So, you’ve received a ‘scary’ email from the ICO (the Information Commissioner’s Office). You now need to consider how you communicate with them from here on.
Fellow independent GDPR consultant Adrian Dray and I were catching up recently, and the conversation turned to interactions with regulators, specifically, here in the UK, the ICO for data protection matters. Here are some of our shared thoughts.
What communication may the ICO send me?
As a data controller, you hope the only communication you receive from the ICO is the reminder that your annual fee is due for renewal. Anything more is usually met with an immediate sinking feeling that even the most experienced Data Protection Officers still get, particularly if the email is from an ICO Case or Investigations Officer.
Top tip, and an obvious one we know: don’t ignore their email. An ICO Case Officer typically handles the initial enquiries side of a complaint received from a customer or staff member, a data breach, or any other data protection concern relating to your organisation that has appeared on their radar.
An ICO Case Officer effectively triages the case based on your response and, depending on the issue, may escalate the matter to the investigations department. Acknowledging their initial communication in a timely, professional and cooperative manner can go a long way – remember, they are looking for evidence that the organisation is taking the matter seriously. If the case does escalate to the investigations team, they will review all of your past communications.
You might be thinking, “Well that’s obvious, of course, I’m not going to ignore their email, it’s the ICO!”.
Whilst it might seem obvious to many of us, the ICO often comments in its enforcement notices (which hopefully you will never receive) on the level of cooperation it received from the organisation in question. Those who fare poorly in this area, whether by ignoring the ICO or by getting the knives out and ‘lawyering up’ from the get-go, usually receive heavier enforcement action.
We cannot stress enough the importance of informing the board straight away and documenting this event. It’s easy to worry that they will treat you as ‘the boy who cried wolf’, especially if the ICO decides to close the case relating to an incident or complaint quite quickly.
A possible or real incident always provides an organisation with an excellent opportunity to reset their perspective regarding data protection compliance, which must be led from the top if it is to succeed.
What happens if no further investigation is needed by the ICO?
If the matter does require further investigation by the ICO, presenting documented minutes of the organisation’s response to the ICO’s communication will demonstrate a commitment to accountability – the chief principle of data protection legislation.
It’s also worth understanding that it’s not uncommon for a future buyer of the organisation to ask for all documentation pertaining to ICO cases as part of a mergers and acquisitions due diligence exercise.
When any regulatory authority engages, it’s easy for panic to take over, and it’s understandable why. But it doesn’t need to: sometimes stepping back, seeing the bigger picture and knowing your limits is the simplest way to dissolve the panic. If you need to, seek out a data protection consultant with in-depth experience in your sector and recent experience of dealing with the ICO – in most cases, their advice can make all the difference.
Chris Roberts and Adrian Dray.