Although 28 companies can do nothing about this now!
I’ve written about the ICO and the damage a complaint to them can cause.
They have the power to fine you up to £4 million for breaches of data protection, although most companies will never see a fine anywhere near this.
But there are other, more important reasons to avoid appearing on their radar.
The first is the adverse publicity and reputational damage an investigation can cause. Appearing on its website and in the media can cause a loss of respect and goodwill for a company, even if there is no fine.
The second is the disruption and stress caused by an investigation. The ICO will look at all your data processes, not just the one complained about, which can lead to some uncomfortable truths that may have been hidden, whether deliberately or not. A number of companies failed to comply with the TPS and have been shown to be less than trustworthy, demonstrating that they are not companies to do business with.
The third reason is that the reprimands issued by the ICO are now listed on its website. These more informal investigations were previously confidential, but the ICO will now publish them on its website unless there is a good reason not to, for example, where the cases include issues of national security.
The change in strategic approach is to make the ICO more transparent. The Information Commissioner has said: “Members of the public, and those affected by a breach or infringement, are entitled to know that we have held the business or organisation to account, and that they have changed their practices as a result.”
Those issued with a reprimand may be more minded to comply with its terms if they know their progress will be public, and other organisations can learn from these cases to improve their own data handling.
This move seems reasonable to me, although I am not sure the 28 organisations issued with a reprimand in 2022 will agree: they will now appear on the new Reprimands webpage, because the ICO has decided to backdate this action to 1st January 2022!
Personally, I would feel a little miffed as these investigations were started under confidential arrangements, but now all of this is public knowledge.
Yet another reason to avoid coming to the ICO’s attention if you needed any more. I appreciate it can be difficult to keep all those plates spinning throughout your data protection processes,