Er, we have 670 staff to feed now: UK's ICO fines 100 firms that failed to pay data protection fee

More than a hundred firms have been fined for failing to pay fees that the UK's overstretched data protection watchdog needs to feather its nest. Since May, data controllers – orgs that define how and why personal data is processed – have been required to pay higher fees to the Information Commissioner's Office. If they don’t …

  1. A.P. Veening

    Fee and fine structure

    Is it just me, or should the fine for the largest companies be 29,000 instead of 4,000? For smaller companies the fine is ten times the fee, for the largest less than 1.5 times. This does not compute.

  2. Pascal Monett Silver badge
    Trollface

    a "robust collection process"

    It seems that the "robust process" would work much better if it was 2.15 meters high and 150 kilos, with extensive prior experience in Russia.

    1. Wellyboot Silver badge
      Happy

      Re: a "robust collection process"

      So a retirement job for ex Mi6 bods?

      On a serious note, if they aren't bothering to pay the registration fees how about a sudden audit to make sure they aren't skimping on anything else data related. Make the audit cost a fine so bigger and/or sloppier outfits get hit in proportion.

      1. phuzz Silver badge

        Re: a "robust collection process"

        "a sudden audit to make sure they aren't skimping on anything else data related"

        Check their accounts too, if they're slacking in one area they're probably slacking in others too.

  3. Mixedbag

    Not sure that it's been well publicised

    I'm suspecting that a high number of these are because people simply didn't know they needed to, thinking that GDPR removed the need to do so.

    However a new bit of regulation "Data Protection (Charges and Information) Regulations 2018" created a new fee to replace the one lost by the superseding Data Protection Act 1998.

  4. ElNumbre

    Mafiosa

    "Pay us a protection fee to help you manage your GDPR" or we break your business ankles.

    I didn't realise there was an ICO tax.

    1. James 51 Silver badge
      Joke

      Re: Mafiosa

      @ElNumbre Mafiosa, is that a spell from the new Harry Potter movie?

    2. hmv

      Re: Mafiosa

      So you're expecting the ICO to work for free are you?

      1. Anonymous Coward

        Re: Mafiosa

        No one expects the ICO.

    3. Primus Secundus Tertius Silver badge

      Re: Mafiosa

      @ElNumbre

      I was about to ask: should "…failed to pay data protection fee" read as "failed to pay protection money"?

  5. alain williams Silver badge

    Not paying the ICO is NOT the problem

    Yes: those that don't pay should be fined but the real problems are:

    * web sites that pre-tick consent boxes to receive junk mail, etc

    * shops/... that demand personal information that is not needed to complete the purchase, eg: a theatre recently refused to sell me tickets that I was buying in person unless I gave an address; shops that insist on an email address; ...

    * organisations that share personal information when they should not

    * web sites that send spam in spite of the 'want spam' check box being unticked

    Little point in making a complaint about these to the ICO, they won't do anything.

    1. Oddlegs

      Re: Not paying the ICO is NOT the problem

      Have you actually tried making a complaint to the ICO? I did once about an estate agent who wouldn't stop contacting me. They were very helpful and I never heard from the estate agent again.

      As long as no one complains because they assume nothing will change then guess what, nothing will change!

      1. alain williams Silver badge

        Re: Not paying the ICO is NOT the problem

        > Have you actually tried making a complaint to the ICO?

        Yes: several times. Best simile: chocolate teapot

      2. Dajve_Bloke

        Re: Not paying the ICO is NOT the problem

        > Have you actually tried making a complaint to the ICO?

        Yes. I was affected by the Experian data breach and sent a fairly extensive (and polite) missive requesting what enforcement action would be taken against them. Buggers couldn't be bothered to respond.

        So I will concur with the previous poster who claimed they were of little use.

        1. Oddlegs

          Re: Not paying the ICO is NOT the problem

          The Experian data breach affected 15M UK individuals. Did you expect the ICO to respond to each of them personally? Did you really think your 'extensive' missive was telling them anything they didn't already know?

          While it might have been polite to at least acknowledge your message the ICO's response to the breach has been very well publicised.

          1. Dajve_Bloke

            Re: Not paying the ICO is NOT the problem

            > The Experian data breach affected 15M UK individuals. Did you expect the ICO to respond to each of them personally?

            Don't be absurd.

            > Did you really think your 'extensive' missive was telling them anything they didn't already know?

            I pointed out a few cases where neither their guidance nor the letters from Experian missed important points. I'm nowhere near exceptional enough that this would only have affected me, but presumably a decent proportion of the 15M who had been hit. Points that at least could have been addressed via a website update, hardly an onerous exercise.

            The possibility remains that the ICO were too busy investigating Experian to respond, which would be fair enough. Except that there's been very little follow-up on this particular data breach, whereas much more recent ones have already resulted in fines. It's still possible there's an ongoing saga that can't be alluded to lest it prejudice any legal action, but I'm not holding my breath.

            So in conclusion, from my experience of this particular incident, small sample size and all, I fail to see a single iotum of value that the ICO have added.

      3. devTrail

        Re: Not paying the ICO is NOT the problem

        "Have you actually tried making a complaint to the ICO?"

        Yes. Recruitment agency holding my CV without my consent, I don't even know how they got it. It's even possible they were even interfering with a job application by claiming I was under contract with them. Unfortunately recruitment agencies are a big mafia-like business that from the UK control the European market for contractors, they are untouchable and ICO refused to take an action.

      4. SGJ

        Re: Not paying the ICO is NOT the problem

        I complained about my local MP who had admitted on Twitter that she regularly shared login details to her office systems with everybody, including office interns, and received a very prompt reply!

    2. N2 Silver badge

      Re: Not paying the ICO is NOT the problem

      I agree entirely

      But it would involve doing something instead of running a one line query & pressing fine, whoops I meant print.

    3. The Nazz Silver badge

      Re: Not paying the ICO is NOT the problem

      re Theatre tickets, and other matters.

      Pay by CASH. Keep the receipt.

      When they ask for a name and address simply make one up. Or use the M-i-L's.

      If everyone did it, the "spammers" would have so much useless data, it may cause them to lose heart. Especially if they spoke to the M-i-L.

      1. devTrail

        Re: Not paying the ICO is NOT the problem

        "When they ask for a name and address simply make one up"

        If you give a fake address you turn yourself from the victim into the guilty one. At the extreme you could be labelled as a fraudster, why should you do that? The theatre asking for your address is committing an abuse, shun them, boycott them, but don't harm yourself for something that is not necessary.

  6. bungle42
    Facepalm

    Ironic?

    Wouldn't it be ironic if the ICO was one of the companies that failed to register?

  7. Frank Bitterlich
    Thumb Down

    The other way around?

    So, if you register as a data processor, submit to audits, do everything right, then you have to pay the ICO.

    If you fail to do all that, you get slapped on the wrist, and a stern warning.

    How about making those companies and individuals pay for the ICO which are the actual reason why an ICO is needed in the first place? 1£ per customer record lost, 50p for every spam email sent, oh and 10£ per illegal nuisance call. Wouldn't the whole problem just go away then?

    Or, keep the current system, but with a money-back guarantee. Being affected by one violation of the DP rules (domestic, within the reach of the ICO) and you get your money back.

    The way it is now is more like a protection racket than a just fee.

  8. StuntMisanthrope Bronze badge

    Do not pass the buck, collect information.

    The problem with outsourcing data collection, is that a brute force attack, can’t be trusted to either hit the mark nor provide accuracy, especially today.

    It’s often applied by the inexperienced, in an attempt to shortcut a badly designed process in an attempt for quick enrichment, though in the long-term always proves costly and results in complaint. #utilitycompany

  9. davenewman

    Waiting for their renewal invoice

    An organisation I am involved with was due to renew registration in September. We didn't receive any renewal notice or information on how to pay. The ICO has simply dropped us off the list of registered organisations. I sent an email enquiring. Still waiting for a reply.

    1. Anonymous Coward

      Re: Waiting for their renewal invoice

      > Still waiting for a reply.

      The fine is in the post.

      That's the thing, ignorance is not a defence. Why did this organisation assume that a statutory registration fee was somehow like a recurring item for which you got a regular invoice? I work for a regulated business. We know that we won't get a polite, timely invoice. And we also know that our sector regulator is a bunch of business-hating, public sector, sandal-wearing communists. This means we pay our fees promptly, if unwillingly.

      1. devTrail

        Re: Waiting for their renewal invoice

        "And we also know that our sector regulator is a bunch of business-hating, public sector, sandal-wearing communists."

        Naaa. They are just safe jobs for people with friends in the right place. Then their purpose is just to pay lip service and not disturb friendly businesses.

  10. Richard Jukes

    We are registered but I'm sure we are exempted. We only process data for our accounts and internal paperwork. But considering it's 60 quid it's not worth the hassle.

  11. Bedmanager

    No foresight

    I fundamentally agree with the reasons and sanctions coming from the GDPR (and our version, the DPA 2018). I'm a data subject, too, and I want spammers and whoever to fear using my data illegally.

    Where I have a problem is with people trying to defend the ICO when the ICO had the same two years - probably more - to prepare for the incoming law and are now being seen for the incompetents they actually are.

    We have a regulator whose job description includes the 57 (1)(a) requirement to "monitor and enforce the application of this Regulation" and the Art. 57 (1)(d) requirement to "promote the awareness of controllers and processors of their obligations under this Regulation" - both of which are apparently not happening.

    We get a radio ad campaign in the month leading up to May 25th and not a fat lot else since. I know that radio air time costs money, but they should have been lobbying for funding to pursue this.

    We've had the raid on the Cambridge Analytica offices, with 'enforcement' (intentional quotes) officers apparent with their flashy ICO jackets with "ENFORCEMENT" emblazoned across their back. At this point, one can only presume that ICO stands for "Interesting Coat Outfitters" because - in terms of GDPR - they've done nothing other than flash a couple of windcheaters...

    If a data subject complains about a company, a quick review of the company's privacy notice would show the extent to which the company has sought to abide by the regulation. A bad privacy notice should lead to an email advising the company that they are on a list for impending audit. That might focus attention more.

    They had at least two years to prepare.

    1. I_am_not_a_number

      Re: No foresight

      Apologies for the brevity, not intended to be blunt...

      Assuming I've not misunderstood:

      "ICO stands for "Interesting Coat Outfitters" they've done nothing other than flash a couple of windcheaters..."

      Would you count fines & prison sentence in one case as "nothing"?

      https://ico.org.uk/action-weve-taken/enforcement/

      "requirement to "promote the awareness of controllers and processors of their obligations under this Regulation" - both of which are apparently not happening."

      Do Youtube, LinkedIn, Facebook & Twitter count?

      https://www.youtube.com/user/icocomms

      https://www.linkedin.com/company/information-commissioner's-office/

      https://twitter.com/ICOnews?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor

      https://www.facebook.com/ICOnews

  12. Maelstorm Bronze badge
    WTF?

    WTF?

    If this ICO is supposed to be a regulatory body, then why isn't it being funded by the government? Here in the U.S., a regulatory body is funded from the government, and its funding is budgeted. There are taxes (sales tax, income tax) and fees, but nothing like the structure of the ICO in the U.K.


Biting the hand that feeds IT © 1998–2019