The data protection watchdog the ICO’s response times are not where they want them to be, the regulator has admitted.
The ICO said that declining performance was primarily due to high demand for services running alongside a reduced capacity. It said that it expects performance to ‘continue to slide’ until it’s in a position to roll out ‘significant digital and process changes’; namely automating the case creation process.
An ICO spokesperson said: “We are committed to getting back to meeting our target of responding to 80 per cent of complaints within 90 days and are introducing several initiatives over the coming months that we believe will help us to achieve this. This includes recruiting 19 staff to help us deal with the ongoing increase in complaints that we are seeing each month. For context, from October to December 2024, we received 746 more complaints compared to the same period in 2023.
“We are also exploring how we can improve our processes by using automated tools. For example, we are currently testing options that can simplify or speed up certain administrative tasks so that case officers can spend more time on the complaint itself.
“We want to thank people for their patience while we address this issue. Our frontline staff continue to work hard to respond to all complaints and we are confident that our approach will bring about the necessary improvements. Please be assured that we continue to triage cases and prioritise those that urgently need attention.”
Comment
Dr Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), said: “Unfortunately, the situation is similar for many Data Protection Agencies (DPAs) in the EU, as well as in other jurisdictions with comprehensive data protection regimes. While the EU pioneered personal data protection by enacting GDPR in 2018, some operational aspects of the legislation were not properly designed. As a result, national DPAs are frequently understaffed and underfunded, but flooded with the ballooning number of complaints.
“Eventually, DPAs are compelled to selectively prioritize their work in view of the limited resources, leaving minor infringements without due attention. This alarming trend encourages organizations to further neglect compliance with data protection laws and regulations, knowing that small cases will unlikely get a lot of regulatory attention. Worse, taking minor cases to court is often just a waste of money, and very few individuals will ever do this.
To ensure a consistent, invariable and equitable investigation and remediation of data protection violations, EU states and the UK should consider allocating additional funds to their national DPAs to be commensurable with the volume and complexity of incoming complaints, he added. “Otherwise, toothless enforcement regimes merely invite more violations of data protection law.”
