Firms shun ICO's free data-protection health check

Even though businesses account for almost a third of the data breach incidents reported to the UK's privacy watchdog, companies have proved unwilling to undergo the free data protection audits it offers
Written by Tom Espiner, Contributor

British businesses are refusing an offer to have their data-protection measures checked, even after arousing the interest of the Information Commissioner's Office.

Only 19 percent of companies contacted by the UK's privacy watchdog accepted the offer of a free data-protection audit, information commissioner Christopher Graham said on Wednesday. By comparison, 71 percent of public-sector organisations, which must report breaches by law, agreed to the inspection.

"I don't know what it is that's so scary about the information commissioner," Graham told ZDNet UK. "I've got some quite scary powers, but if I'm invited to an audit and find something very wrong, it's added to a list for the data controller to address. If you invite us in, we don't turn around and say, 'We've found this, here's a civil monetary penalty'."

The ICO offers the audit if it receives complaints about an organisation, or if the company reports a data breach. Once the assessment has been carried out, the ICO gives the business advice on how it can improve data security, and performs another audit a year later. If the business has taken no action after a year, it may open itself up to a fine of up to £500,000.

"Lenders, general businesses and direct-marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year," Graham said in a webcast earlier on Wednesday. "Businesses need to show more willingness to undergo data-protection audits."

Over the past year, companies voluntarily reported 186 data leaks to the ICO, out of an overall total of 603 incidents reported. The overall figure covers both the private and public sectors, and includes data breaches reported either voluntarily by the organisations themselves or by third parties.


Businesses are currently under no obligation to tell the authority if they have suffered a data breach, though the European Commission is looking to introduce a law compelling firms to tell customers if their data is exposed.

"It would... create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures," EU justice and rights commissioner Viviane Reding said in June.

The information commissioner has direct input into the overhaul of European data protection law through the Article 29 Working Party. Graham told ZDNet UK that the ICO has argued that data breach notification could result in a large number of reports of minor incidents.

"We don't relish the idea of the ICO being overcome by an avalanche of data breach reports, and processing minor data breaches, just because a directive said that will happen," said Graham.

The ICO brought out its annual report on Wednesday. The report showed that lenders topped the number of data-protection complaints over the period, followed by general business and direct marketing.
