The ICO recently announced “subtle but significant” changes in its approach to data protection complaints about businesses made by the public. Consumer-facing brands will want to stay on the right side of the law anyway – what will the changes mean in practice, and when does a business run the risk of enforcement action?
The ICO has launched a Consultation entitled ‘our new approach to data protection concerns’, running from 18 December 2013 to 31 January 2014, seeking to collect the views of ICO regulated organisations. The proposed changes are planned to take effect from 1 April 2014.
Why is the ICO’s approach changing?
The ICO received 40,000 written enquiries or complaints, and 214,000 phone calls, from members of the public in 2012/13. In only 35% of these instances had data protection legislation actually been breached. The ICO is therefore encouraging individuals to raise their concerns first with the organisation complained about. Its approach to data protection concerns is being streamlined in a bid to allow the regulator to focus on serious contraventions and on repeat offenders who breach the legislation.
When will the ICO take action in response to a complaint?
Businesses still need to take care. Once an individual has raised a complaint with the organisation, if they are not satisfied with the outcome, they may still send their complaint, and the organisation’s response, to the ICO. The ICO will keep a record of complaints in order to identify and take action against patterns that emerge. If the organisation complained about is a repeat offender, or the breach is serious, enforcement action will still be taken.
What does this mean for responsible brands?
This is therefore good news for compliant organisations, with existing systems in place to respond to queries and resolve complaints, as not much will have to change. In addition, any positive initiative or strategy used by an organisation may be published on the ICO website.
However, this does not mean that businesses can be blasé. Subject access requests and data protection complaints are often a symptom of wider customer dissatisfaction. It must not be forgotten that in today’s world, enforcement comes not only in the form of the ICO, but in the reputational damage caused to brands by individuals complaining through social media. In some instances, this could be more far-reaching than enforcement action by the ICO. Reputational damage will be further cemented by the ICO publishing the number of breaches by an organisation on its website.
Organisations with an opinion on this matter have until 31 January to respond to the ICO’s consultation. Following the consultation, the ICO’s new approach will take effect on 1 April 2014.
Recap on UK enforcement powers and enforcement policy
Even though the changes to complaint handling may not be big news for the majority of companies, it may be helpful to recap on the circumstances in which the risk of enforcement could arise. The ICO has no power to award compensation to the public, but it can take a range of enforcement actions against organisations.
Details of ICO enforcement can be found here, and Datonomy previously highlighted the changes to the ICO’s policy last year. According to the ICO, it has served over 5,000 decision notices since 2005, and published 27 undertakings in 2013. It may also impose fines of up to £500,000 in the most serious cases, to act as ‘both a sanction and a deterrent’ (according to its enforcement policy).
In order to impose a monetary penalty, the ICO must be satisfied that:
- there has been a serious contravention of section 4(4) of the Act (i.e. one of the data protection principles) by the organisation,
- the contravention was of a kind likely to cause substantial damage or substantial distress, and
- either the contravention was deliberate, or the organisation knew or ought to have known that there was a risk that the contravention would occur (i.e. it was reckless), and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it.
The ICO enforcement policy can be found here. It explains that although action is sometimes taken as a result of an individual’s complaint, the initial drivers also include issues of general public concern, concerns of a novel or intrusive nature, and concerns which become apparent through the ICO’s other activities. It also sets out criteria for when the ICO is likely to take action. These factors include:
- the scale of the detriment the breach is likely to cause to an individual,
- the number of individuals adversely affected,
- whether enforcement action could stop an ongoing adverse impact, and
- whether the attitude and conduct of the organisation in question suggests a deliberate, wilful or cavalier approach to data protection issues.
As indicated by the enforcement section of its website, the ICO is transparent in its enforcement action, in line with the first Guiding Principle in its enforcement policy. Therefore, the threat is not only a potential pecuniary penalty but, in some cases more crucially, reputational damage to a company. In addition to the enforcement notices and undertakings detailed above, the ICO will further ‘name and shame’ organisations with poor data protection practices by publishing the number of complaints made about an organisation.
The wider context
Larger fines are on the horizon. New EU privacy laws, which have now been delayed, could enable data protection authorities to fine companies the greater of €100 million or two, or even five, per cent of global revenue.
With the new approach to complaints from data subjects, far from loosening its grip on data protection enforcement, the ICO is simply targeting its action on breaches by bigger players. The moral of the story? Ensure your organisation has good data protection and information rights practices, and keep your customers happy.