Information Commissioner John Edwards' opening Data Protection Practitioners' Conference 2023 speech, delivered on 3 October 2023.
Check against delivery.
Hello and good morning everyone. I’d like to welcome you to this year’s Data Protection Practitioners’ Conference, or DPPC as we like to call it. It’s great to be here virtually, speaking to so many of you.
I love the autumn. This point in the year always seems to be a time of reflection. A time of new beginnings – the nights start to draw in, the leaves change colour and the schools go back. A time to take stock, look back over the previous 10 months and prepare for a new year and new challenges.
A phrase I heard recently was “you cannot direct the wind, but you can adjust your sails”. That feels relevant to us all in this virtual room today. We all have things that affect our work. Things that we cannot change or account for - the growth of artificial intelligence, the upcoming changes in the legislation, the speed at which technology is advancing.
Change affects us all. The strapline of today’s conference is “empowering you through information”. So, this morning I’d like to give you some information that will empower you and help you to adjust your sails. And show how the ICO is here to help you help yourselves.
--
I’ll start with the strongest winds of change that affect us all, including the ICO. As I mentioned, the pace of change in the technology sector has brought unprecedented innovations and improvements to people’s lives. But it has also brought its own set of challenges and privacy implications.
It’s a positive change, a positive reason for us to adjust our own sails – when we used to host this event in person, we would’ve only had room to accommodate 800 of you.
Today, there are thousands of you.
And we can reach many more after the conference as well, by offering the content on demand via our host platform and through our website. These winds of change allow us to help practitioners do their jobs more efficiently and effectively.
On to one of the biggest transformations that my office has ever seen – artificial intelligence. This time last year, no one would have heard of a little thing called ChatGPT. Fast forward a year, and it’s the fastest growing app ever. It’s ubiquitous, and AI has integrated itself into almost every aspect of our lives. From our work, to our social media, to what we decide to watch on TV: it’s likely that AI plays a part in all of those decisions, often without us realising or noticing.
As a whole-economy regulator, it’s important that we stay ahead of these developments. Organisations need regulatory certainty on where they stand and the public need reassurance that this technology is being designed with people’s personal information rights in mind.
Data protection by design and default – it's one of the key aspects of the legislation.
So, over the past few years we’ve produced guidance for organisations working with biometrics, a look-ahead report on emerging technologies and co-badged guidance with the Alan Turing Institute to help organisations explain decisions made by AI to the people affected. That's how we can help you to help yourselves, which is one of our key aims as a regulator.
This morning we launched our employee monitoring guidance, to help employers understand the data protection implications of using monitoring software. Advances in technology mean that workers may not always be aware that they are being monitored – which is unacceptable. Our guidance will ensure that monitoring is lawful, transparent and fair, with data protection considerations included from the outset.
You’ll hear later from Eva PenzeyMoog who understands where we’re coming from. She will talk about the importance of safety by design. Her work focuses on getting organisations to think about safety from the very beginning, because getting things right from the start helps those most at risk of harm in society.
It’s also important to meet people where they are. If people aren’t aware of their information rights, then they won’t look to exercise them. And if they’re not looking to exercise their rights, then unscrupulous organisations will take advantage of their information and misuse it. That’s why we commissioned a piece of research called Data Lives to find out exactly what the public thought and were concerned about when it came to their personal information.
Our research showed us that people’s stances towards personal information vary, depending on the context and what feels private in a particular moment. For example, we found that there’s no straightforward hierarchy of importance for personal information. Someone’s political views, although technically classed as special category data, can be public knowledge or a private matter depending on their social context.
The research also found that people either overestimated or underestimated the protections that they were given under data protection law. For example, some of the participants talked about not having a choice but to accept cookies to access their favourite websites. Some also believed that organisations can do what they like with people’s data.
We’ve explored how people feel about privacy, harms and benefits of data sharing in the here and now, but also how they feel about the future. This insight will help us to put the views of the public into the heart of our decision making, whether it is around our policy making, our live services, our communications or how we prioritise our work. The results of the research will be released later this year, and I’d encourage you all to look out for it.
This research speaks to the very core of what the ICO is about – empowering you through information. We’re empowering you, as data protection and freedom of information practitioners, to truly understand your customers.
--
So, we may not be able to direct the wind. But how are we, at the ICO, adjusting our sails to ensure that we remain committed to delivering for you amidst the change?
During my listening tour, you told me that subject access requests were one of the biggest issues that data protection practitioners were facing. You had large backlogs, low staff awareness of policies and processes, and a lack of time to devote specifically to improving practices. We wanted to help you with this as much as we could.
So, we’ve created a subject access request tool. It’s designed to make it easier for people to submit a SAR by ensuring that they provide all relevant information when they’re making their request. By guiding them through the process, we’re making your job easier and more efficient. We're making sure all the necessary I’s have been dotted and T’s crossed.
Another of our key transformations is the savings that our plan can deliver for businesses. And we’re already seeing the benefits of that. For example, the guidance on direct marketing that we produced for small businesses is estimated to have saved them more than £100 each.
There’s a significant proportion of you here right now. The time you would’ve spent reading our full direct marketing guidance is time that you can better spend on improving your offering to customers. This is the start of a transformation in the way we approach regulation. And it’s how we’re helping you to help yourselves, helping you to adjust your own sails to deal with the changes coming down the track.
We’re also working more closely with Whitehall and government. We are ensuring that they’re leading from the front in terms of their data protection performance, sharing good practice and learning lessons from each other. We wanted governmental departments to deliver improved services for their customers. That’s why we created a cross-Whitehall group of senior leaders, all pushing for greater data protection compliance.
Another way in which we’ve transformed our approach to regulation since I last spoke to you all is through our regulatory risk review project. Now this may sound technical and corporate, but it’s incredibly helpful for understanding where we are now, where we want to get to, and how we can get there. It provides a blueprint for how we can achieve our target operating model by 2025.
Why am I mentioning this? It allows us as the regulator to lead by example, and show that it’s never too late to adjust and adapt the way you approach your work. We all had to make adjustments in the run-up to the GDPR. The run-up to the DPDI Bill’s implementation is no different.
By undertaking our regulatory review now, we will be in a much better position to adjust and adapt to the Bill’s arrival. You’ll find out more about the government’s plans for data protection in James Snook’s presentation later this morning.
For us, some of the key things that we’re focusing on in our review include our end-to-end investigatory process. We looked at whether it could be tightened up or refined to make the best use of our resources, enabling us to deliver effective and efficient regulatory action. We’ve identified some of the reasons for significant delays that occur in our investigations, such as over-resourcing lower-level regulatory activity. We’re working to resolve those so we can be more agile and responsive to emerging issues and stop or punish harmful practices more effectively.
As part of our regulatory review, we’re consulting on our draft guidance for when we issue penalties under data protection legislation. We looked at the process that we go through when calculating the fine. That draft guidance was published yesterday, and it provides an insight into how we reach our most important decisions as a regulator. It explains when, how and why we would issue a fine for a breach of the UK GDPR or DPA 2018. It provides much-needed certainty and clarity for organisations. It’s out for consultation, so let us know what you think via our website.
I’d also like to add in a nod to our freedom of information work, given that this year’s conference caters for those who also have to wear an FOI hat during your day-to-day work. We’ve published our internal training videos for FOI and EIR to help you refresh your knowledge. We created a toolkit for you to assess your current performance and work out how to improve. And we published case studies to highlight and celebrate good practice.
We understand that some of you may have to juggle FOI with other priorities and work. So, we’ve also created a short, free guide to FOI in 90 seconds to help staff get up to speed quickly when faced with an FOI request. This will give everyone in your organisation a basic knowledge and understanding of FOI.
Our three-year plan is ambitious, with ambitious projects. But ultimately it will make us a better regulator, delivering for the organisations we regulate and the people we protect. So it’s worth it in my book. Watch this space to see how this transformation takes place. And if you’re interested in our approach to this, we’ll be covering this in our ICO panel session later on this morning.
--
So, to the final transformation. As I alluded to before, this is the upcoming changes to the data protection legislation through the DPDI Bill.
We’ve said before that the bill is an evolution, not a revolution. It doesn’t replace or rip up the previous legislation. Rather, it amends and builds on it. It allows the ICO to retain our independence and protect people’s rights and freedoms. It also encourages growth and innovation for organisations through greater regulatory certainty. It’s a logical next step, allowing us to regulate more efficiently and effectively in the modern world.
The bill introduces more flexibility for businesses, which should make it easier for organisations processing personal information. The bill emphasises accountability and ensures that it remains at the heart of working with people’s information.
Having an effective, flexible and modern data protection legislation as a foundation will empower organisations to use, share and innovate with personal information responsibly and within the proper guardrails.
Our role under the bill remains the same. We are here to help you help yourselves, to reduce the costs to businesses in complying with the legislation. We will continue to deliver guidance and support to reduce the burdens on businesses. And I’m here to offer some reassurance as well – possibly the biggest change to the legislation is something that you won’t even notice. And that’s the change to us, from the Information Commissioner’s Office to the Information Commission, moving to a board model of leadership.
However, nothing about these changes will affect our independence as a regulator.
We’re affected by the changes as well. We’re having to make adjustments to our own sails to ensure we can continue to provide effective support and strong regulation to the organisations we regulate and the people we protect.
But I’d like to end by offering you all a promise – if you stick with us, if you come to us when you’re unsure or worried about what the changes mean for you and your organisations, then we will help you.
We will empower you and provide the certainty you need in the face of uncertainty. We’ll provide guidance, support, events like these, webinars, examples of good practice, a forum for you to share ideas and advice, training and more to help you to help yourselves.
This applies whether you’re a sole trader, a small business owner, an FOI practitioner for a local council or a DPO for a multi-national company.
We’re here to empower you through information.
--
I’ll draw to a close there. As you heard from our excellent compère Andrew, you’ve got an exciting agenda ahead of you and I can tell you just want to get started. So, please stick around for the full day. I can guarantee you’ll learn something new, be challenged and be inspired.
Thank you for listening and enjoy your day!