The Information Commissioner’s Office (ICO) supports organisations through online guidance but also with a helpline and chat. More confident organisations can seek a certification or even audit by the ICO.
Those who wish to approach the ICO should do their homework first. With all ducks in a row when contacting the ICO, there is a better chance to make it count.
What does the ICO do?
The ICO is the UK’s independent body set up to uphold information rights for the public in the digital age.
One of the Information Commissioner’s Office’s primary objectives is to promote best practice. This is achieved in part by providing organisations with advice and guidance. The General Data Protection Regulation (GDPR) also requires supervisory bodies (the ICO is a supervisory body) to establish data protection certification mechanisms and data protection seals and marks for the purpose of demonstrating compliance with the GDPR (Article 42).
The ICO prides itself on always seeking compliance by providing organisations with the help and guidance they need and by promoting good data protection practice. The ICO much prefers to assist organisations to achieve compliance, but when necessary it will use its enforcement powers.
The ICO is responsible for ten areas of legislation (Acts of Parliament and Regulations) which are as follows:
- Data Protection Act,
- General Data Protection Regulation,
- Freedom of Information Act,
- Environmental Information Regulations,
- eIDAS Regulation,
- Privacy and Electronic Communication Regulations,
- Inspire Regulations,
- Re-use of Public Sector Information Regulations,
- NIS regulations,
- Investigatory Powers Act.
This article will concentrate on how to engage with the ICO to obtain advice, guidance and certification in respect of data protection legislation.
The ICO has a very comprehensive guidance section on its website. The guidance is aimed at the small and medium-sized enterprise (SME) starting a data protection journey, data protection officers, national and multi-national data protection professionals and the data protection legal community.
The ICO recommends that those seeking help and support with little data protection knowledge and experience (typically SMEs) should start with the Frequently Asked Questions (FAQ) section. For example, the first heading in the FAQ section is ‘Getting started with data protection.’ A click on this link opens a further page with seventeen sub-headings, from ‘Does data protection law apply to my business’ to ‘What does data protection by design and default mean.’
The FAQ page has a further seven areas from ‘Principles and Definitions’ to ‘Data protection and the EU.’
The main data protection guidance index on the ICO website lists twenty-four different areas of guidance relating to the Data Protection Act 2018. The guidance areas are more in depth than the FAQ pages and cover areas such as Anonymisation, Big Data, Binding Corporate Rules, CCTV, Data Sharing, International Transfer, Marketing, Security and Subject Access.
Each guidance area leads to a more in-depth analysis of the subject. For example, the ‘Online and Computing’ section has seven sub-headings, from ‘Bring your own device’ to ‘Wi-Fi location analytics.’
The ICO has a separate page dedicated to a data protection guide.
Help and support
The ICO also hosts a helpline and encourages individuals and organisations to make contact should they require further help or support. There is also a chat line which covers registration enquiries and data protection enquiries from individuals and organisations. The help and chat lines are staffed by experienced data protection case workers.
In 2020/21 the ICO received 319,377 calls to the helpline compared with 395,197 during the previous year. The reduction is attributed to the pandemic.
Request for audit
Organisations may also seek an ICO audit as a means to assess their data protection compliance. An ICO audit provides an assessment of an organisation’s data protection practice. The ICO audit ‘plays a key role in assisting organisations in understanding and meeting their data protection obligations.’
Following a voluntary audit the ICO will produce a report which will in all likelihood make recommendations detailing how data protection compliance can be improved. It is also likely that the ICO will set a time frame by which it expects the recommendations to be actioned. This may take the form of a follow-up audit.
The benefit of the audit is that it is an opportunity to obtain an independent view of an organisation’s data protection practice, provided by an experienced audit team at no expense to the organisation.
The ICO encourages organisations to engage with them to improve their data protection practices and compliance.
The ICO publishes summaries of all completed audits on their website.
Certification is a way for an organisation to demonstrate compliance with the UK GDPR.
The UK GDPR says that certification is a means to:
- demonstrate compliance with the provisions on data protection by design and by default,
- demonstrate that you have appropriate technical and organisational measures to ensure data security, and
- support transfers of personal data to third countries or international organisations.
The ICO encourages the use of data protection certification mechanisms as a means to enhance transparency and compliance with the UK GDPR.
Obtaining certification for data protection processing allows an organisation to be more transparent and accountable. It will also help to create effective safeguards to mitigate data protection risk and protect the rights and freedoms of the data subject.
Applying for certification is voluntary. Certification provides a framework for organisations to follow, helping to ensure compliance and offering assurance that specific standards are being followed. Certification will give an organisation a competitive advantage and will mitigate the risk of enforcement action.
Approved certification schemes can be found on the ICO website. At present there are only three approved schemes.
The Regulatory Sandbox
A sandbox is a testing environment which isolates untested and experimental projects from the real-world environment, allowing their development in a safe and controlled manner.
The Regulatory Sandbox is a service developed by the ICO to support organisations to deliver new products and services in an innovative and safe way.
The sandbox provides organisations with a free service from the ICO. The sandbox is open to organisations big and small from a number of sectors. Organisations have to apply for the sandbox service. If they are successful they are given the opportunity to engage with the ICO sandbox team. This will allow them to receive advice and guidance on mitigating risks and embedding data protection by design.
There are several clear benefits for organisations who take part in the sandbox. For example, organisations will have increased confidence that the finished project will be fully compliant with data protection regulations. Organisations will also benefit from increased consumer trust in their use of personal information. It may also give them an opportunity to inform future ICO guidance.
There are also clear benefits for the ICO. Engaging with business and innovators in the sandbox allows the ICO to have an involvement in new technology and innovation and the challenges that these may present.
The ICO is always keen to assist organisations to achieve a competent level of data protection compliance. The guidance section is regularly updated to reflect new technology and legislation. On occasions where regulatory action has shown that a particular area requires clarification and direction, the ICO will publish further guidance.
The help and chat lines are very popular and where an enquiry cannot be answered on the telephone the query will likely be passed to the relevant department within the ICO.
The regulatory sandbox offers great benefits for participants as well as the ICO and the professional public. However, a good level of preparedness is recommended before engaging on difficult data protection questions.
Mick Gorrill is a data protection Pro DPO