On 3rd October, the annual Data Protection Practitioners' Conference was held by the Information Commissioner's Office (ICO), covering a wide range of data protection and cyber issues.
The DAC Beachcroft Data, Privacy and Cyber team attended, with the clear takeaway from the event being that the ICO is at the centre of transformational change from a data protection perspective, whether through technological advances, the empowerment of individuals and organisations, or changes to the structure of the ICO itself.
"We can't redirect the wind but we can adjust the sails" is how the Information Commissioner described the speed of technological change over the last year and the ICO's role in regulating it. Reflecting on the challenges faced by the ICO, he set out how the organisation intends to stay ahead of technological developments, give organisations regulatory certainty and give the public reassurance.
A variety of key initiatives, both completed and ongoing, to help achieve this were highlighted, including:
- The creation of the ICO Subject Access Requests tool
- ICO consultation on the draft Guidance on Biometric data
- Project ExplAIn interim report (a collaboration between ICO and Alan Turing Institute) to assist organisations with explaining AI.
- New Guidance on Employee monitoring in the workplace
As part of other efforts to "adjust the sails", the ICO is also carrying out the Regulatory Risk Review Project to support its three-year plan, including the recently issued consultation on draft Data Protection Fining Guidance.
Technical developments and artificial intelligence
The pace of change in the technology sector was described by the Commissioner as the "strongest winds of change", with artificial intelligence (AI) a key touchpoint. The importance of maintaining regulatory certainty and public confidence in this new technology was emphasised, with a panel of the ICO Executive Team identifying AI as the biggest challenge to data protection rights.
Those challenges were discussed by Helena Quinn, Principal Policy Advisor for AI and Data Science at the ICO. She noted that ultimately the output from AI models is only as good as the data they are trained on, and that at this training stage personal data is usually either taken from publicly available sources or procured.
The ICO gave the following practical tips to enable organisations to respond to these challenges:
- make use of Data Protection Impact Assessments both in respect of the AI model itself and the uses of the model;
- adopt and build in the principles of data minimisation, purpose limitation and storage limitation from the outset;
- engage effective security practices; and
- implement appropriate training and education within organisations.
The issue of tech-enabled harm via interpersonal relationships, and thus the importance of designing for safety beyond third-party security risks, was discussed by Eva PenzeyMoog, Principal at 8th Light. She highlighted how products can cause harm, but that prevention can take place through design and the prioritisation of vulnerable users. She explained that undertaking appropriate research to uncover abuse cases and archetypes will enable organisations to identify suitable testing and solutions for such issues.
Individual rights and data sharing
A key theme throughout the keynote address was "empowering you through information" and the importance of both organisations and the public communicating with the ICO. John Edwards referred to a piece of research commissioned by the ICO which aimed to assist the ICO in understanding how people are sharing their personal information and the value they place on their privacy over time. The research will be published later this year, with the results to be used to ensure that the views of the public are prioritised in ICO decision-making.
Although the rights of individuals to understand how their data is shared are a key area for the ICO, the benefits of data sharing were also discussed at length, with emphasis on how this could be achieved under existing legislation. The ICO was keen to emphasise that data protection law is not a barrier to proportionate and fair sharing of data; instead, it provides a framework to share data lawfully while protecting the people whose data is being shared. It was emphasised that use of a DPIA will actually help organisations share personal data, as it assists in planning the data sharing, assessing risks and identifying how to mitigate those risks, and helps ensure the sharing is done fairly, lawfully and with accountability.
This was consistent with ICO messaging throughout the conference that if organisations can unlock the power of the data they hold, it will be a driver of innovation, competition and economic growth, greater choice, and improved insights and outcomes.
Role of the ICO
As part of the Data Protection and Digital Information (No.2) Bill (the Bill), the ICO will be restructured into the Information Commission with a board model, with the Information Commissioner as chair. These changes were characterised as "evolution not revolution" by the Commissioner, and throughout the day, key aspects of the ICO's role were reflected on, emphasising the wide remit of the ICO, from guidance on how to deal with SARs through to complaint handling.
On the issue of enforcement strategy, the ICO emphasised that the carrot and stick approach continues to inform its position, with the use of clear guidance notes (promoting their MUST, SHOULD, COULD approach) and increased use of reprimands following breaches by public sector bodies. However, it was reinforced that the use of reprimands to encourage good data governance does not mean that harsher penalties would not be used where appropriate, with the issue of cookie banners being specifically referenced. On this topic the ICO stated that it has given clear guidance and many organisations have made the necessary change, but those behind the curve are warned that the ICO will start taking action.
The key message about the role of the ICO remains the importance of engagement with appropriate stakeholders. Referencing ICO25, it was highlighted that a change in approach to complaints handling is underway, with a focus on re-prioritisation, transparency, ensuring staff have relevant customer service and soft skills, empathising with customers, and providing regulatory certainty.
DPDI (No.2) Bill and international data transfers rumble on
We heard that it is anticipated that the Bill will become law in mid-2024, with the ICO committed to providing guidance and assistance on the main areas of change.
James Snook, Director of Data Policy at the Department of Science and Technology (DSIT), stated that the current regime does not provide a data rights regime that can keep pace with the evolving technological landscape, and that change is necessary. His view is that the Bill addresses these challenges through the modernisation of the statutory framework behind the Information Commissioner role, changes to the individual rights frameworks, and removal of some of the more prescriptive requirements, particularly in respect of SMEs where they might be deemed overburdensome.
Nonetheless, a panel discussion involving the ICO Executive Team expressed hope that the Bill, despite these changes, would not result in UK adequacy being revoked, in line with the Government's commitment to maintaining adequacy.
As part of this timely mention of adequacy, Emma Bate, Director of Legal Services at the ICO, gave an update on international transfers covering the recent approval of the UK-US Data Bridge. As we have highlighted in our commentary this month on the Data Bridge, Emma emphasised that an additional benefit of the bridge for transfers to the US (using any transfer mechanism) is that the DSIT assessment of adequacy for the Data Bridge can be relied on to simplify Transfer Risk Assessments.
Irrespective of the speed of change brought about by technological developments, the prospect of data breaches and the need for appropriate cyber security remain constant. A panel of ICO experts concluded that while most data breaches were preventable, 100% successful defences are unlikely in reality. Nonetheless, the impact of breaches could be limited by preventing common underlying issues such as the over-retention of information by data controllers. The involvement of the Board at an early stage of a security incident is also key; Boards are often, incorrectly, kept at arm's length.
Data and security accreditation and certification schemes, although positive, should only set the framework, which then needs to be actively monitored to meet the circumstances of the data controller. Trusted guidance available from the ICO and NCSC should be built upon to address the organisation's individual position. In the event that an incident occurs, the ICO viewed responses as having four phases: preparation; detection and analysis; containment and eradication; and post-incident activity. Nonetheless, the most powerful aid to improvement was seen to be learning the lessons of a data breach incident.
The ICO viewed key trends in the cyber security space as:
- Supply chain risk, including how the organisation connects to its suppliers rather than just what level of security the supplier has.
- The use of cloud providers was seen as generally a positive step to improve security, but presents the risk of less control over how and where data is stored.
- Reductions in attacks due to the Ukraine conflict now appear to have subsided with numbers increasing again.
- Increasingly sophisticated phishing attacks
- Perhaps unsurprisingly, generative AI is expected to have a role in both offence and defence in the future.
The conference had at its heart a theme of transformation: in what the ICO regulates, in how it regulates and communicates, and in the ICO itself. We look forward to seeing what the next year has to offer, and your DAC Beachcroft Data, Privacy and Cyber team will be there every step of the way to offer our analysis and assistance.