It is nearly ten years since the MPs' expenses scandal broke. The result was wholesale public distrust in MPs and the formation of a new regulator, the Independent Parliamentary Standards Authority (IPSA). IPSA is in the news this week for failing to be transparent after 377 MPs had their parliamentary credit cards blocked over issues with expenses claims. A whole host of commentators are suggesting that it is weak and has systems as bad as the ones that existed before IPSA was formed.
As IPSA’s former Interim Operations Director, charged with the security of data, staff and facility, as well as with processing expenses and salary transactions and making the new scheme operational, the actions of the regulator, in this case IPSA, do not surprise me. Regulators are somewhat like swans: serene on the outside, but with great big flippers and paddles underneath working very hard to push the body along.
Since my time at IPSA I have worked for a second UK regulator, the Care Quality Commission (CQC), and that experience confirmed my thoughts. A lack of enforcement does not mean a lack of investigation, and a regulator cannot politically exist for long without “meaningful and tangible” enforcement to keep its political masters happy.
There is currently unrest in the industry over the seeming lack of action by the UK Data Protection regulator, the ICO. The view put forward by some is that GDPR was all smoke and mirrors and that the ICO is a toothless tiger, only interested in the big picture and headline grabbers (Facebook), and that as a result organisations have become ambivalent about their investment in Data Protection.
Some organisations approached said their investment in Data Protection was either wasted or pointless and that they have better things to spend their limited resources on. The public sector is where this view is most prevalent, from my experience of working directly with it.
Like IPSA, the ICO works very hard; investigations take time and money. Like IPSA, why would the ICO want to expose all the activity it is working on and blow the cases it has so diligently worked on for months? This defence, however, can only last so long, as regulators are driven by:
- Politics – Whatever they say about independence, political interference always takes place. They are, after all, funded by the State. My experience tells me that the hotline to the DCMS is ‘lukewarm’ at the moment.
- Public opinion – Regulators love a big news story; they love a “big cheese” in a headline. However, they need to be 100% watertight with their case, as such targets tend to have expensive lawyers who will blow the ICO budget. So decisions are often taken on cost and public interest, and not lightly.
- Low-hanging fruit – Believe it or not, low-hanging fruit does not mean big corporations; it means quick, no-appeal enforcement. Appeals cost time and money, and large corporations are better equipped to appeal. Smaller organisations, be warned: you are easy prey and snack food.
- Public sector – Public sector organisations are the easiest to hit with enforcement. They should know better, and they will often take the enforcement on the chin and come quietly without the need for cuffs. The fines are often ‘wooden dollars’. It makes a great news story and often costs someone his or her job. So be warned!
- Cost – Public sector bodies are under the cosh in terms of spending. The ICO needs a clear strategy, based upon its limited resources, for a policy that delivers effective enforcement. GDPR is an accountability framework, and how best to leverage it cost-effectively is the challenge for now.
The ICO is already behind most of the EU regulators in GDPR enforcement action. We have already seen media coverage of ICO enforcement ramping up, but once again the GDPR enforcement news is light-touch; the enforcement tends to be under PECR or the 1998 Act.
Regulators risk-stratify using understandable metrics such as public interest, deterrence, ability to secure enforcement, risks to data subjects and cost, so within the ICO this exercise will have been undertaken and key areas are already being targeted (review the list above for likely suspects).
We should not forget that Facebook and Cambridge Analytica sucked up vital ICO resources. However, this reason for perceived inaction can only last so long, as the credibility of our regulator is on the line here. Whilst a “big fine” for a “big cheese” would make a great headline, most of us want the enforcement to concentrate on those who look after our most vulnerable data, often found in our health services, schools, colleges, universities, police services and workplaces.
The jury is out; keep attacking.
Nigel Gooding FERPI is Founder and Chief Data Protection Officer at the Data Privacy Advisory Service. Nigel is also the UK Chair of the European Risk Policy Institute.