The ICO’s New Strategic Plan – A Change Of Course Or Steady As She Goes?

You may have seen that on 25 May, with exactly one year to go until the GDPR takes effect, the Information Commissioner, Elizabeth Denham, published her office’s Information Rights Strategic Plan for 2017- 2021. This might not be headline grabbing stuff but it’s important nevertheless as it sets out how the ICO will be approaching it’s regulatory role over the next few years. There’s no doubt that the ICO is facing choppy waters with GDPR implementation, the uncertainty surrounding  Brexit and the rapid pace of technological change. So does the Strategic Plan represent a change of course for the ICO or is it steady as she goes? There’s certainly no about turn here, which will be welcome news for many, but the Plan does introduce some significant adjustments to the ICO’s direction of travel with the intention of keeping the ICO relevant and responsive as a regulator as the world in which it operates moves on.

Most welcome for many will be the ICO’s on-going commitment to providing advice, guidance and assurance to responsible businesses. Although the ICO is clear that it will use all the powers and tools available to it under the GDPR, including the increased fining power, it is also clear that will target the use of these powers, as it does now,  on cases where public confidence in the processing of personal data is most at risk. Tackling the public challenge of nuisance calls is singled out for special mention so, if the message hasn’t already got through as a result of the recent fines on Flybe and Honda, this is an area where even the most responsible businesses need to take special care to stay within the letter of the law. There is though no suggestion that the ICO will move away, more generally, from its current, risk based approach whereby it targets its enforcement powers on those who are negligent as to their responsibilities and thereby put public trust in the processing of personal data at risk. Encouragingly there is no sign that the ICO sees its future in imposing hefty fines for what many might look on as more technical breaches of the procedural requirements of the GDPR  by the otherwise well intentioned. We can expect more to be revealed on the Commissioner’s approach to enforcement when her promised Regulatory Action Policy is published next year.

So what’s new? There’s an emphasis on creating a culture of accountability in organisations and increasing transparency about how personal data is used. In part this reflects GDPR requirements but it also builds on Elizabeth Denham’s leading work in Canada around privacy management and its relationship with accountability. Perhaps we’ll be seeing more from the ICO in the coming years on how businesses should manage their delivery of good data protection practice as well as the promised ICO guidance on what the GDPR requirements mean in practice. There’s a welcome reference in the Plan to the international dimension of data protection with a commitment to further develop the ICO’s global influence. Of course this is partly a response to Brexit but it also reflects the ever increasing flows of data across borders with the processing of personal data anywhere in the world now capable of impacting on the UK public. In a similar vein there’s a commitment to keep abreast of evolving technology, commissioning research, intensifying work on cyber security and working with technological innovators. In the short term this may be a particular challenge for the ICO given the forthcoming departure of their well respected Group Manager for Technology, Simon Rice but the commitment to technology is nevertheless an important and welcome one.

Are there any shortcomings in the  Plan?  I’m not sure how many readers would agree with the statement in Elizabeth Denham’s opening message that the GDPR, “brings a 21^st century approach to data protection legislation”. Of course, the GDPR is the reality that we are all faced with but I doubt if even Elizabeth Denham truly believes that the way in which the GDPR addresses the regulation of international data transfers can be described as an approach for the 21st century. Also, arguably, the Plan suffers somewhat from addressing both the Commissioner’s data protection role and her freedom of information role under the umbrella of “information rights”. The Commissioner’s role and responsibilities are significantly different under each legislative strand and a plan focussed on data protection alone might have been sharper and have revealed some more specific data protection commitments. There’s little to object to, though, for those who are keen to see a furtherance of effective, proportionate and relevant data protection regulation in the UK. And there’s more to come still. Keep a look out for the promised International Strategy, Technology Strategy, Resource and Infrastructure Strategy and Regulatory Action Policy that will be adding more flesh to this Strategic Plan.