ICO Promises to Perform on the International Stage

Last month I commented on the Information Commissioner’s new Information Rights Strategic Plan which promised that there was more to come, not least an International Strategy for the ICO. Now that this International Strategy has been published it doesn’t disappoint. I must though confess to a certain amount of self interest here. When I was Deputy Commissioner I always championed the ICO’s international work so it’s particularly good to see Elizabeth Denham taking this forward. That’s one of the great advantages of Elizabeth coming to the ICO with a pedigree from the data protection regulatory world. Whereas some her predecessors have taken a little persuading that international engagement really makes a difference for the ICO and for those whose personal data  it is seeking to protect, Elizabeth arrived already committed to a strong international presence. Tellingly the UK Government has consistently been supportive of the ICO wielding international influence, recognising the benefits that this can bring to both the UK public and to UK businesses.

Elizabeth Denham invited me to contribute to the development of her Strategy and to take part in the workshop of international experts that guided her so it would be surprising if I was to be critical of the end result. What is particularly welcome is the way in which the ICO is looking to horizons beyond just the EU and the rest of Europe. Partly this is a response to Brexit but it is also a recognition that Europe doesn’t have a monopoly on effective data protection and that although the European way may be the best way in many respects this isn’t always the case. As Elizabeth has said it’s not just about having a powerful voice and making it heard around the world. It’s also about being excellent listeners and, hopefully, learning too.

Of course EU engagement will still be important particularly given the Government’s commitment to maintain GDPR levels of protection in the UK even after Brexit. As the Strategy recognises, the precise form of the ICO’s relationship with the European Data Protection Board will be shaped by the outcome of the Brexit negotiations but, come what may, a strong and constructive on-going working relationship will be of benefit to both the ICO and to businesses with  interests in the UK. Welcome to businesses will be the ICO’s commitments to working with the international business community, promoting truly global data protection standards, developing flexible data protection solutions through application of accountability principles and protecting personal data flows. It is particularly good to see the ICO supporting new, more flexible mechanisms to enable international data transfers such as codes of conduct and certification and seeking to explore the concept of the UK as a ‘global data protection gateway’ with a strong but interoperable data protection framework.

So are there any criticisms? Not really. It’s doubtful whether some of the commitments, such as hosting the European case handling workshop, properly belong in a strategy rather than a plan but I’ve been involved in too many fruitless discussions about what the difference is between a strategy, a plan and then a strategic plan to seriously raise this as a criticism. It’s the end result that really matters, and this is where the test will be. The ICO is offering a lot. The question is will it have the skills and resources available to it to enable it to deliver fully on what is a very promising strategy, given all the other pressures it will be facing and the many job opportunities that the GDPR is bringing.