ICO to publish names of organisations it investigates

Published on 31 March 2023

The question

How effective will the Information Commissioner’s Office’s (ICO) new approach to transparency be in driving compliance with UK data regulation?

The key takeaway

The UK’s data protection authority, the ICO, has started publicising data sets and naming organisations that have been subject to reprimands, complaints and concerns. Given the growing importance of consumer trust in any organisation’s use of personal data, the threat of publicity may prove to be a strong weapon in the ICO’s armoury in improving levels of data compliance.

The background

Previously, the ICO had ensured that its dealings with organisations were kept confidential, which helped to facilitate early and open reporting. In a shake-up to current operations, the ICO’s Communicating Regulatory and Enforcement Activity Policy has stated that it will now publish any reprimands, complaints or concerns issued to an organisation if it “will help promote good practice” or “deter non-compliance”. Currently, similar data is not usually published by EU data protection authorities, which suggests that organisations regulated by the ICO will face additional challenges in comparison. In an attempt to increase the levels of good practice, the ICO hopes this revised approach will also reduce its workload following pending data protection reforms.

The development

The information which the ICO is now publicising covers the following:

  • Reprimands: Rather than imposing a fine for non-compliance with data protection law, the ICO may issue an organisation with a letter stating that it believes that the relevant organisation has exhibited non-compliant behaviour, providing a list of reasons and any suggested actions. Reprimands are used in cases in which the infringement is not serious enough to justify a fine or a specific action. The ICO will now publish all reprimands, including those issued from January 2022 onwards, to encourage good practice among public and private organisations. However, the ICO reserves the right to not publish a reprimand for matters which could affect national security or other ongoing investigations.
  • Complaints and concerns: The ICO is also now publishing data sets on complaints and concerns, which include a variety of information such as civil and cyber investigations, self-reported personal data breaches and data protection complaints raised by members of the public. The data is published in a reusable format, and although it contains considerably less detail than reprimands, it does include the names of organisations even where no infringement has been found. This is likely to be useful for the purposes of due diligence, allowing other companies to get a clearer idea of the level of dispute frequency associated with each organisation.

Why is this important?

UK organisations will no longer be afforded the levels of anonymity they had previously enjoyed. The ICO’s stringent approach to transparency may become a cause for concern, particularly amongst organisations that carry large amounts of consumer data where breaches are more likely.

Any practical tips?

Negative publicity is a powerful regulatory tool. Indeed, it is the primary enforcement stick used by many regulators, such as the Advertising Standards Authority. If the ICO starts wielding this stick effectively, thereby raising public awareness of those organisations who are not fully engaging with data regulatory compliance, this will be a further item to take very seriously on the data risk list.

Spring 2023