What's the ICO focusing on?

August 2022

A new direction for the Information Commissioner's Office

Empowering individuals and supporting business is at the forefront of a ‘new direction’ for the ICO.

John Edwards, who took the helm as Information Commissioner at the beginning of the year, is keen to position the Regulator as supporting businesses to realise the benefits of data-driven innovation, whilst upholding people’s information rights. He accepts this is a careful balance.

His first step was a six-month ‘listening’ exercise to understand businesses, organisations and people’s experiences of engaging with the ICO.

Next was the launch of ICO25 – a strategic plan and how the ICO will achieve its aims over the next two years.

So what of the new Commissioner so far?

Frankly, a breath of fresh air. There’ve been several indications Mr Edwards is not afraid to speak up about serious topics. In May, he published a straight-talking opinion on changes the Regulator wanted to see to the data protection approaches of police forces, in relation to victims of rape and serious sexual assaults.

The ICO25 plan

The ICO25 is a strategic plan which sets out why the ICO’s work is important, what they want to be known for (and by whom) and how they intend to achieve this over the next two years.

John Edwards recognises resources are finite, and they have to make choices about where to focus and how to spend their time. He wants to bring “the greatest benefit to the greatest number”.

The ICO25 video address kicks off with, “It’s about relationships.. trust, equality, dignity and democracy”. In fact Mr Edwards talks about people rather a lot. Bravo! This is much more what I’d like to hear from the ICO.

Safeguarding and empowering people

There’s a new focus around the ICO’s purpose. Safeguarding people, particularly the most vulnerable, and upholding their information rights. Speaking at the launch of the plan, John Edwards said:

“My most important objective is to safeguard and empower people, by upholding their information rights. Empowering people to confidently share their information to use the products and services that drive our economy and society.

“My office will focus our resources where we see data protection issues are disproportionately affecting already vulnerable or disadvantaged groups. The impact that we can have on people’s lives is the measure of our success. This is what modern data protection looks like, and it is what modern regulation looks like.”

John Edwards has also made it clear he intends to make it easier for people to access remedies if things go wrong. There has been a fair amount of criticism levelled at the ICO in this respect. The plan also talks about promoting openness and transparency.

Support for businesses

For business, the ICO’s stated objective is to “empower responsible innovation and sustainable economic growth”. How do they hope to achieve this?

  • Give organisations the knowledge they need to plan, invest, responsibly innovate and grow. This means giving more certainty about the law and more helpful guidance and tools.
  • New training materials have been published around data protection and freedom of information. The plan is to collaboratively produce more sector-specific guidance, asking representative groups to co-design materials to provide tailored and targeted advice.
  • Small businesses are a key focus too. The ICO reminds us about their SME hub, which includes examples and bring together good practices to help SMEs comply with the law, develop a trusted customer base, know how to deal with subject access requests and so on.

Reducing the cost of compliance

Mr Edwards talked about plans for the new data protection law, and has challenged his team to reduce the cost of compliance for businesses, in fact he’s set a target to save businesses at least £100 million over the next 3 years.

Alongside this the new Data Protection and Digital Information Bill is currently progressing through Parliament. Mr Edward’s views on this?

“I share and support the ambition of these reforms. I am pleased to see the government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.

“We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill.”

Plans for the public sector

The ICO plans a revised approach to public sector fines, recognising public money is best used to support the delivery of essential services. Mr Edwards says this is “a clear signal that regulation works best when we [the ICO] stands alongside organisations, encouraging change and improvement”.

He spoke of launching a Cross Whitehall Senior Leadership Group to drive compliance and high standards of information across government departments – with commitment from DCMS and the Cabinet Office in making this happen.

So what do we think?

Based on the new Commissioner’s first 6 months, we’re feeling optimistic the ICO is in good hands. The year ahead should be a particularly interesting one, with growing expectations the UK’s new Data Protection and Digital Information Bill will land next Spring or Summer and a clear new direction for the ICO.

Along with perhaps a bit of a headache to update current UK GDPR guidance!

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.