The Information Commissioner's Office (ICO) dealt with a record number of data protection incidents last year. In terms of news value, the ICO report may have been eclipsed by the recent global ransomware cyber-attack, but the ICO says it received the highest ever number of self-reported data protection concerns from individuals.
Most concerns were about subject access requests especially in the health, local government and business sectors. The types of incidents that generated the most reports to the ICO by individuals were subject access request failures, data posted or faxed to the wrong recipient, theft or loss of paperwork, cyber incidents and data sent by email to the wrong recipient. Happily, for the data controllers, most ICO investigations resulted in no action taken.
The 2016/17 year also saw the ICO issue more monetary penalties for unlawful marketing activities than before – totalling £1.923 million. Half of complaints for breaches of PECR (Privacy and Electronic Communications Regulation) were for automated calls https://ico.org.uk/about-the-ico/our-information/annual-operational-reports-201617/
The ICO says it has improved and sped up the way it deals with complaints, no doubt mindful that when the GDPR comes into effect next May, consumers will have more (and more easily exercised) data protection rights, and the regulator will have much larger fines at its disposal to deal with offenders. We can also anticipate that the increased focus on transparency under GDPR will result in a broader spectrum of causes for complaint. At the moment, consumers simply don't understand what organisations are doing with their data (and so they aren't in a position to be able to challenge organisations on their data practices or complain to the regulator about it). One of the key purposes of GDPR is to put control back into the hands of individual data subjects – it will be interesting to see how that control is exercised.
Written by Jo Vale.
For more information please contact our editorial and regulatory media team.