Good night and good luck

I know a few people follow this blog, so this post is largely for them, but also for anyone who comes across this blog and enjoys what they find.

I am mothballing this site in advance of closing it altogether. Every blog post is now on my website, and I will continue the same mixture of piss-taking and ICO-baiting over there. The illogicality of having two separate sites with associated costs and confusion has finally become too much, and I have done what turned out to be a limited amount of admin to bring the two together.

Thanks very much for reading the posts, commenting and sharing, and I hope you will continue to do so via my website.

The 2040 Training company website is here: www.2040training.co.uk and you can find the blog under the link marked ‘Mischief’.

Taking the piss

On page 74 of the Information Commissioner’s newly published Annual Report, you can find the welcome news that the ICO reduced the amount of water in flushing toilets and the timings of auto flushing in urinals. Sadly, the expansion of the organisation’s footprint in Wilmslow, due to swelling numbers of staff, has led to an increase in overall emissions (insert your own joke). There is an abundance of other information about other environmental issues, including paper consumption and car journeys,

Strangely, if you look for information about one of the landmark events of UK Data Protection in 2019 – 2020, there is no sign. In December 2019, the Information Commissioner issued its first ever penalty under the General Data Protection Regulation against a company called Doorstep Dispensaree. Several pages of the report are taken up illustrating “The Year in Summary”, and the only thing mentioned for December is the launch of a consultation about AI. It’s not that the ICO had so many things to report on; one of the highlights for June 2019 was “The Information Commissioner makes a speech at a G20 side event in Tokyo”. Odd that an event which is very much the ‘only invited to the evening do’ of international speaking gigs makes the cut, but the first and so far only UK GDPR fine does not.

There are several reasons for this, I believe, all of which go to the heart of what is wrong with Elizabeth Denham’s disastrous term as Commissioner. The first is Denham’s vanity, mistaking public appearances and headlines for actual achievements. Allied to her Kim Jong Un tendencies is the prioritisation of international work and pet projects over the basics of regulation. Finally, there is a fundamental dishonesty at play – it should be deeply embarrassing for Denham that she hasn’t made a serious attempt to enforce the GDPR in two years. Because it is evidence of this failure, Doorstep Dispensaree (a solid and encouragingly detailed enforcement case that should have been the ICO’s bread and butter during this period) is written out of the story. It didn’t happen.

Most of the report is a soup of meaningless buzzphrases, presumably designed to disguise the hollow nature of what is being described. There have been “deep dive sessions” with the “most significant Digital Economy Stakeholders”, an “Innovation Listening Tour” and an “Innovation Hub”, which the ICO hopes to open up to “innovative organisations” like “catapults” and “incubators”. I think all of this means that they’ve had lots of meetings; the outcomes are impossible to identify beyond wonderful “engagement”, a word which appears 22 times (‘penalty’ appears 4 times).

It is possible to identify a couple of interesting themes. One is the ICO’s determination to support capitalism and The Man. One of the main strategic goals is “enabling innovation and economic growth”, while another is increasing trust and confidence in the way personal data is used. These are not regulatory outcomes, they are economic goals. Actual enforcement of the law is demoted to the fifth out of six goals. The ICO has established a team of people to work on the economic growth agenda, led by a Head of Economic Analysis seconded from an organisation that Wilmslow has decided we don’t need to know the name of.

The other obvious strand is both depressing and familiar, especially to an ICO refugee of such ancient vintage as myself. The joke in the ICO when I was there (2001 – 2002, fact fans) was that it didn’t matter that we never took action because “thinking is doing”, a phrase attributed to Francis Aldhouse, the Deputy Commissioner at the time. Thinking is Doing paralysed the ICO for years, but the spell was broken first by the impossibility of ignoring the cycle of security breaches begun by HMRC’s lost discs, and then by Chris Graham. For all his flaws, Graham revolutionised the ICO by allowing his staff to demolish the shameful FOI backlog and embrace the penalty powers that the lost discs fiasco gifted to Wilmslow.

Thinking is Doing is back. Doorstep Dispensaree (a thing that happened) doesn’t warrant a mention, but the BA and Marriott penalties (things that did not happen) are mentioned approvingly because they “received a large amount of media attention”.

One of the case studies in the Annual Report covers the ICO’s investigation into Ad Tech. After a flurry of meetings, press releases and agreeable dinners at Cibo, the ICO was supposedly poised to rewrite the internet, but instead, the Executive Director of Shiny Things Simon McDougall promised that whatever they did, the ICO would not spoil the ad industry’s Christmas. Then, when Covid-19 gave him cover, he dropped the whole thing like a stone. McDougall is paid between £115,000 and £120,000 per year, and his contract has been renewed until July 2021, for reasons I cannot begin to understand.

The closer that the report gets to reality rather than Denham’s preoccupations with politics and online harms, the harder it gets to spare her blushes. The report cites 236 instances of “regulatory action”, but it’s really hard to work out what this means. Of that total, just 15 are fines, 7 are enforcement notices, and 8 are assessment notices (i.e. mandatory audits). There are 8 prosecutions and 4 cautions. 54 of the “regulatory actions” are in fact information notices, which do not represent action at all.

An Information Notice is an investigatory tool which might lead to action, and might not; in itself, it’s just a demand for information. What are the other 139 “regulatory actions”, and why doesn’t the Commissioner want to admit what they are? Has there been a blizzard of warnings and reprimands that are being kept secret? Or, as the inclusion of information notices suggests, is the maths necessary to create the 236 more akin to gymnastics?

The report boasts of ICO intervention in a number of court cases, and happily sets out their successful involvement in the Elgizouli case. It’s a sign of how thin-skinned Denham’s ICO has become that they can’t bring themselves to admit that in the other two cases they cite (the challenges to South Wales Police’s use of facial recognition and the DPA’s immigration exemption), they backed the losing side.

In the end, the figures don’t lie. The toilet flush numbers are encouraging, but other information is less reassuring. The ICO set itself a target of resolving (i.e. closing) 80% of complaints within 12 weeks. Despite receiving fewer complaints than in the previous year, gaining 100 staff and receiving a massive boost in funding, they managed only 74%. 84 cases are more than a year old. Despite 46% of complaints received being about subject access, the ICO took no enforcement action against subject access infringements in the period.

Perhaps most damning of all, the total number of fines issued in the period (£2,409,000) was less than half what it was in 2018 – 2019 (£5,436,000). There are people who praise the ICO for their guidance and conference appearances, but this is like measuring the police for their road safety demonstrations in schools. The ICO isn’t a “proportionate and practical regulator” – it’s far from where it should be, achieving nothing but emissions of hot air.

Denham’s foreword has an almost valedictory tone. There’s a strong effort to defend the ICO’s determination to spend time on anything as long as it isn’t related to the UK, but the final thought is about how Denham thinks she has achieved her objective of transforming the ICO into “an information rights regulator that is helpful, authoritative, tech-savvy, practical and firm”. While what she’s actually done is hollowed out a passable regulator and turned it into an ineffective, politically biased think-tank, the only positive thing I can take away from this annual report is the hope that if Denham thinks it’s mission accomplished, she will move on to pastures new. Hopefully her successor will have some experience at putting out fires.

Backwards Momentum

To quote from their website, “Momentum is a people-powered, vibrant movement. We aim to transform the Labour Party, our communities and Britain in the interests of the many, not the few.” Founded by Jon Lansman and others in 2015, it arose out of the successful campaign to get Jeremy Corbyn elected as Labour Leader. From the beginning, as well as being evidence of a new type of politics in terms of policy and approach, Momentum exemplified the importance of personal data to modern politics.

An awful lot of bullshit has been talked about data and politics in the UK – witness the investigation into political parties’ use of personal data announced with great fanfare by the Open Rights Group, which culminated in a hilariously anti-climactic report where ORG had to admit that the worst thing they could say about political data exploitation is how ineffective it is. Ignore the Guardian headlines and Liz Denham’s interviews on Channel 4 News; Momentum is a real example of the power of data. It is a political movement built on a mailing list. After Corbyn was elected, the founders of Momentum used the lists of Corbyn supporters created during his leadership campaign as the foundation of the organisation. This isn’t my opinion – it’s what Momentum says about itself: “The company was originally incorporated at the very beginning of Jeremy Corbyn’s 2015 leadership bid to collect and manage the data collected during that election and in order to maximise the retention of data for use after the leadership campaign to benefit the movement which would arise from it.”

A few days ago, the National Coordinating Group for Momentum held elections. Lansman, who was previously chair of the organisation, didn’t stand for reelection, so Momentum is under new management. However, it is not entirely in power, and at its first meeting, the NCG sought to rectify that. According to Labour List, “members voted in favour of putting Momentum’s data – currently owned by Lansman, who is no longer on the ruling body – in their own hands. They are confident that this handover will take place.”

Technically, the data isn’t owned by Lansman. Momentum’s website says that it is owned by ‘Jeremy for Labour Ltd’, a company that provides data services for Momentum. Strictly speaking, this isn’t true either: the company is called ‘Momentum Information’ but it’s not hard to understand why the Momentum web people are confused because the company does have a habit of changing its name. It started as ‘Jeremy Corbyn Campaign 2015 (Supporters) Ltd’, then became ‘Momentum Campaign Ltd’, then transmogrified into ‘Jeremy for Labour Ltd’ in 2016, finally blossoming into ‘Momentum Information Ltd’ on 30th December 2019. It’s like a really boring version of Doctor Who. However, when you look at the current directors of Momentum Information, there’s only one, and it’s Jon Lansman.

Momentum isn’t a company or a political party. It is an “unincorporated association of individual members” with a written constitution, run by the NCG. According to their website, the data owned by Momentum Information “cannot be shared with any organisation, including Momentum” but “the privacy policy does permit Jeremy for Labour Ltd to inform people of campaigns and activities linked to Jeremy Corbyn’s campaign aims, such as the activities of Momentum which grew out of Jeremy’s leadership bid and shares its aims and values”. Momentum is in the astonishing position of being a member organisation which – as far as I can see – does not know who all of its members are and is not allowed to contact them directly without (effectively) Lansman’s cooperation. It’s possible that by now the unincorporated association has accumulated some of its own data, but it seems clear that Lansman has kept control of the data mother lode, and while he no longer chairs Momentum, the data gives him huge power over it.

If Momentum members have access to the data held by Momentum Information and they try to use it, that would be a criminal offence unless Lansman or his representatives authorise it. This is why there needs to be a ‘handover’. Of course, Lansman may well accede to the democratic vote of the NCG and give them the data. I am an evil centrist who doesn’t really understand the internal politics of Momentum (I rejoined Labour solely to vote for whichever of Keir Starmer or Lisa Nandy looked more likely to beat Rebecca Long-Bailey), so I don’t know what Lansman’s move will be. The funny thing is, purely in Data Protection terms, it’s probably unlawful for him to disclose the data without a lot more work.

I’m basing this on the information Momentum itself has put into the public domain, so if I have this wrong, it’s because I’ve been misinformed by them. But that sentence in the company structures section of their website isn’t ambiguous: the privacy policy doesn’t allow sharing with Momentum. If that’s what the people on whatever database Momentum Information controls were told, it would be a significant breach of fairness and transparency for their data to be shared in a way that contradicts this. Never mind that many Momentum members might be fine with it, the transparency problem has to be overcome, and we’re talking about many thousands of people needing to be contacted.

Being a member of Momentum plainly reflects your political opinion, so Momentum Information needs a special categories exemption to disclose the data. The most obvious one would be “processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”. If you read all the way to the end, you can see the problem – it explicitly rules out disclosure. There are only two other possibilities – substantial public interest or explicit consent. I don’t think that there’s a *public* interest here, just a significant private one, but if you disagree, a controller can only use substantial public interest if they can meet a condition from Schedule 1 of the Data Protection Act 2018. Feel free to read them if you want to, but I can tell you that none of them apply. The NCG vote is irrelevant – unless the relevant people consent to the disclosure, it’s unlawful even if Lansman wants it to happen.

I said I don’t know Lansman’s motives here, but surely none of this is an accident. Whether or not he chairs the unincorporated association, it strikes me that Lansman still holds the reins. Momentum is probably nothing unless it can talk to its members, and right now, only a mass consent gathering exercise will allow that. Of course, Momentum’s account of the company structures may be incorrect and there’s a loophole somewhere. But forget the guff about micro targeting and brainwashing by Facebook, if there is a standoff between the NCG and Lansman, it’s about who controls a major political movement, and it’s based solely on access to personal data. The Information Commissioner will run a mile from intervening, as they always do when faced with issues in Labour and Left politics, but it’s an awesome demonstration of the power of data.

Two pints of FUD and a packet of pork scratchings please

As the pubs open, a huge amount of fuss has been made about the requirement placed on pubs to collect personal data for the purposes of the track and trace system. Local papers and websites buzz with articles that are plainly just law firm press releases, and the LinkedIn Snake Oil Salesmen awoke from their slumber to offer advice to unwary publicans. Some even wondered aloud how pubs would cope with being data controllers for the first time, despite all of them having employees, and most taking bookings and doing marketing.

Guidance from the government sets out what is expected:

“You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks.”

The data pubs and restaurants should collect is as follows:

“customers and visitors:

  • the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
  • a contact phone number for each customer or visitor, or for the lead member of a group of people
  • date of visit, arrival time and, where possible, departure time
  • if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer”
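As an added illustration (my own code, not from the guidance or any venue's system) of what a record limited to the fields above looks like in practice: a date-ordered log that stores only those fields, serves a request for a single day, and deletes entries once the 21-day period has passed. Names, numbers and dates in it are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION_DAYS = 21  # the guidance: keep a temporary record for 21 days


@dataclass
class Visit:
    """One entry, limited to the fields the guidance asks for."""
    lead_name: str                     # customer, or 'lead member' of a group
    phone: str                         # contact number for that person
    visit_date: date
    arrival: str                       # e.g. "19:30", stored as given
    departure: Optional[str] = None    # recorded "where possible"
    group_size: int = 1
    staff_member: Optional[str] = None  # only for one-to-one services


class ContactLog:
    """Date-ordered log, kept separately from any other customer data."""

    def __init__(self) -> None:
        self._entries: List[Visit] = []

    def record(self, visit: Visit) -> None:
        # An entry without a name or number is useless to Test and Trace
        if not visit.lead_name.strip() or not visit.phone.strip():
            raise ValueError("lead name and phone number are required")
        if visit.group_size < 1:
            raise ValueError("group size must be at least 1")
        self._entries.append(visit)
        # Keep strictly in date order; no index by person is built
        self._entries.sort(key=lambda v: (v.visit_date, v.arrival))

    def purge(self, today: date) -> int:
        """Delete entries that have reached the 21-day limit; return how many."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        before = len(self._entries)
        self._entries = [v for v in self._entries if v.visit_date > cutoff]
        return before - len(self._entries)

    def visits_on(self, day: date) -> List[Dict[str, object]]:
        """Answer a Test and Trace request for one day, and nothing else."""
        return [
            {
                "name": v.lead_name,
                "phone": v.phone,
                "group_size": v.group_size,
                "arrival": v.arrival,
                "departure": v.departure,
                "staff_member": v.staff_member,
            }
            for v in self._entries
            if v.visit_date == day
        ]

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    # Constructed sample data (Ofcom drama-range phone numbers)
    log = ContactLog()
    log.record(Visit("Tim Turner", "07700 900000", date(2020, 7, 4), "19:30", "22:00", 3))
    log.record(Visit("A. N. Other", "07700 900001", date(2020, 7, 20), "12:00"))
    print(log.visits_on(date(2020, 7, 4)))
    print("purged", log.purge(date(2020, 7, 25)), "entries; remaining", len(log))
```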

A few interesting questions do arise. The first, which doesn’t seem to have provoked much debate, is whether GDPR applies at all in this situation. If a pub or restaurant stores the data in a spreadsheet or other electronic system, GDPR applies because, in the words of Article 2, it is processed by automated means. But what if the pub uses a notebook or index cards to store the data? There’s a strong argument to do that, because it would make it much easier to keep the data separate from other customer data that the pub might have. Moreover, it’s possible that a notebook structured solely in date order doesn’t meet the definition of a filing system, which is a “structured set of personal data which are accessible according to specific criteria”. Certainly, if the Data Protection Act 1998 was still in force, the answer would be no. A date-ordered notebook would fail the ICO’s famous ‘temp test’ (can a temporary member of staff find personal data without searching every page?), and there is out-of-date guidance on the ICO’s website that confirms that chronological storage isn’t a relevant filing system. However, that was the DPA 1998, although the definition of a filing system is very similar in the 1995 Directive and the GDPR. Would date order meet the requirement for “accessible according to specific criteria”? I can’t find the data about Tim Turner without searching every page, but I can see all the named individuals who were in the pub on July 4th, so is that enough?

Given that the ICO isn’t going to touch this with a bargepole, the only way that this might be tested is in the courts. The European Court of Justice has looked at filing systems before in the Finnish Jehovah’s Witnesses case. This was under the old Directive, but they found that the ‘specific criteria’ by which the data are accessed should relate to people. I can’t find the phrase anywhere, but the ICO shorthand used to be ‘structured by reference to individuals’. The Jehovah’s Witnesses’ manual records were structured to keep track of specific people and organise subsequent visits, and so were found to be a filing system. I’m probably unduly influenced by having worked with the DPA 1998 for so long, but my instinct is that if a handwritten record is kept in date order, and not structured to provide easy access to identifiable people, it’s not personal data in the first place, and so no GDPR obligations arise to the publican armed only with a pad and pen (my advice is a nice Lamy or Pilot pen; only barbarians use freebie biros).

But let’s assume that I’m wrong, and the data is personal data captured by the GDPR. I had a conversation with someone on Twitter yesterday who believed that the Data Controller was Public Health England, and that pubs, restaurants and other businesses are data processors on behalf of PHE. He made the point that if this was correct, then none of them would have a contract with PHE, and so there would automatically be a massive data protection infringement. I disagree. The pub owners are under no obligation to process the data – if they participate, they are choosing to do so. If you decide whether and how to gather the data, it strikes me that you have at least some involvement in determining the purposes for which the data is processed. PHE have issued no instructions about the means of the processing (hence pubs and restaurants being able to choose between automated and manual processing). If every venue was a processor, it’s true that PHE would be under an obligation to issue contracts to them all, and they would be liable for every infringement that occurred in an establishment that hadn’t signed up. I’m not saying that this is impossible (the NHS is no stranger to pretending that organisations who have zero choice or input into the purposes and means of processing are data controllers), but I’m more comfortable with the idea that hospitality venues are joint data controllers with PHE. If a pub does something daft with data they have chosen to process, it seems an odd interpretation of the law to hold PHE responsible.

Someone’s going to say vicarious liability, and I’m going to wait for the court case.

Depending on the context, the data collected might look like contact details, but it could easily lead to inferences and risks that the venue needs to take seriously. If I went to the Old Man Pub down the road from me, you wouldn’t infer much about my presence there other than a liking for darts and bright lighting. But if I went to G-A-Y in Manchester, you might reasonably draw conclusions about my sexuality. The venues ought to look after this information very carefully, assuming they didn’t already collect data about these customers. But those people determined to predict a datapocalypse as a result of these measures are leaping several steps ahead. Most venues will take sensible measures to keep this data safe because most people aren’t stupid, and venues that cater to vulnerable clients or those who have heightened concerns about privacy are almost certainly aware of these issues already. The chances that data will be lost or stolen are probably low (especially if they go for a simple spreadsheet or manual record that is stored somewhere safe).

But if something does go wrong, unless it involves significant risk to the customers, the chances of a big data protection enforcement case from the ICO are virtually nil, and despite the lip-smacking enthusiasm of some lawyers, the prospects of lucrative litigation are fairly dry. And with that, I am going to do my civic duty by walking through the rain to the Old Man Pub, getting blind drunk and catching Covid-19 like all patriotic Englishmen should*.

* SPOILER ALERT: I am going to wait for John Lewis to deliver my new Fridge Freezer.

Role playing

A few weeks ago, the Data Protection world was shaken by a decision from the Belgian DP Authority to fine an organisation €50,000 after they appointed their Head of the Compliance, Risk Management and Audit department as their Data Protection Officer. I’ve commented before about my frustration that too many organisations are unable to comprehend the independence and relative freedom of the DPO role as anything other than a senior-level job – in such places, the role is a DPOINO, a Data Protection Officer In Name Only, with a younger, more junior but much more expert person actually carrying out the role. The DPOINO in these organisations is usually a middle-aged white man, and the real DPO is a younger woman. I imagine you are shocked to read this.

The Belgian decision is not ridiculous – it is difficult for someone in a senior position to escape decisions about hiring and firing (for example) or system design, activities that risk dragging the incumbent into determining the purposes. If the DPO was less senior, even in the same department, the risk of conflicts of interests would be lower. There are better, more imaginative models, but I think seniority is always fatal. Needless to say, some commentators have drawn other conclusions.

Writing for Scottish Housing News, Daradjeet Jagpal questioned whether it was time for his audience (Registered Social Landlords in Scotland) to review their DPO appointments. Despite this being a single case in a foreign jurisdiction with tenuous direct application to a non-EU country like the UK, Jagpal fell back on the consistency mechanism, and warned his readers that the ICO might adopt the same approach, skipping over the fact that Wilmslow’s approach to the GDPR has been to go to sleep. A quick survey of the possible candidates – mainly heads of various RSL departments – finds that none make the grade for Jagpal, and rather patronisingly, he dismisses the idea that a Corporate Services Officer would be “comfortable or sufficiently confident to challenge the CEO on non-compliance”. Take that, many DPOs who I know and love.

Jagpal comes to the conclusion that “The obvious solution is for RSLs to appoint an external DPO”, which is remarkable, given that Jagpal is described in the article as “a leading provider of outsourced DPO services to RSLs across Scotland”. I’m not suggesting that he’s over-egging the Belgian decision for nakedly commercial purposes, but he does place weirdly heavy emphasis on EU standards and pressures which are clearly either dead or dying for Brexit Britain, and he barely entertains the idea that Scottish RSLs might just appoint a DPO in-house.

To be fair, the Belgian decision is a real thing that happened, and while I disagree with Jagpal’s assessment of its implications, he’s accurately described the situation. The same cannot be said of everyone in the outsourced DPO sector. In a webinar hosted by everyone’s favourite LinkedIn spammers, Data Protection World Forum, the CEO of The DPO Centre, Rob Masson decided to get creative. Masson spoke of the “quite strict guidelines” (AKA legal requirements) about who can be a DPO and the importance of avoiding conflicts of interest. He went on to say “we’ve got to remember that the role of the Data Protection Officer is to represent the needs of the Data Subjects. It’s not necessarily to represent the needs of the organisation.”

None of the specified DPO tasks refer to data subjects. They require a DPO to advise the organisation on data protection matters, monitor its compliance with the GDPR and other laws, advise on and monitor the effectiveness of data protection impact assessments, and liaise with the Information Commissioner’s Office. If you wanted to be exceptionally generous to Masson, you could interpret the whole of the GDPR as reflecting the needs of data subjects to have their personal data properly regulated, and from there spin the DPO’s role as a facilitator of that. But that’s also nonsense. It’s as much in the interests of an organisation that the personal data they use is accurate and secure as it is for data subjects. The GDPR sometimes allows controllers to retain data despite a subject’s objection, to keep processing secret from them when it might prejudice certain purposes, and to balance their own wish to use data against the impact on the subject, deciding to use it without consent when they think they’ve assessed the situation properly.

If we’re talking about the needs of the organisation, I’d argue that most of the GDPR’s requirements reflect the needs of the controller. Some organisations are too lazy or stupid to see it, or they’re getting advice from the wrong people. It might seem like disposing of personal data that you genuinely don’t need any more is an unwelcome imposition, but it’s very much the healthy option. To use Masson’s own word, GDPR is the spinach that the organisation *needs*, even if it might prefer the Big Mac and Fries of not thinking about it.

A77 gives the subject the “right” to lodge a complaint with the relevant supervisory authority. A39(1)(a) says that the DPO “shall” inform and advise the organisation of their obligations. Contrast these provisions with the words in A38(4), the only element of the DPO articles that refers to subjects: “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.” This obviously means that the DPO ought to be accessible to data subjects (one of my objections to senior DPOs is that they won’t go for this), but it also shows Masson’s version to be fantasy. There is no right to reply, no hint that the DPO is the subject’s advocate or representative. They’re at best a conduit for concerned subjects.

Obviously, the DPO isn’t just the loyal servant of the organisation, and they have to reconcile being an employee and an independent advisor. I disagree with Jagpal’s dismissal of junior officers as being capable of standing up to CEOs because I know so many who do it regularly. But he’s reflecting a real problem that many DPOs face. If the senior people don’t want to take the DPO’s advice, they are in an invidious position. Until the ICO shows that it is willing to back DPOs in these kinds of situations, it’s going to remain a precarious and stressful job for those facing unsympathetic management. Masson’s characterisation can only make this worse, feeding a perception that the DPO is not even there to help the business, but to pursue the interests of data subjects. Subjects come in all shapes and sizes, but some of them are hostile, difficult and aggressive, and telling a CEO who already doesn’t take data protection seriously that their DPO represents these people’s interests is toxic. This snake-oil may seem slick on a bullshit webinar, but if this unhelpful message reaches workplaces with already unsympathetic management, it’s going to make the work of beleaguered DPOs even harder.

I wonder if it’s a coincidence that Masson’s misreading of the GDPR could benefit his business – if the DPO really is there to serve the needs of the data subject, doesn’t an external figure make more sense than an in-house officer who won’t be doing what you want them to do anyway? There’s nothing in the GDPR that would make you think that this version of the DPO is correct, so it has to come from somewhere. If that’s it, rather than simple ignorance, I wonder if Masson has the guts to try to hawk this stuff in a forum where people might actually challenge him.

At this point, you might be thinking, so what? People talk shite to get business. They predict SARmageddons. They shout about 4% of annual turnover fines. They claim that first-tier decisions in Belgium should make you change your DPO. Does it matter? Doesn’t every sector have its share of hype and froth? The answer is that I have to work in this one, and I think the truth matters. I also have to clean up other people’s bullshit. I have to overcome the hype and the scaremongering spread around by the other people in my industry. I know the popular mantra is that commercial folk should all be pitching in and helping each other, but by spreading misinformation, the likes of Rob Masson are already not doing that, so why should I?

The Information Commissioner’s Office isn’t going to enforce against organisations with an imperfect DPO choice – perhaps they should, but they won’t. They’ve done one GDPR fine in two years and I doubt we’ll see another one in 2020. Sidelined by government in the coronacrisis, facing a review from the DCMS (pointedly not postponed despite the pandemic) and humiliated by the collapse of multiple high profile actions, the ICO is an irrelevance. I’ll be surprised if they survive in their current form. The reason to choose the right DPO is that an independent, challenging person in the role will help organisations to make intelligent decisions that will build a culture of more secure, more accurate, more effectively used data. The DPO isn’t the voice of the subjects, they’re a valuable asset there to guide and assist the organisation. I won’t sell a single course place by saying so, but that doesn’t make it any less true.