Look out: That data protection watchdog can bite
Regulation set to get tougher
Despite all the furores, calamities and Snowden-related shenanigans of recent years, the UK’s privacy watchdog remains something of a pussycat, and a lean one at that.
Granted powers in April 2010 to fine firms £500,000 for breaches of the various laws it covers, the Information Commissioner’s Office (ICO) has flexed its mini-muscles 60 times, imposing 51 penalties for serious breaches of the Data Protection Act and nine for offences under the Privacy and Electronic Communications Regulations, which cover electronic marketing like those pesky PPI calls and texts.
But the ICO is not happy with the status quo. It doesn’t keep any of the money from those fines, which goes straight back to Osborne and co at HM Treasury. At the same time as its funding from the Ministry of Justice (MoJ) is being cut, its workload is increasing.
In its annual report released in July, the regulator revealed a 10 per cent jump in both the number of calls it handled (259,903) and data protection complaints it resolved (15,492).
And the ICO is facing another quandary: it may have to find a new source of funds if the bureaucrats in Brussels finally push through the data protection reforms they have been chewing over for the last few years.
Previous drafts of the bill have included a provision that would prevent the ICO from keeping the annual notification fees that all data controllers have to cough up.
Lobbying is under way by the ICO’s top dogs. “I look to Parliament to strengthen the commissioner’s powers, to enable the adequate resourcing of the Office and to guarantee the commissioner’s independence,” says commissioner Christopher Graham.
The commissioner has also said the ICO is in discussion with the MoJ over changing its funding model to include an information rights levy. As yet there is little indication of how this levy would work.
“It seems that any levy will essentially replace the notification fee as data processors will be required to contribute, but the MoJ would still be required to make up any shortfall in funding,” says Hazel Grant, partner at the privacy and information practice at law firm Fieldfisher.
An ICO spokesperson says: “Essentially the levy provides a way to combine our Freedom of Information and Data Protection Act resources so that we are able to choose what we spend our money on.” So far there has been “no further progress on this proposal”.
The money problems are hindering the ICO from becoming what it wants to be: a beefier, tougher, independent privacy regulator.
“It is limited in what it can do regarding enforcement,” says Neil Thacker, information security and strategy officer for Websense in EMEA.
He thinks the ICO is like David fighting a Goliath made up of huge enterprises. He says many organisations he works with don’t believe they will be targeted by the watchdog and are happy to take a fine if the worst happens.
“It seems more focused on the admin side than on enforcement. That seems to be the feeling about the ICO,” adds Thacker.
Although the ICO is far from self-sufficient, it still has just enough power to cause concern for security professionals at UK organisations, especially those in the public sector. The regulator has handed the majority of its fines to government bodies, with local councils and the NHS hit hardest.
The punishment of the public sector has brought the ICO grief from groups that have publicly fought with the regulator to have fines rescinded and from critics who claim private firms are receiving lighter-touch regulation.
Grant believes this is partly because public-sector organisations are obliged to disclose data breaches (the EU data protection laws may make this mandatory for everyone) and they often hold more sensitive information than private firms.
And the ICO has not been overly shy about hunting those it believes have committed egregious errors. Sony became the biggest private-sector name on the ICO hit list when it was lumped with a £250,000 fine in January last year.
The European data protection laws, though not finalised, should give the ICO powers to hand out bigger penalties to organisations in all industries. Previous drafts have included rules that would allow EU member states to fine as much as five per cent of global turnover.
Whatever happens, the heightened focus on privacy issues, a tougher regulatory framework handed down by the European Commission and an increasingly frustrated ICO should bring about tectonic shifts in the UK data protection landscape in the coming years. The ICO should have sharper teeth and is likely to bite more often.
“I sympathise with the ICO. People have criticised it for attacking the public sector, but over time we will see more attention given to the private sector because it is good practice. The ICO will be more active,” says Grant.
Knowledge of the law
The question CISOs have to ask themselves is this: how should the business alter its information security strategy to face the changes and the current laws?
Getting to grips with the demands of the Data Protection Act and the nuances of the ICO’s enforcement of the law is an obvious place to start. The first part would not appear too difficult; it is simply a matter of reading the law and deciding what coverage is necessary.
But making business decisions based on the behaviour of the ICO is far more slippery, according to Stewart Room, a partner in PwC’s cyber and data security division.
“The high-level focus and priorities of data protection regulators will be clear to anyone who invests a little time in understanding their agenda and motives. The macro issues that arise on the face of legislation, which are well understood, include data security, global movement of data, sharing and disclosures,” he says.
“It's the micro issues that need to be understood and addressed. These are revealed by the regulatory guidance, press releases and decisions in enforcement actions.
“My advice to CIOs is invest time to understand the micro issues. That will always have a good return on investment because you will focus on what really matters in a regulatory sense. That can often be very different to what you instinctively feel is most important.”
“Organisations need to see the value of scenario-based risk assessments”
The ICO, for all its resource limitations, does push out frequent pieces of advice for businesses. Thacker recommends that security chiefs work with data protection and privacy officers to initiate a “triage” process to determine which bits of the ICO guidance matter. Such reviews will be more critical when legal changes are enacted.
“If we’re talking about privacy, organisations need to see the value of scenario-based risk assessments,” says Stephen Babb, vice president of ISACA.
“Consider the most relevant privacy scenarios that your organisation is faced with, which will depend on the nature of the services you’re offering and the sensitivity of the data you’re collecting, and conduct a risk assessment against those scenarios.
“Link those back to your business objectives as well. That means business outcomes from privacy or security issues can be played back to the board in business terms.”
As with all privacy and security projects, getting the board onside can bring manifold benefits, whether that’s proving IT’s value to the business or getting more funding to avoid the tentacles of the ICO.
Currently, few security chiefs are getting the backing they desire. In a survey of 391 IT and security practitioners in the UK carried out by the Ponemon Institute on behalf of Websense, only 42 per cent said their companies invested enough in skilled personnel and technologies to achieve their cyber objectives.
“While the CIO or the CISO may be given the lead to respond on privacy, I think what is vital is they secure commitment and support at a board level in order for them to be set up at a business level,” adds Babb.
“If there is a privacy breach, it will potentially have a negative impact on the entire organisation. Based on the findings, it may be that the priorities have to change to make sure necessary investment is spent on the areas of greatest risk.
“Specific regulation would give you that direction, that understanding of where you need to put in specific measures and controls to respond effectively.”
Long road to Brussels
With so much to take on board, IT teams could be forgiven for panicking. But they have time to get ready. In Brussels, no one knows when the directive and regulation, formally proposed back in January 2012, will actually go through.
Grant admits that her own predictions have been wrong but says there is something of a consensus that the final drafts will be agreed towards the end of 2015. It will take at least another two years for the laws to be implemented across member states. “It is likely to come into force years later,” she says.
Not that everyone will panic over the legal reboot – one that, thanks to hefty lobbying from tech giants and governments alike, might be considerably weaker than originally planned.
In drawing together their security plans, businesses often decide not to focus too much on regulation and instead think about business aims.
This might be a significant reason why so many say they are not confident about their compliance. More than three quarters of respondents in a survey of 1,500 office workers polled by Sophos in the UK, France and Germany said they were not confident they were in line with their respective data protection regulation.
Astonishingly, almost half said either their employers had not told them about a data protection policy, or there simply wasn’t one. More encouragingly, 84 per cent said Europe could do with tougher data protection laws.
“The ICO is probably not in businesses’ minds when they are choosing their security strategy,” says Thacker.
As Babb notes, the motivation of CISOs should be “to do the right thing and regulation should not always be a driver”.
For now, the ICO remains a rather tame beast in the eyes of those behemoth businesses that barely notice when the regulator demands a couple of hundred thousand in recompense for a screwup. Expect those firms to continue to play to their own tune if and when the watchdog becomes more like a vulpine creature than a yapping whelp.
Whether or not new regulations cause many to change their ways, they will raise the expectation that security professionals do a better job of protecting people’s information.
“One of the challenges we have, not just in the UK but globally, is that the visibility of CIOs and CISOs is increasing, and they might not always want that. But the current threats and the number of breaches are really driving forward their accountability,” says Babb.
A CISO’s life is arduous and it is set to get tougher as people demand more privacy. The motto of those who succeed will be along the following lines: in hard times, it’s time to shine. ®