The UK's data protection authority has apologized for being slow to respond to data protection complaints, saying it's been overwhelmed by increased workloads.
In the last quarter of 2024, the Information Commissioner’s Office (ICO) responded to just 12% of complaints within 90 days, figures show, well down on its 80% target.
The figure was 65% at the beginning of last year, and has been dropping steadily since the fourth quarter of 2023, when it was 88%.
"Anyone who has felt the need to make a complaint to us deserves a timely response. Our current response times are not where we want them to be, and we know how frustrating this is for people who are asking for our help," said a spokesperson.
"We want to thank people for their patience while we address this issue. Our frontline staff continue to work hard to respond to all complaints and we are confident that our approach will bring about the necessary improvements. Please be assured that we continue to triage cases and prioritize those that urgently need attention."
A key factor in sluggish response rates were rising workloads, according to the ICO. The data protection watchdog said it received more than 10,000 complaints in the final quarter of 2024 - 746 more than in the same period a year earlier.
To deal with the backlog, it's recruiting another 19 staff. The watchdog also revealed it’s testing automated tools aimed at simplifying or speeding up various administrative tasks, allowing case officers to spend more time on the complaint itself.
However, it warned, things are likely to get worse before they get better.
ICO woes reflected across Europe
Data protection authorities across Europe are facing a similar rise in workloads as the number of complaints skyrockets. Research from the EU Agency for Fundamental Rights last summer concluded they've been facing an ever-mounting workload since the introduction of the GDPR, with limited staff and inadequate funding. Much of this workload comes from minor complaints.
Dr Ilia Kolochenko, CEO at ImmuniWeb and a fellow at the British Computer Society (BCS), said these issues highlight the fact that some operational aspects of the legislation “were not properly designed”.
“National DPAs are frequently understaffed and underfunded, but flooded with the ballooning number of complaints," Kolochenko commented.
This, he added, means the authorities are forced to prioritize major cases and that taking minor cases to court is often just a waste of money. This then results in organizations adopting lax approaches to compliance.
"In order to ensure a consistent, invariable and equitable investigation and remediation of data protection violations, both EU states and the UK should consider allocating additional funds to their national DPAs to be commensurable with the volume and complexity of incoming complaints," he said.
"Otherwise, toothless enforcement regimes merely invite more violations of data protection law."
MORE FROM ITPRO
- NHS supplier hit with £3m fine for security failings that led to attack
- Information Commissioner John Edwards calls on firms to beef up support for data breach victims
- ICO threatens enforcement action against websites with 'harmful' cookie banners
-
Security experts issue warning over the rise of 'gray bot' AI web scrapersNews While not malicious, the bots can overwhelm web applications in a way similar to bad actors
-
Does speech recognition have a future in business tech?Once a simple tool for dictation, speech recognition is being revolutionized by AI to improve customer experiences and drive inclusivity in the workforce
-
“Limited resources” scupper ICO probe into EasyJet breachNews The decision to drop the probe has been described as “deeply concerning” by security practitioners
-
Surge in workplace monitoring prompts new ICO guidelines on employee privacyNews Detailed guidance on how to implement workplace monitoring could prevent data protection blunders
-
TikTok could be hit with £27m fine for failing to protect children's privacyNews Social media firm issued with a notice from the ICO for potential violations of UK data protection laws
-
What is AdTech and why is it at the heart of a regulation storm?In-depth The UK data regulator has come under heavy fire for consistently delaying much-needed action, privacy groups say
-
ICO crackdown on AI recruitment part of three-year vision to save businesses £100 millionNews ICO25 outlines a fresh approach that involves releasing learning materials, advice, and a new ICO-moderated discussion forum for businesses
-
Clearview AI fined £7.5m over improper use of UK dataNews Australian facial recognition firm collected 20 billion images from the internet without consent in order to build its database
-
UK data watchdog cut IT spending by £1.2 million during pandemicNews The ICO’s IT budget has been slashed by around 23% since 2019
-
Data for 120 army recruits found on the dark webNews The website, run jointly with Capita, has been offline since mid-March as MoD assesses the scope of the breach
