Fee and fine structure
Is it just me, or should the fine for the largest companies be 29,000 instead of 4,000? For smaller companies the fine is ten times the fee, for the largest less than 1.5 times. This does not compute.
More than a hundred firms have been fined for failing to pay fees that the UK's overstretched data protection watchdog needs to feather its nest. Since May, data controllers – orgs that define how and why personal data is processed – have been required to pay higher fees to the Information Commissioner's Office. If they don’t …
So a retirement job for ex-MI6 bods?
On a serious note, if they aren't bothering to pay the registration fees how about a sudden audit to make sure they aren't skimping on anything else data related. Make the audit cost a fine so bigger and/or sloppier outfits get hit in proportion.
I'm suspecting that a high number of these are because people simply didn't know they needed to, thinking that GDPR removed the need to do so.
However, a new bit of regulation, the "Data Protection (Charges and Information) Regulations 2018", created a new fee to replace the one lost by the superseding of the Data Protection Act 1998.
Yes: those that don't pay should be fined but the real problems are:
* web sites that pre-tick consent boxes to receive junk mail, etc
* shops/... that demand personal information that is not needed to complete the purchase, e.g. a theatre recently refused to sell me tickets that I was buying in person unless I gave an address; shops that insist on an email address; ...
* organisations that share personal information when they should not
* web sites that send spam in spite of the 'want spam' check box being unticked
Little point in making a complaint about these to the ICO, they won't do anything.
Have you actually tried making a complaint to the ICO? I did once about an estate agent who wouldn't stop contacting me. They were very helpful and I never heard from the estate agent again.
As long as no one complains because they assume nothing will change then guess what, nothing will change!
> Have you actually tried making a complaint to the ICO?
Yes. I was affected by the Experian data breach and sent a fairly extensive (and polite) missive requesting what enforcement action would be taken against them. Buggers couldn't be bothered to respond.
So I will concur with the previous poster who claimed they were of little use.
The Experian data breach affected 15M UK individuals. Did you expect the ICO to respond to each of them personally? Did you really think your 'extensive' missive was telling them anything they didn't already know?
While it might have been polite to at least acknowledge your message the ICO's response to the breach has been very well publicised.
> The Experian data breach affected 15M UK individuals. Did you expect the ICO to respond to each of them personally?
Don't be absurd.
> Did you really think your 'extensive' missive was telling them anything they didn't already know?
I pointed out a few cases where neither their guidance nor the letters from Experian missed important points. I'm nowhere near exceptional enough that this would only have affected me, but presumably a decent proportion of the 15M who had been hit. Points that at least could have been addressed via a website update, hardly an onerous exercise.
The possibility remains that the ICO were too busy investigating Experian to respond, which would be fair enough. Except that there's been very little follow-up on this particular data breach, whereas much more recent ones have already resulted in fines. It's still possible there's an ongoing saga that can't be alluded to lest it prejudice any legal action, but I'm not holding my breath.
So in conclusion, from my experience of this particular incident, small sample size and all, I fail to see a single iota of value that the ICO have added.
"Have you actually tried making a complaint to the ICO?"
Yes. Recruitment agency holding my CV without my consent, I don't even know how they got it. It's even possible they were interfering with a job application by claiming I was under contract with them. Unfortunately recruitment agencies are a big mafia-like business that from the UK control the European market for contractors; they are untouchable and the ICO refused to take action.
Re theatre tickets, and other matters.
Pay by CASH. Keep the receipt.
When they ask for a name and address simply make one up. Or use the M-i-L's.
If everyone did it, the "spammers" would have so much useless data, it may cause them to lose heart. Especially if they spoke to the M-i-L.
"When they ask for a name and address simply make one up"
If you give a fake address you turn yourself from the victim into the guilty one. At the extreme you could be labelled as a fraudster, so why should you do that? The theatre asking for your address is committing an abuse; shun them, boycott them, but don't harm yourself for something that is not necessary.
So, if you register as a data processor, submit to audits, do everything right, then you have to pay the ICO.
If you fail to do all that, you get slapped on the wrist, and a stern warning.
How about making those companies and individuals pay for the ICO which are the actual reason why an ICO is needed in the first place? £1 per customer record lost, 50p for every spam email sent, oh and £10 per illegal nuisance call. Wouldn't the whole problem just go away then?
Or, keep the current system, but with a money-back guarantee. Being affected by one violation of the DP rules (domestic, within the reach of the ICO) and you get your money back.
The way it is now is more like a protection racket than a just fee.
The problem with outsourcing data collection, is that a brute force attack, can’t be trusted to either hit the mark nor provide accuracy, especially today.
It’s often applied by the inexperienced, in an attempt to shortcut a badly designed process in an attempt for quick enrichment, though in the long-term always proves costly and results in complaint. #utilitycompany
An organisation I am involved with was due to renew registration in September. We didn't receive any renewal notice or information on how to pay. The ICO has simply dropped us off the list of registered organisations. I sent an email enquiring. Still waiting for a reply.
> Still waiting for a reply.
The fine is in the post.
That's the thing, ignorance is not a defence. Why did this organisation assume that a statutory registration fee was somehow like a recurring item for which you got a regular invoice? I work for a regulated business. We know that we won't get a polite, timely invoice. And we also know that our sector regulator is a bunch of business-hating, public sector, sandal-wearing communists. This means we pay our fees promptly, if unwillingly.
"And we also know that our sector regulator is a bunch of business-hating, public sector, sandal-wearing communists."
Naaa. They are just safe jobs for people with friends in the right place. Then their purpose is just to pay lip service and not disturb friendly businesses.
I fundamentally agree with the reasons and sanctions coming from the GDPR (and our version, the DPA 2018). I'm a data subject, too, and I want spammers and whoever to fear using my data illegally.
Where I have a problem is with people trying to defend the ICO when the ICO had the same two years - probably more - to prepare for the incoming law and are now being seen for the incompetents they actually are.
We have a regulator whose job description includes the Art. 57(1)(a) requirement to "monitor and enforce the application of this Regulation" and the Art. 57(1)(d) requirement to "promote the awareness of controllers and processors of their obligations under this Regulation" - both of which are apparently not happening.
We get a radio ad campaign in the month leading up to May 25th and not a fat lot else since. I know that radio air time costs money, but they should have been lobbying for funding to pursue this.
We've had the raid on the Cambridge Analytica offices, with 'enforcement' (intentional quotes) officers apparent with their flashy ICO jackets with "ENFORCEMENT" emblazoned across their back. At this point, one can only presume that ICO stands for "Interesting Coat Outfitters" because - in terms of GDPR - they've done nothing other than flash a couple of windcheaters...
If a data subject complains about a company, a quick review of the company's privacy notice would show the extent to which the company has sought to abide by the regulation. A bad privacy notice should lead to an email advising the company that they are on a list for impending audit. That might focus attention more.
They had at least two years to prepare.
Apologies for the brevity, not intended to be blunt...
Assuming I've not misunderstood:
"ICO stands for "Interesting Coat Outfitters" they've done nothing other than flash a couple of windcheaters..."
Would you count fines & prison sentence in one case as "nothing"?
https://ico.org.uk/action-weve-taken/enforcement/
"requirement to "promote the awareness of controllers and processors of their obligations under this Regulation" - both of which are apparently not happening."
Do Youtube, LinkedIn, Facebook & Twitter count?
https://www.youtube.com/user/icocomms
https://www.linkedin.com/company/information-commissioner's-office/
https://twitter.com/ICOnews?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor
https://www.facebook.com/ICOnews
If this ICO is supposed to be a regulatory body, then why isn't it being funded by the government? Here in the U.S., a regulatory body is funded from the government, and its funding is budgeted. There are taxes (sales tax, income tax) and fees, but nothing like the structure of the ICO in the U.K.