They say a week is a long time in politics; at the Information Commissioner’s Office every week must have seemed like a year during the past 12 months.
The “in-tray” has been piled high: so far the ICO has carried out raids on rogue call centres; paved the way for the new nuisance calls legislation, dishing out £250,000 in fines in one week alone; investigated the charity sector; looked into CCTV; dealt with the fall-out from the Safe Harbour ruling; tackled third-party consent; probed the TalkTalk breach; appeared in front of numerous Parliamentary committees; and initiated a structural shake-up as it prepares for life after Christopher Graham and his two senior executives, David Smith and Graham Smith.
And with the EU General Data Protection Regulation all but complete, next year is hardly going to be a breeze.
As Graham said when the search for his successor kicked off earlier this month: “The next Information Commissioner will take the helm at an exciting time for information rights. Growing public concerns about privacy and public demand for transparency, combined with the upcoming EU data protection regulation and potential challenges to FOIA, mean that a fascinating and rewarding job just got even bigger and better.”
Of course, for the legitimate direct marketing industry, the ICO’s work is crucial in weeding out the bad boys, but it is powerless when it comes to preventing data breaches, which have been virtually daily occurrences this year.
With that in mind, the new EU data protection rules will be a massive wake-up call to any company which holds customer data. While the direct marketing industry is patting itself on the back, the mandatory breach notification requirements are likely to make concerns over consent for marketing data seem like a small sideshow.
Under the changes, fines for non-compliance could be as high as €100m (£70m) or up to 4% of a company’s annual global turnover.
However, if the new rules had already been in place when TalkTalk was hacked in October, it could be facing a fine of nearly £72m, based on its turnover of £1.8bn. That is in addition to the £35m in one-off costs it has already set aside, and the cost of any resultant legal action from customers.
As Christopher Graham told MPs last month: “The TalkTalk breach is a wake-up call. Everyone has to accept that hackers are testing and testing and testing. It’s a counsel of defeat to say you can never be secure. You can be more secure than you were last year and you probably have to be. This has been a wake-up call to everybody; you simply have to put in place the most effective systems that you can and make sure customer information that has been entrusted to companies is as safe as it can be.
“The more effective wake-up call to companies is looking at what this does to the brand and looking at what it does to their business.”
No-one can say they haven’t been warned…