Can the ICO handle the truth?

09 Apr 2018

This article first appeared on Thomson Reuters Regulatory Intelligence on 03 April 2018.

"Tell it all, tell it fast, tell the truth." — a refrain familiar to any organisation regulated in the UK.

The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) demand openness and cooperation. The National Crime Agency (NCA) carries carrots and sticks to incentivise reports of known or suspected money laundering. The Office of Financial Sanctions Implementation (OFSI) wants to hear about sanctions breaches, HM Revenue and Customs cares about tax evasion and the Serious Fraud Office (SFO) threatens prosecution for any organisation that keeps quiet about a past involving bribery.

This year, however, that refrain comes from another regulator, the Information Commissioner's Office (ICO), which has joined the reporting chorus. With new powers under the General Data Protection Regulation (GDPR) from May 2018, the ICO will require organisations to report personal data breaches to it without undue delay, where these are likely to result in a risk to people's rights and freedoms. In addition, if the breach is judged to be high-risk, the ICO may advise, and indeed order, organisations to report the breach to the affected individuals.

In recent days, the ICO has shown new resolve, and attracted considerable publicity, by urgently seeking a warrant to search Cambridge Analytica and asking parliament for additional powers of investigation. But can the ICO manage the anticipated increase in data breach reports, even with new intimidating powers and penalties, from May 2018? 

>To read the full article please click here