Data protection authorities 'facing considerable resource challenges' due to digital boom

Speaking on a European Parliament data privacy panel, ICO's Hannah McCausland argued organisations must take responsibility over data - and IBM agree

Data protection authorities are facing a "considerable resource challenge" due to the rise of internet-connected devices and the ways in which organisations want to collect the personal information of consumers.

That's according to Hannah McCausland, senior international policy officer at the Information Commissioner's Office (ICO), who issued the warning during a personal data protection panel discussion hosted by the European Parliament Information Office in the United Kingdom.

Her comments come shortly after an ICO report warned how three-quarters of people are concerned that businesses don't keep their data secure.

"In terms of the enforcement mechanisms, looking to the future, I think that is really, really important and data protection authorities are going to need adequate resources to be able to effectively enforce the rules," McCausland told the audience at Europe House.

Currently, the European Commission's Article 29 Data Protection Working Party, which was set up in 1995 to ensure "the protection of individuals with regard to the processing of personal data", is working on a new, updated version of the directive. The body has previously warned how the Internet of Things will require new forms of consent.

McCausland argued that the boom in internet-connected devices and the sheer amount of data transmitted today means it's becoming difficult for authorities to keep up.

"I think data protection in all countries - and I know other members of the Article 29 Working Party would agree with me - are facing considerable resource challenges in light of the explosion of the digital environment and all of the new challenges which we're facing in our digital society today," she said.

McCausland went on to stress how organisations must ensure they keep data secure.

"In terms of how we can effectively input into all of the changes which are ongoing in our society, it can't be down to the regulators to take sole responsibility here," she said.

"It has to be down to organisations - both in the public and in the private sectors - because there are data breaches happening all over the place in both of those sectors," McCausland continued.

"And that is really where the accountability principle has been embedded into the Commission proposals and everybody needs to play their part in upholding and safeguarding individuals' rights to data protection," she added.

McCausland's remarks echoed earlier comments from fellow panellist Richard Ward, responsible for government relations at IBM, who argued that organisations that want to collect personal data must convince consumers that they can be trusted to do so.

"Businesses who want to use your data have to convince you that they are trustworthy guardians of your data and will deal with it in an ethical way," he said.

"I don't think regulation itself will deliver that and it's down to companies and the way that they treat your data to convince you that's the case. We see examples today of companies who can do that quite successfully; equally, we see examples of companies which don't," Ward continued.

"I think, in terms of where we go from here, we should be expecting industry to do a lot more work around protecting your personal data," he concluded.

The ICO regularly fines organisations which suffer data breaches, but McCausland insisted that it always considers a range of options before taking action.

"Fines are certainly part of the toolbox of an effective regulator. We don't solely operate on the basis of fines as a policy at present, we have a range of options available to us as a regulator," she explained. "We've just been permitted to do compulsory audits in the NHS in the last few weeks."

However, looking to the future, McCausland argued that the ICO - and other regulators - will need more flexibility in terms of what fines and punishments they can hand down.

"I think what we really need as regulators is a degree of flexibility to decide whether a fine is appropriate in a certain case," she said.

"It's not automatically the case that you're going to get a fine of X percentage of your global turnover when you commit a data breach in a certain way, we still need that flexibility," McCausland concluded.