January 6, 2021
The Information Commissioner's office regulates privacy and data protection in the U.K.
The Information Commissioner’s Office might not be a pop-culture term, but it’s certainly well known to anyone following privacy and data protection. That’s because it’s the U.K.’s data protection authority, and changes in global and local laws in recent years have allowed it to take actions garnering headlines in local and global newspapers.
It’s also one of the most active data protection authorities, and it gained a bit of mainstream fame when its enforcement officers raided the offices of Cambridge Analytica, the infamous data analytics firm behind Facebook’s data breach in 2014. The pictures of the ICO team entering the London-based firm won’t soon be forgotten; The Guardian's spread featured a shot of enforcement agents, backs to the camera, their company jackets bearing “ICO Enforcement” in bright white letters across the shoulders. It was like seeing the FBI invade a drug ring. In fact, agents searched the firm for seven hours straight.
It was an image that said to the world: the U.K. ICO, led by Commissioner Elizabeth Denham, is serious about enforcement.
Despite the optics, ask the question generally among those informed, "Is the ICO the most effective data protection authority?" and you're bound to get a split vote.
That’s because “effective” is a relative term.
In the last year, the ICO has taken up 1,039 decision notices. Though the ICO has taken up enforcement actions against companies like Cambridge Analytica, U.K. Ticketmaster, British Airways and Marriott International, the general complaint from privacy advocates is typically that the ICO sticks to enforcing data breaches and isn’t as active in privacy enforcement more broadly.
To be fair, the ICO enforcement actions were big newsmakers. Under its mandate to enforce the EU General Data Protection Regulation, the data protection authority fined Ticketmaster £1.25 million for failing to protect customer payment data. More significantly, it fined British Airways £183 million and Marriott International £18.4 million for their respective data breaches.
But there are always going to be folks who disagree on enforcement actions. When the Federal Trade Commission settled with Facebook for $5 billion last year, half of the pundits would cite its record-breaking fine, and half would be quick to note that $5 billion is nothing to a tech giant like Facebook.
For those who can’t agree on whether the ICO is the most “effective” regulator, there’s likely more consensus over whether the ICO is one of the most active regulators. It prolifically issues guidance on how to follow data protection laws. Anyone following the topic will notice releases from the commissioner’s office almost weekly. Its 2019 guidance on deploying cookies under the GDPR was highly anticipated, for example, as cookies were facing increasing scrutiny over their legality once the GDPR came into force in 2018.
And no story about the U.K. would be complete without mentioning Brexit. The ICO has an important role guiding organizations through the transition period. The once free-flowing data allotment from member states to the U.K. will change. There was great fear that the U.K. would immediately be deemed "inadequate," a designation given to countries whose standards don't meet the high standard of the GDPR. But this week, a crisis was averted when U.K. lawmakers signed a post-Brexit deal with the EU. It allows the European Commission to take an additional six months to evaluate the U.K.'s adequacy.
That’s important because the laws the ICO enforces, including the EU General Data Protection Regulation and the U.K. Data Protection Act, can be complicated, nuanced, and situation-specific. There’s no shortage of privacy professionals and corporate lawyers scrambling for answers on how regulators might view and then enforce various provisions of both laws.
Luckily for the ICO, it has a healthy team of more than 500. It's funded mainly by a provision in U.K. data protection law requiring organizations to pay a data protection fee. That accounts for 85 to 90 percent of the ICO’s budget. Additionally, the agency receives supplemental grants-in-aid from the U.K. government to fulfill freedom-of-information requests. In fiscal year 2019 to 2020, the ICO estimates it collected roughly £46,560,000 through the data protection fee and £4,626,000 from that supplemental income.
The ICO is a member of the European Data Protection Board, the group of EU data protection authorities charged with enforcing the EU GDPR. The board works together to try and harmonize enforcement across member states and also acts as a dispute resolution body in cases where a problem can't be resolved by a specific DPA.
While Brexit will surely shake up the regulatory stage slightly (the ICO will no longer take part in the European Data Protection Board as it leaves the EU), there's no indication the regulator has any plans to slow its role as a leading enforcer of data privacy and data protection law. And as the ICO generates headlines and issues fines, its global counterparts are incentivized to "keep up with the Joneses." And that's good news for data subjects everywhere.
Writer at Osano
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”