Category Archives: Information Commissioner

The wheels of the Ministry of Justice

do they turn so slowly that they’ll lead to the Lord Chancellor committing a criminal offence?

On 21 December last year, as we were all sweeping up the mince piece crumbs, removing our party hats and switching off the office lights for another year, the Information Commissioner’s Office (ICO) published, with no accompanying publicity whatsoever, an enforcement notice served on the Secretary of State for Justice. The notice drew attention to the fact that in July 2017 the Ministry of Justice (MoJ) had had a backlog of 919 subject access requests from individuals, some of which dated back to 2012. And by November 2017 that had barely improved – to 793 cases dating back to 2014.

I intended to blog about this at the time, but it’s taken me around nine months to retrieve my chin from the floor, such was the force with which it dropped.

Because we should remember that the exercise of the right of subject access is a fundamental aspect of the fundamental right to protection of personal data. Requesting access to one’s data enables one to be aware of, and verify the lawfulness of, the processing. Don’t take my word for it – look at recital 41 of the-then applicable European data protection directive, and recital 63 of the now-applicable General Data Protection Regulation (GDPR).

And bear in mind that the nature of the MoJ’s work means it often receives subject access requests from prisoners, or others who are going through or have been through the criminal justice system. I imagine that a good many of these horrendously delayed requests were from people with a genuinely-held concern, or grievance, and not just from irritants like me who are interested in data controllers’ compliance.

The notice required MoJ to comply with all the outstanding requests by 31 October 2018. Now, you might raise an eyebrow at the fact that this gave the MoJ an extra eight months to respond to requests which were already incredibly late and which should have been responded to within forty days, but what’s an extra 284 days when things have slipped a little? (*Pseuds’ corner alert* It reminds me of Larkin’s line in The Whitsun Weddings about being so late that he feels: “all sense of being in a hurry gone”).

Maybe one reason the ICO gave MoJ so long to sort things out is that enforcement notices are serious things – a failure to comply is, after all, a criminal offence punishable on indictment by an unlimited fine. So one notes with interest a recent response to a freedom of information request for the regular updates which the notice also required MoJ to provide.

This reveals that by July this year MoJ had whittled down those 793 delayed cases to 285, with none dating back further than 2016. But I’m not going to start hanging out the bunting just yet, because a) more recent cases might well be more complex (because the issues behind them will be likely to be more current, and therefore potentially more complex, and b) because they don’t flaming well deserve any bunting because this was, and remains one of the most egregious and serious compliance failures it’s been my displeasure to have seen.

And what if they don’t clear them all by 31 October? The notice gives no leeway, no get-out – if any of those requests extant at November last year remains unanswered by November this year, the Right Honourable David Gauke MP (the current incumbent of the position of Secretary of State for Justice) will, it appears, have committed a criminal offence.

Will he be prosecuted?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Data Protection, Directive 95/46/EC, GDPR, human rights, Information Commissioner, Ministry of Justice, Uncategorized

Prospective customers and PECR

Who is a “prospective customer”, and can businesses rely on the PECR soft opt-in to send such persons unsolicited direct electronic marketing?

The law says – in terms – that one cannot send unsolicited direct marketing by electronic means (for instance by email) to an email address belonging to an “individual subscriber” (in broad terms, this will be a person’s home, or private, email address) unless the recipient has consented to receive it, or if the sender has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient, the marketing is in respect of the sender’s similar products and services only and the recipient was given the option to opt out of such marketing at the time their details were collected, and in any subsequent communication. This is what regulation 22 of the Privacy and Electronic Communications (EC Directive) 2003 (PECR) says, and has done for fifteen years (the General Data Protection Regulation (GDPR) has slightly altered what is meant by consent, but, other than that, is largely irrelevant here).

For the purposes of this blog post I want to focus on the following words in italics:

…if the sender has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service…

This clearly means that direct electronic marketing can be sent, in appropriate circumstances, to someone who is not yet, and indeed might not ever become, an actual retail customer of the sender.

In light of this, I’m surprised to note the following words in the Information Commissioner’s Office’s guidance on PECR

The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts

It seems to me that “prospective customers” is capable of a range of meanings. On one hand, a prospective customer might be (as the ICO goes on to mention as an example) someone from a bought-in contact list, and with whom the sender who proposes to send electronic marketing has no relationship whatsoever. But, on the other hand, someone who enters into “negotiations for the sale of a product or service” is surely also a “prospective customer”?

I can’t see the ICO’s guidance here as anything but confusing and potentially misleading.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under consent, Information Commissioner, PECR

GDPR – an unqualified right to rectification?

Can FCA – or any data controller – any longer argue that it’s too expensive to have to rectify inaccurate personal data?

Amidst all the hoo-ha about the General Data Protection Regulation (GDPR) in terms of increased sanctions, accountability requirements and nonsense about email marketing, it’s easy to overlook some changes that it has also (or actually) wrought.

One small, but potentially profound difference, lies in the provisions around accuracy, and data subjects’ rights to rectification.

GDPR – as did its predecessor, the 1995 Data Protection Directive – requires data controllers to take “every reasonable step” to ensure that, having regard to the purposes of the processing, personal data which are inaccurate are erased or rectified without delay. Under the Directive the concomitant data subject right was to obtain from the controller, as appropriate the rectification, erasure or blocking of data. Under Article 16 of GDPR, however, there is no qualification or restriction of the right:

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

I take this to mean that, yes, a controller must in general only take every reasonable step to ensure that inaccurate data is rectified (the “proactive obligation”, let us call it), but, when put on notice by a data subject exercising his or her right to rectification, the controller MUST rectify – and there is no express proportionality get-out (let us call this the “reactive obligation”).

This distinction, this significant strengthening of the data subject’s right, is potentially significant, it seems to me, in the recently-reported case of Alistair Hinton and the Financial Conduct Agency (FCA).

It appears that Mr Hinton has, for a number of years, been pursuing complaints against the FCA over alleged inaccuracies in its register of regulated firms, and in particular over an allegation that

a register entry which gave the impression both him [sic] and his wife were directors of a firm which the regulator had publicly censured

This puts into rather simple terms what appears to be a lengthy and complex complaint, stretching over several years, and which has resulted in three separate determinations by the Financial Regulators Complaints Commissioner (FRCC) (two of which appear to be publicly available). I no doubt continue to over-simplify when I say that the issue largely turns on whether the information on the register is accurate or not. In his February 2017 determination the FRCC reached the following conclusions (among others)

You and your wife have been the unfortunate victims of an unintended consequence of the design of the FSA’s (and now FCA’s) register, coupled with a particular set of personal circumstances;

…Since 2009 the FSA/FCA have accepted that your register entries are misleading, and have committed to reviewing the register design at an appropriate moment;

Although these findings don’t appear to have been directly challenged by the FCA, it is fair to note that the FCA are reported, in the determinations, as having maintained that the register entries are “technically and legally correct”, whilst conceding that they are indeed potentially misleading.

The most recent FRCC determination reports, as does media coverage, that the Information Commissioner’s Office (ICO) is also currently involved. Whilst the FRCC‘s role is not to decide whether the FCA has acted lawfully or not, the ICO can assess whether or not the FCA’s processing of personal data is in accordance with the law.

And it occurs to me that the difference here between the Directive’s “reactive obligation” and GDPR’s “reactive obligation” to rectify inaccurate data (with the latter not having any express proportionality test) might be significant, because, until now, FCA has apparently relied on the fact that correcting the misleading information on its register would require system changes costing an estimated £50,000 to £100,000, and the FRCC has not had the power to challenge FCA’s argument that the cost of “a proper fix” was disproportionate. But if the Article 16 right is in general terms unqualified (subject to the Article 12(5) ability for a controller to charge for, or refuse to comply with, a request that is manifestly unfounded or excessive), can FCA resist a GDPR application for rectification? And could the ICO decide any differently?

Of course, one must acknowledge that there is a general principle of proportionality at European law (enshrined in Article 5 of the Treaty of the European Union) so a regulator, or a court, cannot simply dispense with the concept. But there was clearly an intention by European legislature not to put an express qualification on the right to rectification (and by extension the reactive obligation it places on controllers), and that will need to be the starting point for any assessment by said regulator, or court.

 

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under accuracy, Data Protection, GDPR, Information Commissioner

(Data)setting an example

Is the ICO failing to comply with its own obligations under FOI law?

Some UK regulators are subject to the laws or rules they themselves oversee and enforce. Thus, for example, the Advertising Standards Authority should avoid advertising its services in contravention of its own code of advertising practice, the Environment Agency should avoid using a waste carrier who is not authorised to carry waste, and the Information Commissioner (ICO) – as a public authority under Schedule 1 of the same – should not breach the Freedom of Information Act 2000 (FOIA). However, I think I can point to numerous examples (I estimate there are 57 on its own website at the time of writing this) where the last has done precisely this, possibly unknowingly, or – if knowingly – with no contrition whatsoever.

In 2012 sections 11 and 19 of FOIA were amended by the Protection of Freedoms Act 2012 (POFA). POFA inserted into FOIA what are colloquially known as the “dataset provisions”. For our purposes here, what these say is that

Under its publication scheme a public authority should publish datasets that have been requested [under FOIA], and any updated versions it holds, unless it is satisfied that it is not appropriate to do so.

In short – and I take the wording above from ICO’s own guidance – if someone asks ICO for a dataset under FOIA, ICO must disclose it, put it on its website, and regularly update it (unless it is “not appropriate” to do so).

“Dataset” has a specific, and rather complex, meaning under POFA, and FOIA. However, the ICO’s own guidance nicely summarises the definition:

A dataset is a collection of factual information in electronic form to do with the services and functions of the authority that is neither the product of analysis or interpretation, nor an official statistic and has not been materially altered.

So, raw or basic data in a spreadsheet, relating to an authority’s functions, would constitute a dataset, and, if disclosed under FOIA, would trigger the authority’s general obligation to publish it on its website and regularly update it.

Yet, if one consults the ICO’s own disclosure log (its website page listing FOI responses it has made “that might be of wider public interest”), one sees multiple examples of disclosures of datasets under FOI (in fact, one can even filter the results to separate dataset disclosures from others – which is how I got my figure of 57 mentioned above) yet it appears that none of these has ever been updated, in line with section 19(2A)(a)(ii) of FOIA.

Some of the disclosures on there are of datasets which are indeed of public interest. Examples are: information on how many FOI etc requests ICO itself receives, and how timeously it handles them; information on the numbers and types of databreach reports ICO receives, and from which sectors; information on how many monetary penalties have been paid/recovered.

It’s important to note that these 57 disclosures are only those which ICO has chosen, because they are “of wider public interest”, to publish on its website. There may well be – no doubt are – others.

But if these dataset disclosures are, as declared, of wider public interest, I cannot see that ICO could readily claim that its reason for not updating them is because it is “not appropriate” to do so.

It may be that ICO feels, as some people have suggested, that the changes to FOIA wrought by POFA might not have met any pressing public demand for amended dataset-access provisions, and, therefore, compliance with the law is all a bit pointless. But there would be two problems with this, were it the case. Firstly, ICO is uniquely placed to comment on and lobby for changes to the law – if it thinks the dataset provisions are not worth being law, then why does it not say so? Secondly, as the statutory regulator for FOIA, and a public authority itself subject to FOIA, it is simply not open to it to disregard the law, even were it to think the law was not worth regarding.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, datasets, Freedom of Information, Information Commissioner

FOI needs a strong regulator

Slightly more than twenty working days ago I made a request to a government department under the Freedom of Information Act 2000. Following the structure of section 1(1) of the same, I asked

Please confirm whether you hold [X information] regarding [Y]

If you hold this information, please disclose it.

There are relatively mundane reasons why I am keen to know the first point, and, following on from that, to have the information if it exists.

On the twentieth working day (give or take a bank holiday or two) I received a reply to the first point, but total silence on the second:

I can confirm that [government department] does hold [X information] regarding the [Y].

Although this is rather a bizarre approach to an FOI request (FOIA is after all, primarily about access to information, not just knowledge that it exists) I have no reason to think that the failure to note the second point of my very short request was anything other than an innocent mistake.

Accordingly, I pointed the mistake out to the government department, asking them to send the information by return. (I had to do this by email, because no phone number is given on the correspondence or on the relevant (sparse) website (query whether the service is accessible, therefore, to people who may have difficulties in communicating in writing.)) However, not only did I not get the information by return, I got a template reply, and a new reference number, indicating that my follow-up email is being treated as a wholly new request. I would not be surprised for it to take another twenty working days to get a substantive reply (if I’m wrong, I will update this post accordingly).

So what to do? Well, I could complain to the government department, or ask for an internal review, but that would likely take at least another twenty working days to get a response. I could complain to the Information Commissioner’s Office, but, anecdotally, I understand they are taking some months to allocate and deal with complaint, and the only likely outcome would be a declaration that the government department had failed to comply with its section 10 and section 17 FOIA obligations, and giving them another period of days to comply. I can’t make an application for judicial review because a) the idea is completely ridiculous (have you seen my bank balance?) and b) in March the High Court rather peremptorily dismissed an argument that JR should be available for FOIA cases of urgency (on the grounds that the right of appeal under the statutory scheme was sufficient.

And FOIA delays are not isolated incidents; the BBC’s Martin Rosenbaum has written recently, following up his and others’ research, about the apparent contempt with which some public authorities treat FOIA and the Information Commissioner. Yet the latter appears unwilling, despite having the powers to do so, to act. As the Campaign for Freedom of Information recently noted, her recent draft regulatory action policy effectively ignored the fact that she is responsible for FOIA regulation, as well as for data protection and eprivacy.

Data protection and privacy are certainly hot topics (try counting the number of arriviste consultants who’ve sprung up over the last year to get an idea of how hot) but freedom of information laws are a legislative expression of another fundamental human right. I don’t think it’s the case that as a society we just don’t care about FOI (look back to the MPs’ expenses scandal to see how important and high-profile it can be) so why is it that there appears to be no effective mechanism to enforce our rights in a timely way against a recalcitrant public authority?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

5 Comments

Filed under access to information, Article 10, Freedom of Information, Information Commissioner, Uncategorized

It’s all about the fineszzzzz

It can be unwise to make too much of reported and/or throwaway remarks, but I’m going to look at a recent reported, and possibly throwaway, remark by a senior manager from the Information Commissioner’s Office (ICO) at a recent Law Society conference on the General Data Protection Regulation (GDPR).

Giving “A perspective from the ICO” Richard Nevinson, Group Manager for Policy and Engagement, was reported by the Law Society Gazette to have said, on the subject of potential administrative fines under GDPR

If a breach warranted a fine of £30,000 under the Data Protection Act it probably warrants a similar fine under GDPR

This perhaps doesn’t at first blush sound that notable: the Commissioner herself – Elizabeth Denham – has been at pains, over the months leading up to GDPR coming into direct effect, to stress that, although the maximum fine will increase from £500,000 to €20m or 4% of annual global turnover (whichever is larger), such fines are not her focus:

Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense

(despite this, somecommentators have continued to employ such “nonsense”).

What Nevinson said though, goes further than anything I’ve seen so far from the ICO. Because, if what he is reported to have said is correct, it would mean that we should see no change in frequency or amount of fines, unless there is a contravention on an unprecedented scale. The highest fine levied under the existing Data Protection Act 1998 (DPA) has been £400,000 (twice – once to Talk Talk and once to Carphone Warehouse) – only 80% of the current maximum. This means that the ICO cannot feel that the current maximum sets a cap which frustrates them by preventing them from issuing higher fines. One would assume, therefore, that the ICO would (must?) see GDPR’s legislative intent as being to “scale up” fines in some way. But no – says Nevinson – £X under DPA will equate to £X under GDPR.

Following that line of argument, as we have never seen a fine of £500,000 under DPA we will not see one of that size (or higher) under GDPR, unless a contravention emerges that is worse than anything seen before.

I may be wildly over-analysing what he was reported to have said, but I thought it noteworthy enough to blog about it at 06:00 in the morning, so I thought you might too.

Oh, and Nevinson might not be right or might not have been accurately reported, and I definitely might not be right. So you’d be silly to pay too much attention, and you certainly shouldn’t forget about the risks that fines may represent under GDPR.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under 7th principle, Data Protection, GDPR, Information Commissioner, monetary penalty notice

The “GDPR consent” email I’d like to receive

“Dear Jon

You know us. We’re that firm you placed an order with a few months ago. You may remember that at the time we took your order we explained we were going to send occasional marketing emails to you about similar products and services, but you could opt out then, and at any subsequent point.

We know that since 2003 (with the Privacy and Electronic Communications Regulations) (PECR) it’s been unlawful to send unsolicited marketing emails except in circumstances like those above.

We’re contacting you now because we’ve noticed a lot of competitors (and other firms) who are either utterly confused or utterly misrepresenting a new law (separate to PECR) called the General Data Protection Regulation (GDPR). They’re claiming it means they have to contact you to reconfirm your consent to receive marketing emails.

GDPR actually says nothing of the sort. It does explain what “consent” means in data protection terms in a slightly more strict way, but for companies like us, who’ve respected our customers and prospective customers all along, it makes no difference.

In fact, the emails you’re getting from those companies, asking you to “reconsent”, are probably actually direct marketing emails themselves. And if the companies don’t already have your consent to send them they may well be breaking the law in sending them. If you think we’re exaggerating, look at the fine the Information Commissioner’s Office (ICO) levied on Honda last year.

In fact, you’d do well to look at the ICO’s website – it’s got some good stuff on this, both for customers like you, and for companies who are confused by this.

It all really boils down to treating customers well, and not assuming you can send direct electronic marketing without actually looking at what the law says.

So yes, this is a marketing email, and yes, it is lawful, and yes, it is more than a little pompous.”

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

12 Comments

Filed under consent, GDPR, Information Commissioner, marketing, PECR, spam

Rennard, the facts

Has the former LibDem Campaigns guru been engaging in unsolicited electronic marketing?

If I want to market my product or service to you as an individual, the general rule is that I cannot do so by email unless I have your prior consent informing me that you wish to receive it. This applies to me (if, say, I’m promoting this blog by email), it applies to any business, it applies to political parties, and it also applies to Baron Rennard of Wavertree, when he is promoting his new memoirs. However, a recent media story about the Lord Rennard’s promotional activities suggests he may not be aware of his legal obligations here, and for someone who has held senior roles within the Liberal Democrats, someone renowned as a “formidable and widely respected practitioner of political campaigning”, this is rather concerning.

The law (regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)) outlaws the sending of unsolicited email marketing to individuals, unless the recipient has previously consented to receive the marketing (the exception to the general rule is that email marketing can be sent if the sender has obtained the recipient’s email address “in the course of the sale or negotiations for the sale of a product or service to that recipient” and if it is explained to the recipient that they can opt out – this is often known as the “soft opt-in“).

Lord Rennard is reported as saying

I have emailed people from my address book, or using publicly available email addresses, about the publication of a volume of memoirs

But just because one already holds someone’s email address, or just because an email address is in the public domain, this does not justify or permit the sending of unsolicited marketing. The European Directive which the PEC Regulations implement makes clear that people have a right to respect for their correspondence within the context of electronic communications, and that this right is a part of the fundamental rights to respect for protection of personal data, and respect for a private and family life. It may be a lot to expect the average person sending an email promoting a book to know this, but when the sender is someone whose reputation is in part based on his skills as a political campaigner, we should surely expect better (I say “in part” because, of course, the Lord Rennard is known for other things as well).

At a time when the use of digital data for political campaigning purposes is under intense scrutiny, it will be interesting to see what the Information Commissioner (who is said to be investigating Rennard’s marketing exercise) says. It might not seem the most serious of issues, but it encapsulates a lot.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Information Commissioner, marketing, PECR

On the breach

Failure to notify the ICO in a timely manner of a personal data breach under PECR carries a £1000 fixed penalty notice – why not something similar under wider data protection law?

When the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) were amended in 2011 to implement the Citizens’ Rights Directive, an obligation was placed upon providers of a public electronic communications service  (“service providers”) to notify personal data breaches to the Information Commissioner’s Office (ICO) “without undue delay”, and in 2013 article 2(2) of European Commission Regulation 611/2013 provided , in terms, that “without undue delay” would mean “no later than 24 hours after the detection of the personal data breach, where feasible”. The 2011 amendment regulations also gave the ICO the power to serve a fixed penalty notice of £1000 on a service provider which failed to comply with notification obligations.

Thus it was that in 2016 both EE and Talk Talk were served with such penalties, with the latter subsequently unsuccessfully appealing to the Information Tribunal, and thus it was that, last week, SSE Energy Supply were served with one. The SSE notice is interesting reading – the personal data breach in question (defined in amended regulation 2 of PECR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”) consisted solely of the sending of one customer email (containing name and account number) to the wrong email address, and it appears that it was reported to the ICO two days after SSE realised (so, effectively, 24 hours too late). If this appears harsh, it is worth noting that the ICO has discretion over whether to impose the penalty or not, and, in determining that she should, the Commissioner took into account a pour encourager les autres argument that

the underlying objective in imposing a monetary penalty is to promote compliance with PECR. The requirement to notify…provides an important opportunity…to assess whether a service provider is complying with its obligations under PECR…A monetary penalty in this case would act as a general encouragement towards compliance…

As any fule kno, the looming General Data Protection Regulation (“GDPR”) expands to all data controllers this obligation to notify the ICO of qualifying personal data breaches. Under GDPR the definition is broadly similar to that in PECR (“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) and a breach qualifies for the notification requirements in all cases unless it is “unlikely to result in a risk to the rights and freedoms of natural persons”. Under GDPR, the window for notification is 72 hours.

But under GDPR, and under the Data Protection Bill currently in Parliament, there is no provision for similar fixed penalty notices for notification failures (although, of course, a failure to notify a breach could constitute a general infringement under article 83, attracting a theoretical non-fixed maximum fine of €10m or 2% of global annual turnover). Is Parliament missing a trick here? If the objective of the PECR fixed penalty notice is to promote compliance with PECR, then why not a similar fixed penalty notice to promote compliance with wider data protection legislation? In 2016/17 the ICO received 1005 notifications by service providers of PECR breaches (up 63% on the previous year) and analysing/investigating these will be no small task. The figure under GDPR will no doubt be much higher, but that is surely not a reason not to provide for a punitive fixed penalty scheme for those who fail to comply with the notification requirements (given what the underlying objective of notification is)?

I would be interested to know if anyone is aware of discussions on this, and whether, as it reaches the Commons, there is any prospect of the Data Protection Bill changing to incorporate fixed penalties for notification failures.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach Notification, Data Protection, Data Protection Bill, enforcement, GDPR, Information Commissioner, monetary penalty notice, PECR

My small business advice…let’s be blunt.

In recent months I’ve seen plenty of articles and comments, on regular and social media, to the effect that either the government, or the Information Commissioner’s Office (ICO), or both, must do more to educate businesses about the General Data Protection Regulation (GDPR) and to help them comply with its requirements.

My response to this is blunt: when setting up and when running a business, it is for the owner/directors/board to exercise appropriate diligence to understand and comply with the laws relating to the business. Furthermore, the costs of this diligence and compliance have to be factored into any new or ongoing business plan. Even more bluntly – if you can’t afford to find out what the applicable law is, and you can’t afford to comply, then you haven’t got a viable business.

(Less bluntly, there is of course a wealth of information, mostly from the ICO, about what GDPR means and how to comply. Ultimately, however, data protection law is principles-based and risk-based and no one but those responsible for running it can reasonably say what compliance means in the context of that particular business).

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner