Georgia Alsop

The United Kingdom Accreditation Service (UKAS) may be in violation of the EU’s General Data Protection Regulation (GDPR) as a result of assigning its chief financial officer the role of Data Protection Officer (DPO). Recent court rulings have fined companies that refuse to ensure the DPO role is separate from those responsible for financial management.

Currently, UKAS lists Georgia Alsop as its DPO, according to language found in official UKAS contracts and the official Privacy Statement page of the UKAS website. Elsewhere on the UKAS website, however, Alsop is also listed as the company’s Finance and Corporate Services Director, the equivalent of a “chief financial officer.” According to a press release, Alsop is “responsible for finance, systems, facilities, HR, and … customer services” at UKAS. On her LinkedIn page, Alsop writes, “I am a Board Director with operational responsibility for Finance, Systems, Human Resources, Customer Service and Facilities.”

However, the EU GDPR prohibits this arrangement. The official document “Guidelines on Data Protection Officers” states:

As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.

Post-Brexit, the UK still requires compliance with the EU GDPR and has added UK-specific requirements on top of it. It does not appear that the UK diluted the DPO requirements in any way. Penalties for violating these requirements can be severe:

Infringements of articles 37–39 leave organisations open to the GDPR’s lower level of administrative fines: up to 2% of annual global turnover or €10 million (about £8.5 million), so it’s essential to meet your DPO obligations correctly and in full.

EU courts have punished companies that violated the rules on the independence of the DPO. In a 2020 case, Belgium’s Data Protection Authority imposed a €50,000 fine “on an organization for negligence in having appointed the company’s head of compliance, risk and audit as its data protection officer (DPO).” In 2022, Belgium fined a bank €75,000 for a similar violation related to its DPO’s independence. The cases are not limited to Belgium, however, as severe fines and penalties have been issued in Germany, Luxembourg and France. In one German case, a company was fined €525,000 for the conflicts of interest related to its DPO.

UKAS has come under fire for refusing to comply with laws, regulations, and sanctions while acting under the protection of figures within the UK government and the office of Lord Lindsay, a House of Lords member.

The recent Grenfell Tower Commission report blamed much of the deadly fire on UKAS’ conflicts of interest, which led it to accredit companies that were later found responsible for poor testing practices. Had UKAS performed its accreditation services objectively, companies involved in the manufacturing and testing of products later found to be defective might not have won contracts to build the Grenfell Tower building in the first place, and the fire could have been prevented. UKAS has since told the commission that it has made changes to limit conflicts of interest. Oxebridge, however, has found repeated violations suggesting that UKAS has made no such changes and lied to the Commission. Even after the Grenfell scrutiny, an independent report published by Engineering & Technology claimed that the UKAS-accredited NICEIC electrical inspection scheme was “incompetent” and put the public’s safety at risk.

In response to a complaint regarding a UKAS-accredited certification body, an unnamed UKAS official — thought to be Jackie Burton — appeared to make a statement that would legalize bribery. The official then suggested that UKAS accredited bodies not keep records of such arrangements so that UKAS would not be obligated to report them. UKAS then violated ISO 17011 by ignoring complaints about the scandal.

Under CEO Matt Gantley, UKAS has allowed its mark to be used by companies involved in human trafficking, data falsification, and other crimes. Even after scandals are revealed, UKAS refuses to withdraw accreditation, provided the accredited companies continue to pay UKAS for using its mark.

UKAS is supposed to be held to ISO 17011 by the IAF regional body “EA” (European co-operation for Accreditation). Still, EA has routinely sided with UKAS and refused to process complaints filed against the body adequately. The IAF has then likewise refused to investigate UKAS, despite allegations of violations dating back over ten years.

Oxebridge is calling on the UK government to break from the IAF accreditation scheme entirely and begin performing ISO 17011 assessments of UKAS itself. Should UKAS fail its assessment, Oxebridge is calling on the UK government to disband UKAS and take on accreditation within a government ministry instead.

