It should fine itself the maximum amount possible...
...it'll go into its coffers nicely and show the big boys it means business ha ha.
The UK's data protection regulator has failed to follow its own advice, admitting a privacy notice for its own staffers – one of its key recommendations for GDPR compliance – remains "under construction". As part of the General Data Protection Regulation, individuals have the "right to be informed", which means they should be …
I don't think the ICO understands GDPR. I complained about Three giving my data to 'market research third parties' and the ICO say that if I'm a customer of Three, I have implicitly given my permission for Three to share my data with anyone. Whereas I contend that I only signed up (over 10 years ago) for my data to be used for the purposes of billing. I really thought the point of GDPR was to move consent from implicit to explicit.
Indeed, in fact it's exactly that sort of situation that GDPR is supposed to restrict. Personal data should only be used for the purposes it was given, and not shared with marketing/advertising third parties. Otherwise Cambridge Analytica occurs and democracy is broken (among other unpleasant results).
"don't think the ICO understands GDPR"
It depends on who you speak to. However, even when they do understand it, they're not keen to enforce it. I attempted to follow up an unanswered GDPR request and (after an exchange of impenetrable correspondence where they cut and paste loads of boilerplate text and put the crucial specific information so far down you give up the will to live before reading it) it seems that if you don't get a reply within the statutory period, the ICO won't pursue it unless you can demonstrate that you've made a second attempt to contact the organisation concerned once they've failed to comply with the law...
However, compliance seems to be so woeful in general, I suppose they can't pursue everything. Chicken meet egg...
I had a conversation with a member of staff from the ICO pre-GDPR. This was after waiting for three weeks to get a call back from their advice team.
The call was ridiculous, the member of staff took on a completely patronising tone of voice (I presume that usually works?!) but did not actually answer my questions and even got the principle of data protection wrong. He stated that data should be held in a database to ensure that it can be secured properly, when the point of data protection is that due to the risks of holding data in a database it needs special protection and that it is preferable to not hold that data in the first place.
Here's a good one - guess which organisation deleted their own DPA1998 Register of Data Controllers in 2018 when GDPR came into force, irreparably prejudicing thousands of data subjects' DPA1998 legal cases still running through the courts and denying them legal recourse for DPA1998 infringements?
Yep, our very own dimwitted data police.
Hell, if you're a data criminal looking to infringe GDPR, it's probably worth registering just for that kind of protection from the law. The only people the ICO actually pursues are the ones that don't pay the 'data protection fees'.
Oh hai Facebook, Cambridge Analytica etc.
Someone could contest a penalty notice on the basis that the administration in charge of distributing penalties is not correctly informed of the details of doing so, and thus that the ICO holding details of the entity being penalised is actually in breach of regulations, like a police fine where someone forgot to fill in the officer's name, number or signature, causing it to be invalid.
At least they will clear up their internal act in about 1 working day - if they ever get around to enforcing any penalties in the first place...