Is the ICO meeting the needs of the individual when it comes to data breaches?
Our managing director Kingsley Hayes has been keeping a close eye on the key data privacy trends that our firm has seen since the General Data Protection Regulation (GDPR) came into force. And he believes that the Information Commissioner's Office's (ICO) approach to data breach enforcement isn't yet meeting the needs of the individual. But could things be about to change?
What are we seeing?
At Hayes Connor Solicitors, we have received thousands of enquiries from customers who have suffered as a direct result of a high-profile data breach. And every day, we are also helping the victims of smaller data breaches. Breaches that are causing misery and upset to people across the UK.
So, as you can imagine, our expert data protection solicitors pay close attention to how the ICO has responded to data breaches of all types and sizes.
In our opinion, the ICO has taken a proactive stance when it comes to commenting on large-scale breaches. This has no doubt been done to secure the attention of the media and politicians. And to make sure that organisations take appropriate action in the aftermath of any breach.
But, while we understand this approach, we also believe that the ICO still requires education on the full and lasting impact of data breaches. Because to date, the experience of the individual is still being downgraded.
Is emotional distress being taken into account by the ICO?
As it stands, the ICO is not coming down hard on organisations that are reporting data breaches and apologising for the violations. This can leave victims of data breaches wondering whether their suffering has even been taken into account.
For example, at Hayes Connor, we have experience of a particular organisation with a track record of committing data breaches that can only be described as atrocious. Over the last four years, over 150 incidents of the same type have been reported. And despite reported changes to process and internal governance, another significant and life-affecting breach occurred in the months leading up to the implementation of the GDPR.
Unfortunately, for those involved in this case, the ICO's response was less than satisfactory.
Are things about to change?
We hope that, as time progresses, so too will the ICO's approach. And there are signs that things are changing.
For example, earlier this year the ICO sent a warning shot to all organisations that - while unlikely to make any headlines - has wide-reaching implications.
In this case, the regulator took legal action against a housing developer. The developer had failed to comply with an Enforcement Notice which had been served by the ICO in relation to a failed subject access request. Under data protection laws, such a request allows an individual to request a copy of all the personal information an organisation holds about them.
The ICO won this case, and the developer was ordered to pay a fine and prosecution costs.
Crucially, by supporting the individual and taking robust action in this matter, the ICO demonstrated that it is intent on pursuing any organisation which is not taking its data protection obligations seriously.
However, the role of the ICO is to uphold information rights in the interest of the public and manage the complaints process. To do this effectively it must understand the various psychological effects that data breaches can have on individuals.
Thankfully, over the last few years, people are waking up to the reality of mental health. And there is a greater awareness about the lasting effects of psychological suffering and anguish. But more still needs to be done.
Education is vital
According to Professor Hugh C. H. Koch, renowned clinical psychologist and visiting professor in law and psychology at Birmingham City University School of Law, education is crucial to ensure the needs of the individual are met. He said:
"Education within the legal media, both written and digital, concerning the psychological effect of data breaches reinforced at legal educational meetings and conferences will raise the bar of how much lawyers know and understand about data breach effects."
Until then, while much has been achieved since the introduction of the GDPR, there is still a fair way to go before individuals can expect the standard of data protection we should all aspire to.
Leading by example
At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are helping to raise awareness of this issue and educating people and businesses to prevent similar mistakes from happening.
Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call to discuss your case in more depth.