It’s Time for Privacy Pros to Make a Strategic Shift
The importance of effective data privacy can no longer be ignored.
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: December 6, 2022
Published: January 6, 2021
The Information Commissioner's office regulates privacy and data protection in the U.K.
The Information Commissioner’s Office might not be a pop-culture term, but it’s certainly well known to anyone following privacy and data protection. That’s because it’s the U.K.’s data protection authority, and changes in global and local laws in recent years have allowed it to take actions garnering headlines in local and global newspapers.
It’s also one of the most active data protection authorities, and it gained a bit of mainstream fame when its enforcement officers raided the offices of Cambridge Analytica, the infamous data analytics firm behind Facebook’s data breach in 2014. The pictures of the ICO team entering the London-based firm won’t soon be forgotten; The Guardian spread featured a shot of enforcement agents, back-to the camera, their company jackets bearing “ICO Enforcement” in bright white letters across the shoulders. It was like seeing the FBI invade a drug ring. In fact, agents searched the firm for seven hours straight.
It was an image that said to the world: the U.K ICO, led by Commissioner Elizabeth Denham, is serious about enforcement.
Despite the optics, ask the question generally among those informed, "Is the ICO the most effective data protection authority?" and you're bound to get a split vote.
That’s because “effective” is a relative term.
In the last year, the ICO has taken up 1,039 decision notices. Though the ICO has taken up enforcement actions against companies like Cambridge Analytica, U.K. Ticketmaster, British Airways and Marriott International, the general complaint from privacy advocates is typically that the ICO sticks to enforcing data breaches and isn’t as active in privacy enforcement more broadly.
To be fair, the ICO enforcement actions were big newsmakers. Under its mandate to enforce the EU General Data Protection Regulation, the data protection authority fined Ticketmaster £1.25 million for failing to protect customer payment data. More significantly, it fined British Airways £183 million and Marriott International £18.4 million for their respective data breaches.
But there are always going to be folks who disagree on enforcement actions. When the Federal Trade Commission settled with Facebook for $5 billion last year, half of the pundits would cite its record-breaking fine, and half would be quick to note that $5 billion is nothing to a tech giant like Facebook.
For those who can’t agree on whether the ICO is the most “effective” regulator, there’s likely more consensus over whether the ICO is one of the most active regulators. It issues guidance on how to follow data protection laws prolifically. Anyone following the topic will notice releases from the commissioner’s office almost weekly. Its 2019 guidance on deploying cookies under the GDPR was highly anticipated, for example, as cookies were increasingly facing scrutiny for controversy over the technology's legality once the GDPR came into force in 2018.
And no story about the U.K. would be complete without mentioning Brexit. The ICO has an important role guiding organizations through the transition period. The once free-flowing data allotment from member states to the U.K. will change. There was great fear that the U.K. would immediately be deemed "inadequate," a designation given to countries whose standards don't meet the high standard of the GDPR. But this week, a crises was averted when U.K. lawmakers signed a post-Brexit deal with the EU. It allows the European Commission to take an additional six months to evaluate the U.K.'s adequacy.
That’s important, because while the laws the ICO enforces, including the EU General Data Protection Regulation and the U.K. Data Protection Act, can be complicated, nuanced, and situation-specific. There’s no shortage of privacy professionals and corporate lawyers scrambling for answers on how regulators might view and then enforce various provisions of both laws.
Luckily for the ICO, it has a healthy team of more than 500. It's funded mainly by a provision in U.K. data protection law requiring organizations to pay a data protection fee. That accounts for 85 to 90 percent of the ICO’s budget. Additionally, the agency receives supplemental grants-in-aid from the U.K. government to fulfill freedom-of-information requests. In fiscal year 2019 to 2020, the ICO estimates it collected roughly £46,560,000 through the data protection fee and £4,626,000 from that supplemental income.
The ICO is a member of the European Data Protection Board, the group of EU data protection authorities charged with enforcing the EU GDPR. The board works together to try and harmonize enforcement across member states and also acts as a dispute resolution body in cases where a problem can't be resolved by a specific DPA.
While Brexit will surely shake up the regulatory stage slightly — the ICO will no longer take part in the European Data Protection Board as it leaves the EU — there's no indication the regulator has any plans to slow its role as a leader as an enforcer of data privacy and data protection law. And as the ICO generates headlines and issues fines, its global counterparts are incentivized to "keep up with the Joneses." And that's good news for data subjects everywhere.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.