UK Privacy Regulator Names and Shames Breached Firms

The UK Information Commissioner’s Office (ICO) has taken the unusual step of publishing details of personal data breaches, complaints and civil investigations on its website, according to legal experts.

The data, available from Q4 2021 onwards, includes the organization’s name and sector, the relevant legislation and the type of issues involved, the date of completion and the outcome, explained Ropes & Gray associate Edward Machin.

“Given the significance of this development, it’s surprising that the ICO has (1) chosen to release it with limited fanfare, and (2) buried the data sets on its website. Indeed, it seems to have flown almost entirely under the radar,” he argued.

“Understanding whether their breach or complaint will be publicized by European regulators is one of – if not the – main concern that organizations have when working through an incident, and the answer has usually been no. That is particularly the understanding or assumption where the breach or complaint is closed without regulatory enforcement. Now, at least in the UK, the era of relative anonymity looks to be over.”

Despite the lack of fanfare around the announcement, this naming and shaming approach could make the ICO one of the more aggressive privacy regulators in Europe, argued Machin.

He said that in future, claimant firms in class action lawsuits may adopt “US-style practices” of scanning the ICO database to find evidence of repeat offending or possible new cases.

The news comes even as data reveals the value of ICO fines issued in the past year tripled from the previous 12 months.

In the year ending October 31 2022, the regulator issued fines worth £15.2m, up from £4.8m the previous year, according to data collected by law firm RPC.

“The sharp increase in the value of fines shows the ICO’s increasing willingness selectively to crack down on businesses – particularly those that the ICO perceives have not taken adequate measures to protect customer and employee data,” noted RPC partner Richard Breavington.

“While the regulator took a more measured approach to sanctions during the pandemic, this attitude of forbearance appears to be changing.”

Information Commissioner John Edwards has been forced to defend his new approach to the public sector, which equates to more education and fewer fines.