The ICO Names and Shames

The ICO has started to publish public datasets that include data protection complaints, cyber investigations, self-reported breaches and other relevant complaints and investigations.

More worrying for organisations that haven’t been taking information security and data protection seriously enough, is that organisation names are also being published. Details are provided on the nature of the issues as well as the outcome of investigations.

While this transparency from the ICO (in the public interest) is welcome, it may also have the unintended consequence of putting off some organisations from self-reporting personal data breaches, realising that this information would be made public whether it results in a fine or not.

The results have been made available by calendar quarter in CSV format and stretch back to Q4 of 2020.

It will be interesting to see how others use this data, from insurers to business rating websites. Needless to say, no company that cares about its reputation will want to end up in any of these public datasets.