The enforcement activities of the Information Commissioner’s Office (ICO) have increased over the past three years with a marked shift away from headline grabbing financial penalties in favour of more subtle and sophisticated enforcement tools.
According to PwC’s Privacy and Security Enforcement Tracker, the number of enforcement notices have quadrupled in the last two years alone while the number of businesses criminally prosecuted has risen significantly, from seven in 2013 to 18 in 2014.
Stewart Room, partner at PwC Legal and author of the report, said: “If you are a regulated entity, you cannot afford not to track and react to developments in enforcement cases. If you don’t understand what is happening on the ground you will fail to adjust your business operations to take account of current and emerging regulatory priorities. You will then be exposed to enforcement action, which can cause massive business disruption.”
The most frequently used tool of enforcement was ‘written undertakings’, whilst the number of financial penalties issued fell from 18 in 2013 to just 11 in 2014.
Jonathan Armstrong, partner at Cordery, told IT Security Guru that he agreed that this is a sign of a more focussed approach. He said: “The ICO has rightly prioritised the areas we care most about – loss of health data, data relating to criminal convictions, loss of data that could be used for identity theft and nuisance calls and scams. They have not always got it right – the failure to act over illegal parking ‘fines’ might be one example – but there’s a feeling that there is a strategy which is being followed.
“Also the ICO is not the only sheriff in town. As our research last year showed there are a significant number of criminal prosecutions for data protection offences too.”
A spokesperson for the ICO said that it has a range of powers to ensure compliance with the Data Protection Act and make sure organisations look after people’s information correctly.
“Our power to issue a monetary penalty of up to £500,000 is only considered in the most serious cases where we can clearly show that a data breach caused, or had the potential to cause, substantial damage and distress to the individuals affected,” they said.
“We are also able to serve enforcement notices, issue undertakings and agree improvements on an informal basis where there is no need for further regulatory action. Our criteria for serving monetary penalties has not changed since our ‘Monetary penalties guidance’ was last updated in January 2012.”
Room said: “What we are witnessing is the emergence of what will be one of the toughest regulatory environments for business. New EU data protection legislation, to be adopted in the next 12 months and fully implemented by 2018, will bring tougher sanctions that aim to make the ICO and his EU counterparts some of the most powerful business regulators in existence.”
