ICO admits it’s too slow dealing with complaints – so it’s eying up automation to cut staff workloads

The UK’s data protection authority has apologized for being slow to respond to data protection complaints, saying it’s been overwhelmed by increased workloads.
In the last quarter of 2024, the Information Commissioner’s Office (ICO) responded to just 12% of complaints within 90 days, figures show, well down on its 80% target.
The figure was 65% at the beginning of last year, and has been dropping steadily since the fourth quarter of 2023, when it was 88%.
“Anyone who has felt the need to make a complaint to us deserves a timely response. Our current response times are not where we want them to be, and we know how frustrating this is for people who are asking for our help,” said a spokesperson.
“We want to thank people for their patience while we address this issue. Our frontline staff continue to work hard to respond to all complaints and we are confident that our approach will bring about the necessary improvements. Please be assured that we continue to triage cases and prioritize those that urgently need attention.”
A key factor in sluggish response rates were rising workloads, according to the ICO. The data protection watchdog said it received more than 10,000 complaints in the final quarter of 2024 – 746 more than in the same period a year earlier.
To deal with the backlog, it’s recruiting another 19 staff. The watchdog also revealed it’s testing automated tools aimed at simplifying or speeding up various administrative tasks, allowing case officers to spend more time on the complaint itself.
However, it warned, things are likely to get worse before they get better.
ICO woes reflected across Europe
Data protection authorities across Europe are facing a similar rise in workloads as the number of complaints skyrockets. Research from the EU Agency for Fundamental Rights last summer concluded they’ve been facing an ever-mounting workload since the introduction of the GDPR, with limited staff and inadequate funding. Much of this workload comes from minor complaints.
Dr Ilia Kolochenko, CEO at ImmuniWeb and a fellow at the British Computer Society (BCS), said these issues highlight the fact that some operational aspects of the legislation “were not properly designed”.
“National DPAs are frequently understaffed and underfunded, but flooded with the ballooning number of complaints,” Kolochenko commented.
This, he added, means the authorities are forced to prioritize major cases and that taking minor cases to court is often just a waste of money. This then results in organizations adopting lax approaches to compliance.
“In order to ensure a consistent, invariable and equitable investigation and remediation of data protection violations, both EU states and the UK should consider allocating additional funds to their national DPAs to be commensurable with the volume and complexity of incoming complaints,” he said.
“Otherwise, toothless enforcement regimes merely invite more violations of data protection law.”
MORE FROM ITPRO
TOPICS
Source link