data protection. “It increased the onus on organisations to take a proactive approach to data protection, identifying what risks they were creating through their use of data, and working to reduce and mitigate those risks.
“The greater enforcement powers granted to regulators helped to establish compliance as a board-level issue,” she said.
The report shows that the ICO has increased public support through services such as the helpline and live text service, as well as help for organisations of all sizes to embed the GDPR and DPA 2018.
Other support work includes the preparation of statutory codes focusing on age appropriate design, data sharing, direct marketing, and data protection and journalism.
“Throughout the year, the ICO’s experienced and expert team worked incredibly hard to provide the support we knew organisations needed,” said Denham.
In terms of enforcement, the report said the ICO issued 11 assessment notices in conjunction with investigations into data analytics for political purposes, political parties, data brokers, credit reference agencies and others.
The ICO also took action through enforcement notices; issued warnings and reprimands across a range of sectors including health, central government, criminal justice, education, retail and finance; and recorded a record-breaking year of monetary penalties under the DPA 1998.
The report shows that the ICO issued a record-breaking 22 monetary penalties totalling more than £3m.
Other highlights include the launch in May 2017 of a formal investigation into the use of data analytics for political purposes, after allegations were made about the “invisible processing” of personal data and the micro-targeting of political adverts during the 2016 EU referendum. The report notes that the investigation has broadened to become the largest investigation of its type by any data protection authority.
Other investigations led by the ICO’s new High Priority Investigations and Intelligence Directorate covered a wide range of issues, including the use of mobile phone data extraction for policing purposes, concerns that police investigations into rape and serious sexual offences resulted in breaches to the complainants’ right to privacy, and the use of live facial recognition (LFR) technology.
According to the investigation’s preliminary findings, LFR technology that can scan crowds and then check large databases for matches in seconds can be regarded as processing personal data, and any police and private organisations using it should adhere to ICO data protection guidelines.
An unprecedented year, covering so much ground, said Denham, requires an efficient and effective Information Commissioner’s Office. “We have grown in size, capability and ambition over the past year, our workforce grew from 505 to more than 700, with particular increases in the parts of the organisation handling data protection complaints and customer contact,” she said.
Denham said the ICO has also increased its ability to deal with more complex areas, with a Technology Strategy supported by a new executive directorate for technology policy and innovation.
In further comments on the GDPR, the information commissioner said it has so far demonstrated that it is a law that can work alongside emerging technologies and creative approaches.
“There’s no dichotomy between digital innovation and data protection. But progress relies on consumers trusting organisations with their data, and organisations stand at the front line on this,” she said.