Information commissioner John Edwards has defended his new strategy for enforcing the UK GDPR with public sector bodies, using reprimands rather than fines. The Commissioner stated that fines to public bodies created a “money go-round” where funds were being moved between government organisations. Also, unlike in the private sector, fines do not come out of shareholder pockets or profits but come directly out of funds that are used to deliver services to the public. Citing an example where a fine was to be issued to an NHS Trust, he argued that this loss of funds would harm the quality of care provided to patients and thus further punishing victims whose rights the ICO should uphold.
Although fines have been put on hold, the ICO will continue to monitor the public sector, and having a robust compliance programme is as important as ever, as data breaches have multiple, hidden costs. The article outlines these as well as some simple measures for organisations to enhance their compliance programme, which allow them to identify any gaps and risks before they result in data breaches.
According to Edwards, issuing fines to public sector organisations is ineffective based on previous cases that demonstrate little evidence to support the idea that fines lead to better compliance and overall outcomes. Therefore, in the next two years, the ICO will rely more on issuing reprimands, which will be made public (along with the value of the fine that would have been issued), as well as enforcement notices to public sector organisations. Regarding investigations into data breaches, the ICO will continue to undertake these in the same manner as before and follow up with organisations to ensure improvements are made. The ICO will also continue to work with public sector organisations on advice and guidance regarding the safe processing of personal data. There are also no changes to the ICO approach when it comes to private organisations, where fines will still be issued as usual.
Edwards rejected the idea that the ICO was “going easy” on government organisations. In turn, he expects a higher level of engagement from public sector senior leaders ensuring that investment of time and resources in compliance work be fit for the future. He also stressed that this was a two-year trial, and if no improvements are detectable, then this decision will be re-evaluated.
Importance of robust compliance mechanisms
The ICO’s stance demonstrates that irrespective of fines, strong data protection measures should always be a focus when organisations process personal data. The right to privacy is a fundamental human right and all organisations who work with data should take the necessary steps to protect data subjects. Data breaches can cause individuals various harms, ranging from emotional stress and inconvenience to financial losses. Public sector organisations that hold sensitive data and/or data of children, should always take special measures to protect such data.
In addition to human rights violations, data breaches can also result in reputational damage, which is similarly difficult to measure. ICO reprimands will from here on be published, “unless there is a good reason not to”, which can have severe consequences for organisations, especially who are found to repeatedly demonstrate a lack of protection for personal data. Reputational damage can be multifaceted, and can involve loss of user trust, resulting in a high increase in Data Subject Access Requests taking up time and human resources, which may already be stretched. Organisational breaches which may result in news headlines for an extended period, also risk a higher number of complaints and litigation action from data subjects.
To ensure data protection compliance to avoid the above consequences from data breaches, organisations could take measures like:
- Data protection audits/gap analysis to identify gaps in compliance.
- Data protection training and awareness raising for staff, using multiple approaches to reach different audiences and staff with differing responsibilities when it comes to processing personal data.
- Ensuring that policies and procedures are in place and are reviewed and updated at regular intervals.
- Using a data protection by design and default approach for all projects, using tools like Data Protection Impact Assessments and Risk Assessment to ensure that protection and safeguarding of personal data is built in from the start.
The above approaches, to name a few, are effective at monitoring the data protection compliance across an organisation. They assist with identifying risk and closing any gaps that may remain in the organisation’s current approach. These are all low cost, high impact approaches, which, once in place and implemented, are easy to maintain and assist with protecting personal data to limit the risk of data breaches and incidents.
Trilateral Research’s Data Protection and Cyber-risk Team can help your organisation create a data protection and cybersecurity strategy and identify your priorities for 2023. Furthermore, our interdisciplinary team of legal, technical, compliance and risk management experts can also help you to identify and close any gaps in your compliance programme. We can also provide training for your staff, to suit your organisation’s focus and ambitions. For more information or to talk to one of our advisors, please contact us.