Oops! Almost a year in and ICO staff haven't been handed a GDPR privacy notice yet

The UK's data protection regulator has failed to follow its own advice, admitting a privacy notice for its own staffers – one of its key recommendations for GDPR compliance – remains "under construction". As part of the General Data Protection Regulation, individuals have the "right to be informed", which means they should be …

  1. robidy

    It should fine itself the maximum amount possible...

    ...it'll go into its coffers nicely and show the big boys it means business ha ha.

    1. DJV Silver badge

      Re: It should fine itself the maximum amount possible...

      Absolutely! Though, to make sure the big boys take it seriously, it should probably fire a few of its own minions (i.e. those that do the actual work) and pay the CEO a fat bonus for implementing and collecting the fine.

  2. Anne-Lise Pasch

    I don't think the ICO understands GDPR. I complained about Three giving my data to 'market research third parties' and the ICO say that if I'm a customer of Three, I have implicitly given my permission for Three to share my data with anyone. Whereas I contend that I only signed up (over 10 years ago) for my data to be used for the purposes of billing. I really thought the point of GDPR was to move consent from implicit to explicit.

    1. Fonant

      Indeed, in fact it's exactly that sort of situation that GDPR is supposed to restrict. Personal data should only be used for the purposes it was given, and not shared with marketing/advertising third parties. Otherwise Cambridge Analytica occurs and democracy is broken (among other unpleasant results).

    2. Warm Braw Silver badge

      don't think the ICO understands GDPR

      It depends on who you speak to. However, even when they do understand it, they're not keen to enforce it. I attempted to follow up an unanswered GDPR request and (after an exchange of impenetrable correspondence where they cut and paste loads of boilerplate text and put the crucial specific information so far down you give up the will to live before reading it) it seems that if you don't get a reply within the statutory period, the ICO won't pursue it unless you can demonstrate that you've made a second attempt to contact the organisation concerned once they've failed to comply with the law...

      However, compliance seems to be so woeful in general, I suppose they can't pursue everything. Chicken meet egg...

      1. steviebuk Silver badge

        Unless it's a big data breach they don't appear to give a shit. Reported something some months ago and their site pretty much stated that. Go to the company first, if you get no joy create a ticket but again they appear to only give a shit if it's a large breach and in the papers.

    3. Anonymous Coward

      I had a conversation with a member of staff from the ICO pre-GDPR. This was after waiting for three weeks to get a call back from their advice team.

      The call was ridiculous, the member of staff took on a completely patronising tone of voice (I presume that usually works?!) but did not actually answer my questions and even got the principle of data protection wrong. He stated that data should be held in a database to ensure that it can be secured properly, when the point of data protection is that due to the risks of holding data in a database it needs special protection and that it is preferable to not hold that data in the first place.

  3. JimmyPage
    FAIL

    Why, it's *almost* ...

    as if they don't take it seriously.

  4. Blockchain commentard
    Facepalm

    Well, I hope this webpage stays up since it should be used as evidence if any *other* organisation gets done by the ICO for not complying with GDPR.

    Egg, meet face.

  5. Trollslayer
    Flame

    Yes Minister

    We should have to make this up.

  6. Anonymous Coward

    The ICO are utterly useless, not only for enforcement but for data protection themselves

    Here's a good one - guess which organisation deleted their own DPA1998 Register of Data Controllers in 2018 when GDPR came into force, irreparably prejudicing thousands of data subjects' DPA1998 legal cases still running through the courts and denying them legal recourse for DPA1998 infringements?

    Yep, our very own dimwitted data police.

    Hell, if you're a data criminal looking to infringe GDPR, it's probably worth registering just for that kind of protection from the law. The only people the ICO actually pursues are the ones that don't pay the 'data protection fees'.

    Oh hai Facebook, Cambridge Analytica etc.

  7. bpfh
    Devil

    Now waiting...

    For someone to contest a penalty notice on the basis that the administration in charge of distributing penalties not being correctly informed of the details of doing so, and thus the fact that the ICO holding details of the entity being penalised actually in breach of regulations, like a police fine where someone forgot to fill in the officer's name, number or signature causing it to be invalid.

    At least they will clear up their internal act in about 1 working day - If they ever get around to enforcing any penalties in the first place...
