It is nearly ten years since the MPs' expenses scandal broke. The result was wholesale public distrust in MPs and the formation of a new regulator, the Independent Parliamentary Standards Authority (IPSA). IPSA is in the news this week for failing to be transparent: 377 MPs have had their parliamentary credit cards blocked over issues with expenses claims. Commentators are suggesting that IPSA is weak and that its systems are as bad as those that preceded it. What does this mean in the context of data protection enforcement?
As IPSA's former Interim Operations Director, charged with the security of data, staff and facilities, with processing expenses and salary transactions, and with making the new scheme operational, I am not surprised by the regulator's actions. Regulators are somewhat like swans: serene on the surface, but underneath great big flippers are paddling very hard to push the body along.
Since then, I have worked for a second UK regulator, the Care Quality Commission (CQC), and that experience confirmed my view. A lack of data protection enforcement does not mean a lack of investigation. Politically, a regulator cannot exist for long without "meaningful and tangible" enforcement to keep its political masters happy.
Unrest in the industry
There is currently unrest in the industry over the seeming inaction of the UK data protection regulator, the ICO. Some perceive GDPR as all smoke and mirrors, and the ICO as a toothless tiger interested only in the big picture and headline grabbers (Facebook). As a result, organisations have become ambivalent about their investment in data protection.
Some organisations perceive their investment in data protection as wasted or pointless, and feel they have better things to spend their limited resources on. In my experience of working directly with them, this attitude is most prevalent in the public sector.
Like IPSA, the ICO works very hard, and investigations take time and money. Why would the ICO want to expose all the activity it is working on and blow cases it has worked on for months?
What drives the Regulators?
This defence, however, can only last so long, because regulators are driven by:
- Politics – Whatever they say about independence, political interference always takes place. They are, after all, funded by the State. My experience tells me that the hotline to the DCMS is "lukewarm" at the moment.
- Public opinion – Regulators love a big news story. They love a "big cheese" in a headline. However, they need to be 100% watertight with their case, as such targets tend to have expensive lawyers who will blow the budget. So decision making is often based on cost and public interest.
- Low-hanging fruit – Believe it or not, this does not mean big corporations. It means quick, no-appeal enforcement. Appeals cost time and money, and large corporations are better equipped to fight them. Smaller organisations be warned: you are easy prey and snack food.
- Public sector – Public sector organisations are the easiest to hit with enforcement. They should know better. Often they take the enforcement on the chin and come quietly without the need for cuffs. The fines are often "wooden dollars" (public money moving from one public purse to another). It makes a great news story and often costs someone his or her job. So be warned!
- Cost – Public sector bodies are under the cosh in terms of spending. The ICO needs a clear strategy, based on its limited resources, for delivering effective enforcement. GDPR is an accountability framework, and how best to leverage it cost-effectively is the challenge for now.
Enforcement Action
The ICO is already behind most EU regulators in data protection enforcement action. We have already seen media coverage of ICO enforcement ramp up, but once again GDPR enforcement news is light touch: the enforcement tends to be under PECR (the Privacy and Electronic Communications Regulations) or the Data Protection Act 1998.
Regulators risk-stratify using understandable metrics such as public interest, deterrence, ability to secure enforcement, risks to data subjects and cost, so within the ICO this exercise will already have been undertaken and key areas are already being targeted (review the list above for the likely suspects).
We should not forget that Facebook and Cambridge Analytica sucked up vital ICO resources. However, this explanation for the perceived inaction can only last so long, as the credibility of our regulator is on the line. Whilst a "big fine" for a "big cheese" would make a great headline, most of us want enforcement to concentrate on those who look after our most vulnerable data, often found in our health services, schools, colleges, universities, police services and workplaces.
The jury is out; keep attacking.
Nigel Gooding FERPI is Founder and Chief Data Protection Officer at the Data Privacy Advisory Service. Nigel is also the UK Chair of the European Risk Policy Institute.