Government orders major audit of the ICO's operations

The Government has parachuted in a global management consultancy to run a major audit of the Information Commissioner’s Office, following claims that the regulator does not have the clout to take on the tech giants and is not fit for purpose.

The move was one of the key recommendations of last year’s report from the Parliamentary Joint Committee on Human Rights, which went under the convoluted title of The Right to Privacy (Article 8) and the Digital Revolution (Third Report of Session 2019).

The report quoted a submission from The Law Society of Scotland, which pointed out that the ICO does not actively police the conduct of companies, it only investigates when a breach has occurred or where concerns have been raised.

It added: “Enforcement may increasingly require the regulator to be able to develop their own technology and have teams able to understand technological developments if abuses are to be identified and effectively prosecuted.”

The Parliamentary report also detailed how the resources of the ICO are dwarfed by the companies that it is expected to regulate. In 2018, the ICO had a budget of just over £40m. In comparison, Google UK’s 2018 revenue totalled £1.4bn.

It concluded: “The GDPR should offer a substantial level of protection for people’s personal data, but this does not seem to have materialised in practice. The Government should review whether there are adequate measures in place to enforce the GDPR and Data Protection Act in relation to how Internet companies are using personal data, including consideration of whether the ICO has the resources necessary to act as an effective regulator.”

Now, consultancy Oliver Wyman – which has worked both in the private and public sector and specialises in strategies, operations, risk management, and organisational transformation – will carry out an audit of the ICO’s operations.

The Department for Digital, Culture, Media & Sport (DCMS), which is in charge of the ICO confirmed the appointment but declined to comment, while the ICO insisted the audit was part of a routine, planned review.

The timing, however, could not be worse for Information Commissioner Elizabeth Denham (pictured), having this week faced a double whammy of criticism for pausing the investigation into real-time bidding as well as the new delay to proposed GDPR fines for British Airways and Marriott International.

One data industry source said: “This is not about budgets and power, the Denham’s office already has those in abundance. The ICO admits adtech is a mess, yet fails to act. It claims BA and Marriott were serious breaches but they seem to be wriggling off the hook too. The regulator seems more keen to spout on about data ethics than actually take any enforcement action.”

Meanwhile, Brave chief policy officer Johnny Ryan – one of the most vocal critics of the ICO’s inaction against the tech giants – says the ICO appears unwilling or unable to discharge its responsibilities.

He added: “The ICO’s senior management has not configured the organisation to tackle digital privacy. Consider the budgetary and staffing issues. Although the ICO is by far the most expensive data protection authority to run – costing more than three times its counterparts in France or Spain – and though its budget doubled from 2018 to 2020 to £50m, it has fewer specialist tech investigators than its French or Spanish counterparts.

“Of the ICO’s 680 staff, only 3% (22, including 1 vacant position) are tech specialists. Of these 22 people, only 8 (plus one vacancy) work in the ‘Cyber incident response & investigation unit’. The remaining 13 work in various policy roles. So this suggests that of the ICO’s 680 tech specialists, only 8 are actually investigators. In other words, of the ICO’s 680 staff, only 1% appear to actually work on checking what tech firms do with people’s data.”

When it comes to the ICO’s recent announcement that it was pausing its investigation into real-time bidding (RTB), Ryan said: “It is unclear to me what the ICO has actually paused, since it has not actually taken any statutory action to investigate RTB. More than two years since I first blew the whistle to the ICO, and almost two years since our formal GDPR complaints, the ICO has failed to use any of its investigatory or enforcement powers to end the biggest data breach that UK citizens have ever experienced.”