Who are the ICO?

The Information Commissioner’s Office (ICO) is the UK’s independent body that upholds information rights in the public interest. It promotes openness by public bodies and data privacy for individuals. It was set up by the government in July 2016 in response to increasing concerns over how people’s personal data is used and managed by businesses and other organisations.

It has specific responsibilities set out in the Data Protection Act 1998; the Freedom of Information Act 2000; the Privacy and Electronic Communications Regulations 2003; and the Environmental Information Regulations 2004. These were supplemented by the 2018 Data Protection Act, which came into force on 23 May 2018 and applies the European Union’s GDPR standards. If the UK leaves the European Union, the GDPR will be incorporated directly into domestic law.

The ICO has substantial powers. Up until May 2018, it could impose a monetary penalty on a data controller of up to £500,000, and shortly after its creation in 2016, it fined TalkTalk £400,000. This was for a failure to protect customer data from a cyber attack, in which nearly 157,000 customers had personal data stolen. The attack took advantage of a weakness in one of the company’s websites of which it was unaware. Although hacking in itself is a criminal offence, the ICO’s information commissioner, Elizabeth Denham, says that hacking is not an excuse for companies to abdicate their security obligations.

Now with the European GDPR standards in force, the ICO has even more power. It can now levy a fine of 4% of global turnover or €20 million, whichever is the greater.

Consumers can make a complaint direct to the ICO if they believe their data is being misused, and the ICO is equipped to take swift and decisive action against companies. But the ICO does not exist to gain compensation for individuals. Under Article 82 of the GDPR, which came into force on 23 May 2018, a data subject can claim compensation for any material or non-material damage. This means that there is no requirement to prove that loss has actually occurred, and it brings to light a very large number of potential claims, as data processing activities are construed in the widest sense possible and apply to almost any scenario where an organisation handles personal data.

Due to the autonomous and electronic nature of modern data processing activities (whether payroll, insurance calculations, credit decisions or security updates, for example), incidents of a data breach or breach of the regulations are unlikely to be isolated. This has given rise to a new business stream for high-volume claims processors and solicitors, which is where National Data Compliance (NDC) comes in.

While the ICO rightly seeks to stop companies abusing personal data, National Data Compliance (NDC) plays an active role in achieving proper compensation for people who have had their personal data stolen, leaked or in any way misused, by connecting them with legal firms that can administer their complaints and secure financial compensation.