Firms shun ICO's free data-protection health check

Summary: Even though businesses are the source of one-third of data breach incidents, companies have proved unwilling to undergo free data protection audits offered by the UK's privacy watchdog

TOPICS: Security

British businesses are refusing an offer to have their data-protection measures checked, even after arousing the interest of the Information Commissioner's Office.

Only 19 percent of companies contacted by the UK's privacy watchdog accepted the offer of a free data-protection audit, information commissioner Christopher Graham said on Wednesday. By comparison, 71 percent of public-sector organisations, which must report breaches by law, agreed to the inspection.

"I don't know what it is that's so scary about the information commissioner," Graham told ZDNet UK. "I've got some quite scary powers, but if I'm invited to an audit and find something very wrong, it's added to a list for the data controller to address. If you invite us in, we don't turn around and say, 'We've found this, here's a civil monetary penalty'."

The ICO offers the audit if it receives complaints about an organisation, or if the company reports a data breach. Once the assessment has been carried out, the ICO gives the business advice on how it can improve data security, and performs another audit a year later. If the business has taken no action after a year, it may open itself up to a fine of up to £500,000.

"Lenders, general businesses and direct-marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year," Graham said in a webcast earlier on Wednesday. "Businesses need to show more willingness to undergo data-protection audits."

Over the past year, companies have voluntarily reported 186 data leaks to the ICO, compared with an overall total of 603 incidents reported. This figure includes both the private and public sectors, and covers data breaches that were reported either voluntarily by organisations or by others.

Businesses are currently under no obligation to tell the authority if they have suffered a data breach, though the European Commission is looking to introduce a law compelling firms to tell customers if their data is exposed.

"It would... create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures," EU justice and rights commissioner Viviane Reding said in June.

The information commissioner has direct input into the overhaul of European data protection law through the Article 29 Working Party. Graham told ZDNet UK that the ICO has argued that data breach notification could result in a large number of reports of minor incidents.

"We don't relish the idea of the ICO being overcome by an avalanche of data breach reports, and processing minor data breaches, just because a directive said that will happen," said Graham.

The ICO brought out its annual report on Wednesday. The report showed that lenders topped the number of data-protection complaints over the period, followed by general business and direct marketing.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

1 comment
  • If the recent round of hacking is anything to go by, the reason why they will not let you in is because many of them know their security precautions are crap and they have no intention of spending money on improving it until they have to. ICO should be made mandatory. And recording data breaches should also be made mandatory.