Data protection enforcement has seemingly now been put on hold in the UK with the Information Commissioner's Office (ICO) informing complainants that cases will no longer be investigated throughout the remaining lockdown period.
Just last month the ICO announced that it would be adjusting its approach to data protection enforcement during these times of uncertainty by shifting its focus to the most serious cases with the largest predicted impacts, putting less strain on its limited resources. The ICO also noted that, because many organisations have significantly reduced operational resources and financial income during this time, financial penalties will likely be lower and more consideration will be given to whether enforcement action is appropriate altogether.
Despite these changes to their approach, the ICO emphasises that companies and independent users should still continue to report breaches as they would under normal circumstances, but observers claim that operations seem to have stopped completely.
Over the last month the ICO has been informing complainants directly that they are no longer taking forward any cases, sparking complaints from activists at the Open Rights Group (ORG) in response to a particular adtech investigation facing delays and potential reductions in fines. Writing to the ICO, the Executive Director at ORG stated, "The strain on external organisations should be a factor in their policies, but it can't be an overriding one - especially when a lot of the response to COVID is all about processing personal data."
This complaint came just after a letter supposedly sent from the ICO to a lawyer filing a data protection complaint, which included the following:
"Unfortunately, I am not able to write to [the company in question] for further information about your complaint and their information right practices, at present. This is because, as you are aware, the coronavirus pandemic is putting unprecedented pressure on all organisations and a great many are either suspending activity or having to prioritise resources. We have therefore decided not to take forward any complaints that require organisations to take action or respond to enquiries from us until the situation improves."
Although it is understandable that the ICO must adjust some approaches in response to the huge changes to daily operations that so many companies are facing right now, this does raise concerns that users may adopt the mindset that they can overlook data protection in the short term because they won't have to face the repercussions.
Are Operations Continuing?
Despite the letter shared above, a spokesperson for the ICO has clarified that it is still pursuing new investigations, stating, "Since the COVID-19 pandemic started, we have only paused under ten percent of cases and investigations. These are specific cases where progressing regulatory activity may not be possible or appropriate during a global health emergency."
This statement is also supported by the recent news of EasyJet's cyber breach which led to the personal data of 9 million customers being exposed, with investigations seeming to continue despite ongoing lockdown conditions. Discussing the matter, an ICO spokesperson said, "People have a right to expect that organisations will handle their personal information securely and responsibly. When that doesn't happen, we will investigate and take robust action where necessary."
As things currently stand, EasyJet could face a potential fine of £18 billion, with customers receiving up to £2,000 each if the claim is successful.
Looking to Improve Your Data Protection?
With targeted phishing attacks only increasing in response to current concerns around COVID-19, protecting your business data is more important than ever before. Below we have highlighted some industry-leading technology that can drastically improve the security of your confidential data.
Security Awareness Training
Barracuda PhishLine is a security awareness training and phishing simulation solution designed to protect your organisation against targeted phishing attacks. PhishLine trains employees through continuous courses to understand the latest social engineering phishing techniques, recognise subtle phishing clues, and prevent email fraud, data loss, and brand damage.
Smart Inbox Defence
By self-learning your business's unique communication patterns, Barracuda Sentinel detects sophisticated attacks from both internal and external sources in real time. Upon detection, the service recognises any behavioural anomalies within your Office 365 environment and prevents malicious content infiltrating user inboxes. Best of all - all of this is done with virtually no IT administration.
Barracuda Cloud-to-Cloud Backup provides comprehensive, cost-effective, scalable protection for your Office 365 data. It automatically backs up all your email, OneDrive for Business, SharePoint, and Microsoft Teams data to Barracuda Cloud Storage - and when time is of the essence, restoring what you need takes just a few clicks.