Reflections on six months in the ICO Legal Services Team
Browse this blog post
A great opportunity
In my seven years at A&O I have spent much of my time advising organisations from small charities to large multinationals on data privacy and cybersecurity compliance. This is alongside my broader role of supporting clients negotiating complex commercial arrangements, or undertaking M&A, often in areas involving new technologies and challenging data privacy and cybersecurity risks.
The opportunity to spend six months in the ICO legal team was one not to be missed. The ICO has had legal secondees before but March 2022 marked the start of a new, regular secondment programme. The ICO workforce has grown exponentially in recent years with the introduction of the GDPR and, as the ICO’s legal team expands, it is great to see the willingness to engage with the private sector and to learn from the lived experiences we have advising clients on the ground.
Unsurprisingly the ICO grapples with many of the same questions as we do in private practice, from the practicalities of achieving true anonymisation and the scope of joint controllership to the challenges posed by Schrems II and many other things. The secondment has given me the opportunity to contribute to the ICO’s work in a number of these areas, bringing a fresh perspective whilst also learning about how the ICO creates policy and delivers guidance on these topics to a wide variety of stakeholders.
A period of change
My time at the ICO coincided with a period of change for UK data protection (“we’ve been in a period of change for the past decade!”, I hear you cry).
- John Edwards took over as Commissioner at the start of this year and after completing a listening tour covering all corners of the UK, he recently published his ICO25 strategic plan which sets out an ambitious values-based vision for the future of the ICO. For organisations, plans to provide greater certainty and clarity, to promote transparency and to empower responsible innovation will be welcomed. As will the release of the ICO’s own training materials! The ICO25 plan remains open for consultation until 22 September so please do share your views.
- July also saw the new Data Protection and Digital Information Bill introduced in Parliament. Described by the Department of Culture, Media and Sport as a Bill to “harness our post-Brexit freedoms to create an independent data protection framework”, the Bill proposes to remove red tape for businesses but retains the core framework of protection provided to people under the UK GDPR. Interestingly, the Bill also provides for changes to the ICO governance structure whilst also granting the ICO more discretion around complaints handling and additional powers to compel information and issue interview notices. If passed, the fine thresholds for breaches of PECR will also be increased to align with the GDPR.
These changes come against a backdrop of Brexit and the Covid-19 pandemic, and at the same time as a new Online Safety Bill makes its way through Parliament.
All of this has made it an exciting time to be at the ICO as the organisation prepares for these developments whilst continuing to pivot and upskill to deal with challenges posed by newer technologies such as the use of AI and the processing carried out across the complex Adtech ecosystem. The ICO has also recently consulted on a new Regulatory Action Policy, which will provide an important guide to enforcement activity in the future and help deliver some of the certainty promised by ICO25.
Broad insight
My experience has given me a renewed appreciation of the breadth of important and interesting work the ICO is doing. Whether it is engaging with the Government on the data reforms or working with industry bodies on codes of conduct and certification schemes, the ICO’s work requires consideration of the views of many stakeholders, from businesses large and small, to public authorities and most importantly, the people whose personal data the law seeks to protect. This is done whilst navigating complex public law requirements, responding to consultations from Whitehall and the devolved administrations, and seeking to modernise to ensure it can be an effective regulator in the future.
I was able to see first-hand how the ICO’s Regulatory Sandbox team provide organisations with real practical advice and assurance to help them design innovative new products and technologies in a way that complies with data protection requirements.
The legal team plays an important role in helping the ICO develop policy across the board, no more so than in the field of international data transfers. As well as publishing its template International Data Transfer Agreement earlier this year, and recently updating its guidance on BCRs, the ICO retains an important consultation role as part of the Government’s adequacy assessments.
Much of the privacy work I did in 2021 and early 2022 was spent advising clients on carrying out transfer impact assessments, and working through the practical and legal difficulties of doing so in a way that is both meaningful and defensible in light of the Schrems II case. This remains a huge challenge for businesses and it’s a challenge that the ICO and supervisory authorities across Europe have also had to face. Following its consultation exercise, the ICO is in the process of finalising its transfer risk assessment tool and guidance – you may have seen this previewed at DPPC 2022. Once published, these documents will enable organisations to take a more proportionate and risk-based approach to these assessments, in line with the requirements contemplated by the draft reforms.
What next?
Whilst the coming months and years promise further change at the ICO, the secondment programme is here to stay. The next cohort of legal secondees start work on 5 September and for those interested in the programme please keep an eye out on the ICO website for future secondment opportunities.
Meanwhile, the Data Protection team at A&O will continue to monitor the progress of the Data Protection and Digital Information Bill and provide further analysis on the implications in podcasts and blogs as the situation develops.