Who enforces the Data Protection Act?
The Information Commissioner's Office (ICO) is an executive public body that enforces and regulates the Data Protection Act (DPA) and upholds information rights. The ICO provides advisory guidelines for organisations to aid the transition needed to comply with the DPA 2018. Moreover, the ICO is responsible for determining and administering the repercussions an organisation will face if it breaches the DPA. The penalties an organisation may face are not mutually exclusive: the ICO will administer whichever penalties are appropriate when necessary, so it is essential to remain up-to-date with ICO guidelines.
The ICO's role in data protection:
The ICO does not only impose the repercussions of an organisation's failure to comply with the DPA; it also offers guidelines and advice to help organisations comply. An organisation that processes personal or sensitive data is required to register with the ICO. The ICO therefore holds the relevant information on all data controllers in the UK, including their names, addresses and the type of processing the organisation carries out. These organisations then have access to the ICO's guidelines and advice, which they need to ensure the DPA has been implemented correctly.
Consequently, the ICO's budget for 2018, following the new DPA legislation, has increased to £34 million from £24 million previously. This increased budget is needed to fund a larger number of case officers, information commissioners, enforcement officers and advisers.
The need for more ICO employees is a response to the broader scope of the data regulations implemented in 2018, which the ICO must enforce. The new regulations require organisations to report a data breach within 72 hours, so the ICO expects to receive more data breach reports than it did under the previous DPA.
ICO penalties for breaching the DPA:
The ICO conducts audits to examine an organisation's compliance with the DPA. If the organisation is found to have breached the DPA, the ICO may impose the discretionary fines at its disposal.
The ICO imposes administrative fines on organisations according to the specifics of each case. The highest tier of fine an organisation could face for breaching the DPA is either 4% of its annual global turnover or 20 million euros, whichever is higher. The ICO is accountable for issuing these penalties, so it must ensure that any administrative fine it issues is effective, proportionate and dissuasive.
In January 2018 the ICO was confronted with the data breach of Carphone Warehouse, the British mobile phone retailer, which had taken place in 2015. Carphone Warehouse had experienced a series of systematic failures that enabled the 2015 breach to occur. The ICO stated that the data security arrangements Carphone Warehouse had put in place were concerning and did not even comply with basic security measures. Information Commissioner Elizabeth Denham stated that a company as large and as established as Carphone Warehouse should not have had 11 separate issues undermining its data protection policy.
Carphone Warehouse's inadequate data protection and security practices allowed the breach to occur, in which 3 million customers and 1,000 employees had their personal data compromised by hackers; this personal data included customers' credit card details. The ICO was forced to administer financial repercussions for such inadequate handling of data by such a large company, and Carphone Warehouse was therefore subject to a £400,000 fine.
TalkTalk also received a £400,000 fine from the ICO in 2016 after a cyber-attack was able to compromise the personal data of its customers with relative ease, owing to TalkTalk's inadequate data security. These large fines issued by the ICO highlight how imperative it is for an organisation to maintain a strong and secure data security policy.
Therefore, the knowledge and training needed to uphold organisational compliance with the DPA are fundamental to an organisation's success, and essential to avoiding harsh repercussions from the ICO.