Post-GDPR: The Changing Face of The ICO
A number of issues are now being tackled by the Information Commissioner’s Office (ICO), including the use of facial recognition technology and data analytics.
Speaking at DIGIT’s second annual GDPR Summit this week, Ken Macdonald, Head of ICO Regions, outlined the changing face of the data landscape both in Scotland and the UK as a whole.
The event, which saw more than 300 delegates in attendance, contextualised the rapidly-changing data environment in the wake of GDPR implementation earlier this year.
Macdonald said that, while the sweeping regulations initially proved troublesome for smaller businesses, overall the impact of GDPR has been positive, increasing transparency and formulating a strong system through which data privacy can be stringently protected.
The ICO, he remarked, has benefited and learned from this, both in the run-up to GDPR implementation and afterwards.
The regulator has undergone significant expansion in the past 18 months, with additional staff and structures put in place to ensure the effectiveness of the organisation. GDPR, Macdonald noted, played a key role in prompting this expansion.
“In the ICO, we had our busiest period ever in the run-up to GDPR implementation,” he said. “We had to increase our phone helplines 300% as we moved closer to the deadline.
“We’ve been steadily increasing our staff levels as well. When I joined some 13 years ago, we had around 270 to 280 staff. At this point, we’re now hitting 700 staff and we still have more recruitment to come.”
This expansion by the ICO comes not only from a need to enforce compliance by organisations and companies across the UK but also to ensure that the ICO can act swiftly and effectively, Macdonald said.
“What we want to do is respond swiftly and effectively and that’s part of the reason our staff numbers have grown,” Macdonald explained. “Our enforcement teams have grown as well and we’ve revised the structures within the organisation – bringing on a new layer of directors focusing on a number of functions.”
The ICO’s role, however, is about more than just enforcement of policy. Macdonald highlighted the work the organisation does to change the culture within organisations and firms around the country.
Through effective advice and cooperation, the ICO hopes to ensure that future breaches can be prevented by learning from mistakes.
“We’ve got to be effective. There’s no point in us being a regulator if we don’t manage to change practices in organisations. Not just organisations we’re taking action against, but in others that can learn from the mistakes of others.”
Macdonald outlined a number of powers the ICO can now utilise to enforce data compliance, including enforcement orders, audits and fines. While some of these have been traditionally used by the regulator, with the advent of GDPR the weight behind the ICO is now far more substantial, he noted.
The ICO also plans to release a standard code of practice from which organisations can set the benchmark for their data practices.
While data breaches and high-profile scandals have permeated the airwaves in the last 18 months, Macdonald offered a detailed insight into the investigations underway at the ICO into the use of data analytics in politics.
“The big thing we’ve been doing recently in regulation is the investigation into data analytics,” he said. “These issues have hit the headlines for a number of reasons but, most importantly, for the possible impact on the Brexit referendum and subsequent elections.
“It’s the largest investigation we’ve done and it’s covered a whole range of players in the field. Social media, analytics firms, academic institutions and political parties are all being investigated,” he added.
These investigations, while highlighting the proactive nature of the organisation, have led to criticism of the regulator.
Macdonald acknowledged that the maximum penalty the ICO can hand down to a company – £500,000 – does appear small when one considers the size of the companies on the receiving end. Facebook, in particular, he said, was an issue where the ICO drew criticism.
“In fact, just last week our commissioner, Elizabeth Denham, was speaking to an international committee and politicians were lambasting us for the fine.”
This restriction is due to the era in which the incident occurred, he explained. While new legislation grants tougher powers to regulators across Europe, they must consider the time in which misuse or negligence occurred.
In the coming months and years, he said, we will begin to see the full extent of GDPR legislation being used in instances such as these – with maximum fines of twenty million euros or 10% of an organisation’s yearly revenue, the stakes are raised for companies with blasé practices.
Other social issues have caught the attention of the ICO, Macdonald told the audience, in particular the use of facial recognition technology by police forces in the UK.
The technology is often criticised for being highly intrusive, and a number of civil liberty groups have been vocal over its use. This is an issue the ICO is monitoring extensively now.
Macdonald said: “One of the big things at the moment is the use of facial recognition technology by a couple of forces down south, including the Metropolitan police force and South Wales Police.
“This is something we need to get involved in, and have a dialogue with other forces. We need to ensure that, if forces are using this technology, then they’re doing so in a responsible and legal manner.”