Need-to-knows about ICO25

The Information Commissioner’s Office laid out its new three-year strategy on 14 July. Here are the key points you need to know if you’re serious about privacy.

By Nigel Jones

Co-Founder of The Privacy Compliance Hub

July 2022

Who or what is the ICO?

The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights. It acts against businesses that breach data protection regulation, but it also funds research and provides guidance to enterprises and other stakeholders about good data practices. ICO priority areas include enabling responsible innovation and working on new responses for artificial intelligence and AdTech. The ICO is 85-90% funded by data protection fees paid by organisations, with other income coming from grants and fines.

What is ICO25?

On 14 July, the Information Commissioner John Edwards launched ICO25, a draft three-year strategy for the ICO. Mr Edwards only started his role in January, and the vision sets out his new plan for the ICO. Titled “Empowering you through information”, ICO25 is an action plan that describes why the ICO is there, what it wants to achieve, and how it wants to achieve it.

What are the main objectives of ICO25?

The ICO has four key strategic objectives:

1)    Safeguard and empower people

2)    Empower responsible innovation and sustainable economic growth

3)    Promote openness, transparency and accountability

4)    Continuously develop the ICO’s culture, capability and capacity

Key aims include empowering organisations to invest and innovate responsibly, empowering individuals by promoting transparency, and creating a fairer playing field for organisations who try to do the right thing on data. 

What are some of the plans?

Notably, the ICO is going to focus its efforts where it can have the most impact. Key project areas include supporting the most vulnerable communities, work on children’s online privacy, addressing AI-driven discrimination, setting expectations for the use of biometric technologies, influencing the future of online tracking, and an examination of how CCTV is being used, including in care homes. A shake-up of Freedom of Information processes is also promised.

What does this mean for individuals and businesses?

The ICO wants to make it easier for individuals to see how it is working in the public interest. It will do more to understand the concerns of the diverse UK public, and then use these concerns to drive its priorities. ICO25 aims to lower the cost of regulatory compliance for businesses, and to provide both certainty and flexibility so they can confidently invest in new, responsible innovations that will drive economic growth. A new iAdvice service will allow innovative businesses to seek early clarity about whether they are compliant, while binding rulings will provide certainty around the ICO’s position on business practice in advance, rather than after the fact.

The strategy also outlines a change in tack on dealing with poor privacy practices in the public sector, revising its approach to public sector fines so that money is not diverted away from where people need it most. 

The ICO will do everything to help organisations to comply, but those that don’t will be in trouble. Underlining this point, Edwards said: “I have a message for those who choose not to play by the rules. To those who seek to target and exploit vulnerable communities, who seek an advantage over law-abiding competitors by misusing personal information: you will find yourselves on the receiving end of our most punitive regulatory tools.”

What does the Privacy Compliance Hub think about the plans?

We welcome much of the ICO’s strategy, which strikes us as having a good balance of idealism and pragmatism. The focus on using good information practices to drive economic growth is particularly welcome, as is the publishing of a serious, robust set of KPIs against which ICO activity can be judged. 

However, although ICO25 signifies the ICO’s willingness to listen to sector-specific feedback from organisations, we feel it could have been stronger on how partners, consultants and privacy businesses could work with it to achieve lasting change – particularly as Edwards admitted its resources are limited. Privacy is a huge issue, and as such we need the entire ecosystem working harmoniously together, rather than the current siloed approach. We all have a responsibility to ensure those organisations that process information do so responsibly. 

What’s next?

ICO25 is now out for public consultation. The plan is available online, and members of the public and interested parties have been invited to submit feedback anonymously until 22 September. The finalised strategy is expected in the autumn, and we will of course update our customers and followers via the Hub and on our blog and social media channels.
