Back to more articles

The latest round of ICO action and why you should be interested

 Article added: 10/12/2018

For many, the actions of the Information Commissioners Office (ICO) are either boring or not relevant or so they think.

When I first started in business it was acceptable to get most of your ’industry information’ from fellow business contacts. Someone, somewhere was always deep into the rules and regulations and passing their knowledge into the food chain of information that we all tapped into. As the years have moved on so too has that process.

Nowadays, regulations are getting worse (or better depending on your viewpoint). So much so that successful business owners have to spend time reading and understanding the rules in order to keep the raft of regulators off their backs.

So what’s new?

Well here’s the interesting part that should concern every business owner, the ICO have been notably increasing their staffing levels from a reported 442 in 2016 to 537 at the beginning of 2018.

This increase has had an inevitable impact on the ICO’s ability to tackle Data Protection related issues that have previously gone untouched.

Ordinarily, the ICO would be visibly seen to focus their attention on what most of us would call the ’major rogues’, generally denoted by those companies who rank in the ICO’s top 20 complaints list each month.

Now, however, the ICO can be seen to be tackling the ’smaller’ Data Protection breakers and here’s where the warning lays.

Good business is.....

“Good business owners who want to market their services and want to still be in business in the future, spend time to keep up to date with legislation no matter how boring or complex it may seem.”

ICO fines companies for failing to renew Data Protection Registrations

At the end of November 2018, the ICO issued a number of fines to businesses who forgot to renew their Data Protection Registrations. They’ve never done that before.

In fact, such has been the lethargy that the ICO has tackled failure to renew a Data Protection Registration that court cases relying on the ICO to do just that have failed when the ICO’s attitude was more akin to “well if there’s no consumer harm and they’ve now registered, we don’t see that there’s any further action to take.” Such an attitude was undoubtedly borne out of the lack of resources for tackling what the ICO clearly saw as ’not a priority’.

However, try telling that to those businesses receiving the fines today.

It’s a historic moment in the ICO’s history to be tackling these kinds of issues and in particular this issue.

It doesn’t end there though.

Tougher action

The ICO had a recent case regarding data theft. Mustafa Kasim worked for Nationwide Accident Repair Services (NARS) and accessed thousands of consumer records. It doesn’t go into great detail behind the motivation of the theft but I’d assume it to be accident claims related, but that’s not important.

The important thing here is that the ICO would normally prosecute such cases like this under the Data Protection Act resulting in a fine and a criminal record, but this time they decided to apply Section 1 of the Computer Misuse Act 1990 which resulted in Mustafa getting a 6 month jail sentence.

You can bet your bottom dollar Mustafa didn’t see that coming!

The point to make here is that the regulators as a whole are being more creative, more intuitive and more determined to exert their own brand of justice and businesses on the receiving end of it will loudly attest to that I can assure you.

My advice to the ICO?

“With great power, comes great responsibility. Stay in the lines and keep the respect.”

Whilst I totally get the ICO’s decision on this case, I just wish they did a better job of making people aware of the consequences that employees might face in these circumstances. I’m sure every employer would welcome that. Prevention being better than cure and all that!


To bring things to a close, what you need to gleam from these recent events is that your interpretation of a ’small matter’ or ’not a big deal’ might well land you with a fine or possibly worse and that issue could raise it’s ugly head some 18 months later.

So make sure you’re doing all your basic due diligence checks and processes, because it surely can’t be long before a handful of complaints could see your business added to the list of those getting fined because you ’forgot’ to screen your data or you failed to understand the rules governing the use of data.

TPS Services Vince Costa-Barnett said:

“Spend the time, even if you don’t want to, to understand the rules about data, data sharing, data purchasing and data screening and cleansing before it’s too late.

It may be difficult, even boring, but if you plan on being in business five years from now then it’s unavoidably necessary!

Useful links relating to this article

If your business purchases or sells data then you should read the latest Direct Marketing Guidance issued by the ICO for a complete explanation of what the ICO expects from companies involved in or buying from the direct marketing industry.
Back to more articles