Published 22 July 2022
On 19th July 2022 the Information Commissioner’s Office (ICO) held its annual Data Protection Practitioners’ Conference – the first since John Edwards took on the role of Commissioner. There was no shortage of content on a variety of topics including international data transfers and the role of the ICO.
Your DAC Beachcroft data protection and cyber team was dialled in and listening intently to pick out the top takeaways.
A key theme running through many of the sessions was the ICO’s draft strategic plan “ICO25” and, in particular, the four proposed strategic objectives to (i) safeguard and empower people; (ii) empower responsible innovation and sustainable economic growth; (iii) promote openness, transparency and accountability; and (iv) continuously develop the ICO’s culture, capability and capacity. These objectives will drive ICO activity and enforcement over the next three years. The plan is open for consultation until 22 September and will be finalised in the Autumn.
There was a generally positive outlook from the Conference in respect of the proposed Data Protection and Digital Information Bill and the reform of the UK data protection regime. It was recognised that the proposed reforms strike a good balance between improvement and giving people confidence in their use of personal data. In respect of accountability, the ICO appeared positive regarding the replacement of the role of the Data Protection Officer with a senior responsible individual, as this would increase flexibility for businesses in complying with their data protection obligations. The ICO also expressed optimism about the benefits the reforms will have in allowing organisations to take a proportionate approach based on the types of data that they are using. Although it was noted that it was too early to understand the impact of the proposed UK law reforms on cross border data transfers, it was acknowledged that this is high on the Government’s list of issues to address. In respect of a future EU adequacy finding for the UK, the ICO appeared confident that data is equally protected in the UK as it is within the EU. Overall, the ICO underlined its commitment to providing appropriate support to organisations in complying with the future legislation and welcomed the increased ability to allocate its own resources.
A detailed update on the Data Protection and Digital Information Bill will follow in due course.
In one of the Conference sessions, Adam Ingle from the new foresight team summarised the following 5 emerging technologies which the ICO will be focussing on in the next year, which all involve processing of personal data in innovative ways:
This presentation focussed heavily on the ICO’s “AI and Data Protection Toolkit”, which is designed to:
The practical steps which organisations are able to take when a risk is identified fall into the following three categories: (1) a “must”, which represents a legal requirement, (2) a “should”, which represents what the ICO considers to be best practice, or (3) a “could”, which represents optional good practice. The ICO hopes that this tiered system will make decision making when faced with data processing risks a simpler and more manageable process.
The ICO believes in particular that the following three broad groups are likely to benefit from the Toolkit: risk and governance teams (for example the DPO and/or Legal and Compliance functions), AI model development teams, and members of an organisation’s senior leadership (as such individuals are likely in reality to provide sign off for data processing which takes place in an AI system).
During another session, the ICO unveiled its much-anticipated approach to TRAs, and is expected to publish its guidance on this by September at the latest.
Emma Bate, Director of Legal Services at the ICO, gave a preview of what we can expect to see later this Summer, with the proviso that the guidance has not yet had formal sign-off. Despite that, she said, it does give a flavour of the ICO’s approach.
Two main options in terms of an approach to a TRA were outlined:
For those organisations operating in the UK and Europe, or for those who have been working on their TRA processes based on the EDPB guidance, this is good news: option one essentially means that a TRA based on the EDPB guidance will meet the ICO’s requirements. If desired, you could therefore use the same process for both Europe and the UK.
The TRA tool being proposed by the ICO will involve a seven-step process and will include consideration of the level of risk to data subjects in the personal data that you are transferring. What also came across clearly was the recognition that the TRA process should be reasonable and proportionate for organisations to manage.
We all eagerly await the final publication of the guidance.
In a panel session entitled “Ask the ICO”, John Edwards was asked to explain the main differences between his current role as the UK Information Commissioner and his previous role as New Zealand's Privacy Commissioner. Interestingly, his response hinted at the mechanism in New Zealand for individuals to raise concerns of data protection complaints and allegations of distress to the Privacy Commissioner directly. In New Zealand, John Edwards explained, the Privacy Commissioner investigates complaints and if there is a valid claim for compensation for distress then it will assist with settlement negotiations between the individual data subject and the organisation. No such mechanism exists in the UK as of yet. In the UK, we have seen a significant increase in data breach compensation claims over the past two years, but these are ordinarily handled by claimant law firms, in correspondence with data controllers, or their lawyers, direct.
John Edwards noted that there "was scope for [the ICO] to emulate that [in the UK]", and that the ICO would adopt a "dispute resolution mindset", where it is possible and reasonable to do so. It is yet to be seen how the ICO envisages this role would be undertaken but it is clear from John Edwards' remarks that it is on the ICO's agenda. Although this may be welcome news for data controllers who receive numerous compensation claim requests, we suspect that the news was not well received by claimant law firms who may ultimately lose business as a result. We query how such a move would be resourced given the existing pressures on ICO staff. Perhaps a new compensation claims ombudsman would need to be created to deal with the likely high number of compensation claims received as we suspect the regulator will not have the capacity to deal with these just yet!
The Conference came just one day after the release of the new Data Protection and Digital Information Bill. As well as making amendments to core data protection law, the Bill (as currently drafted) seeks to amend the way the ICO itself is formed and operates. We will issue a full analysis of the Bill in due course.
Article Authors: Jade Kowalski, Charlotte Halford, Christopher Air, Eleanor Ludlam, Hans Allnutt, Rebecca Morgan, Christopher Little, Astrid Hardy, Zoe Carpenter, Omar Kamal