ICO Privacy Seals: a badge of honour but with strings attached?

Over the years, many businesses have embraced the use of seals on their products or services as a mark of distinction, a competitive advantage or, at the very least, a badge of honour for their efforts in leading certain industry standards. Seals representing eco-friendliness, organic foods and fair trade are a few of many examples that spring to mind.

In the United Kingdom, the Information Commissioner’s Office (ICO) has recently publicised its intent to progress the use of ‘ICO Privacy Seals’ with the aim of having the scheme up and running in 2016.  The ICO Privacy Seal will be awarded to those businesses that are “…going above and beyond the call of duty…” when complying with the requirements of the Data Protection Act 1998.

The scheme is intended to bring a number of benefits:

  • providing businesses with a competitive advantage;
  • building consumer trust and choice; and
  • incentivising good practice and raising privacy standards.

Perhaps the most interesting aspect of the scheme is that in order to be awarded the seal, businesses will be required to meet the assessment criteria set by third-party operators endorsed by the ICO. It is anticipated that each third-party operator will focus on its own sector of expertise or area of compliance. It is also likely that the seal will be awarded for a specified period of time (after which renewal will be required) and may also be revoked if businesses fail to maintain the high data protection standards set.

This has the potential to mark the beginning of a major shift in the regulatory landscape for data protection in the United Kingdom.

Firstly, the ICO may effectively be extending its regulatory reach through third-party operators. You could argue that signing up to this scheme is, after all, optional. However, according to the recent joint statement by the EU, 92% of European citizens are concerned about their privacy. In an environment where concern for privacy is at an all-time high, businesses may have no choice but to keep up with their competitors and therefore maintain the high standards set by third-party operators. We used to say that “doing nothing is not an option” when it comes to data protection compliance. In future, could doing “the minimum” be perceived as a non-option too?

Secondly, businesses can no longer take comfort in the lack of technical expertise to regulate their sector. Although the ICO has taken large strides in tackling technical issues such as wearable technology and big data, having sector-specific operators that thoroughly understand the complexities and details means that there may no longer be a place to hide for businesses.

Another question arises as to whether third party operators will notify the ICO in the event that a business fails to renew its seal or if one is revoked. If so, could this lead to the ICO auditing that business and imposing a fine should it discover any breaches of the law?

The benefits of the ICO Privacy Seal are clear.  As for its effect on the regulatory landscape, there are more questions than answers, at least for the time being.