The Information Commissioner’s Office (“ICO”) held its annual Data Protection Practitioners’ Conference on 5th May. This year’s event was a virtual conference, attended by more than 3,000 data protection professionals across the United Kingdom (“UK”).
This annual event gives data protection practitioners the opportunity to engage with, and learn from, key stakeholders within the UK’s data protection landscape. It also provides an opportunity for the ICO to share updates on the latest news, guidance and activities it is working on.
We’re a little late in providing an update blog (a sign of just how much has been going on in the wider data protection world!) but there were some interesting updates that we think are worth having on your radar.
With that in mind, here are the key takeaways from this year.
Upcoming cyber security guidance
Data protection and cyber security are intrinsically linked, so, naturally, a portion of the conference was dedicated to the threat of cyber-crime. The ICO shared breach statistics from its office, noting a significant increase in ransomware attacks over the last year.
In response to this increase, the ICO said that it plans to issue guidance on both ransomware and incident response, to help organisations tackle this growing threat. If you would like to learn more about creating an incident response plan right now, we have our own guidance on our website.
As well as discussing cyber-crime itself, the ICO emphasised the importance of breach mitigation and the related obligations in the UK GDPR. It reinforced that having the right policies and procedures in place can both limit the financial fallout of a breach and reduce the likelihood of data loss or theft in the first place. It highlighted, for example, that in the event of a ransomware incident affecting personal data, the ICO will examine the victim organisation's compliance with its GDPR obligations, in particular the security-of-processing requirements in Article 32 and the 72-hour breach notification duty in Article 33. In practice, this means an organisation should expect to be asked what technical and organisational measures were in place before the attack, not only how it responded afterwards.
For our view on how to protect your organisation from ransomware, read our blog here.
International data transfers update
The ICO announced that it is finalising a new set of Standard Contractual Clauses ("SCCs") to enable personal data transfers between the UK and third countries. It expects to consult on the UK SCCs in the coming months.
The UK SCCs are separate from the new EU SCCs recently published by the European Commission. The ICO was clear that the new EU SCCs should not be used for transfers to third countries under the UK GDPR; it advised continuing to use the older EU SCCs until the new UK SCCs are adopted. You can read more about the updates on data transfers in our blog here.
Artificial Intelligence (“AI”) is on the ICO’s radar
The ICO recognises that the pace of innovation today is faster than the regulatory landscape can keep up with, particularly when it comes to AI. It acknowledges that AI brings both opportunities and concerns: while it can increase the efficiency of data-related services, it also raises fears about privacy and its potential for bias.
Given these concerns, the ICO announced that AI is one of its top strategic priorities. It pointed to recent work it has published on the subject, such as its “Explainability Guidance”, which aims to help organisations explain the processes, services and decisions delivered or assisted by AI to the individuals affected by them. It also highlighted its toolkit on AI and data protection risk mitigation and management, which it is planning to publish in the summer. This toolkit will help organisations to identify and mitigate the data protection risks associated with AI systems.
While no separate UK regulation of AI is planned, the ICO reiterated its engagement with the European Commission's recent draft AI regulation, to which it recently published a formal response on its website. The ICO stated that, although this regulation will not apply directly to the UK following Brexit, it will inform the UK's regulatory strategy.
This is for two reasons. First, many UK businesses that offer AI services interact with EU companies and citizens, so the EU's regulation may still apply to them. Second, just as the EU led the regulatory landscape for data protection with the GDPR, it is doing the same for AI, and many other countries are likely to follow its lead.
A question of data ethics: could versus should
During the conference, the ICO emphasised the importance of following the guiding principles of data ethics to inform decision-making around AI and other emerging technologies. In particular, it referred to the notion of could versus should: just because an organisation could use personal data in a particular way doesn't mean it necessarily should. If a proposed use of data falls into a grey area, in that the data would be used in a way the individual doesn't expect or in a way that could damage customer trust, then the organisation should choose not to proceed.
Data ethics is a complex topic, and applying the concept of could versus should first relies on a fundamental understanding of accountability and ethical frameworks. A good place to start is the ICO's accountability framework, which helps organisations understand the lawful basis for, and the risks around, their data processing.
Interestingly, the ICO has recently taken a step back from its proactive work on data ethics. Back in 2019, the ICO appointed its first data ethics adviser and embarked on consultation and research on the topic. In a recent blog, Simon McDougall, Executive Director for Technology and Innovation at the ICO, stated that the ICO will not be developing its own guidance on the topic and will instead highlight work it sees as helpful rather than taking the lead.
There are certainly plenty of commentators that think the ICO should focus on enforcing the data protection legal framework as it exists rather than engaging in non-statutory thought leadership on topics including data ethics. Whether this view has prevailed at the ICO is unclear, but it seems we may hear a little less about data ethics from the ICO in the future.
In her welcoming speech, the Information Commissioner, Elizabeth Denham, stated that "data protection had moved from a back-office function to being a career that has a real impact on the world." This was a theme throughout the conference: data protection is more than just a compliance obligation; it can be a competitive advantage that enables safe innovation. By prioritising data protection, organisations not only reduce their exposure to regulatory fines but also build better relationships with partners and customers.
This, of course, was Denham's last DPPC as Information Commissioner. We don't yet know who the new Commissioner will be, but it will be interesting to see how the ICO's messaging and priorities change under new leadership.
If you would like to discuss the content of this blog or want to discuss what your business needs in order to become data protection compliant, we can help. Contact us for a no obligation chat.