So much attention has been focused on GDPR and how it might be enforced that it has been easy to forget the ICO still has a job to do in the meantime. Three recent actions show that Elizabeth Denham is not hanging around - and also what her eventual approach to the Regulation might be.
Two of those actions relate to ongoing sagas about the misuse of data by nuisance callers and charities. Perhaps the most significant is the switch of control of the Telephone Preference Service (TPS) away from Ofcom and into the ICO. More than any other aspect of how companies use personal information, it has been the plague of outbound calls and texts - largely driven by rogue companies - that has been annoying consumers. Their MPs and, as a consequence, the regulators, have been getting grief as a result.
TPS is run under licence by the Direct Marketing Association and has statutory force through Privacy and Electronic Communications Regulations (PECR). Notably, directors of companies found to be responsible can be jailed, as of November. That is a power which the ICO has been calling for in response to breaches of the Data Protection Act. It is now able to do more than just impose a monetary penalty - which many dark DM businesses have avoided by going bust and restarting - albeit only in this one domain. But it provides a strong precedent for expanding that power across all of its areas of responsibility.
Charities have experienced a tough time since the tabloid press monstered them over their use of data - and it looks like that experience is still not over. In the second significant move, the ICO penalised the RSPCA and BHF for the way they had been profiling donors in order to maximise income, as well as data matching and selling - all without providing transparent information to those donors about these practices or giving them an opportunity to object.
The defence used by these charities has been that their practices were commonplace in the sector. But that only reveals how far third sector organisations have moved away from an understanding of their supporters and what they have forgotten about the DPA. Not surprisingly, the ICO was unimpressed, although the fines were mitigated to reflect the fact that fundraisers were involved.
However, there is a deeper point to this enforcement action. While showing that adherence to the DPA is essential until GDPR takes over, it also suggests how the ICO will view the need to gain consent to profiling. Clarity, transparency and explicit, informed permission will be looked for and action taken where this is not gained.
A third move by the regulator went relatively unnoticed, but the decision to open a London office focused on lobbying shows how well the ICO understands the centrality of data in the informaton economy. Debates around the use of data and analytics are becoming more frequent in Parliament and the ICO wants to be sure it plays its part.
As long as the office of the Information Commissioner was tucked away in Cheshire, it was easy for the Government to say it had done its job. By moving close to the heart of power in Westminster, the ICO will be on hand to remind those in power that the data protection rights of individuals have to be fought for continually. It is a reminder to business and the data industry that we have a regulator who is serious, active and about to get even busier.