John Edwards' opening speech at DPPC 2025

Kia ora koutou, hello and welcome to the ICO’s annual conference, the Data Protection Practitioners’ Conference. 

You’ve got a packed agenda ahead of you, full of practical insights from both guest speakers and ICO experts.  

It’s also Ada Lovelace Day today, where we celebrate the achievements of women in science, technology, engineering and maths. A fitting day, then, to hear from our keynote speaker Ivana Bartoletti, co-founder of the Women Leading in AI network and expert in all things AI, privacy and trust. 

Before that, you’ll have another opportunity to quiz me. If there is anything you would like to ask, please submit your question via this platform and we’ll pick a selection.

Thank you to everyone who submitted a question in advance and apologies if we don’t get round to answering all the questions that come in during the session. 

 

Thinking back to this time last year, had you heard of Scattered Spider or ShinyHunters? AI hallucinations, and Agentic AI?

When did you first hear about ChatGPT? Nearly 10 per cent of the world’s adult population is now thought to use it and more than half the people in the UK have used or regularly use a chatbot or LLM.

The current pace of change feels unprecedented. 2025 has been a year of new legislation, novel innovations and unique challenges, all of which impact our work.

Agility has never been more important. We can’t predict what change comes next, but we can all control how we react and adapt. This means striving to update our skills and knowledge and being able to shift priorities or test different approaches.  

My office has responded at speed to the Data (Use and Access) Act and its changes to the law. This will be the last DPPC we deliver as the ICO.
From April, we will be the Information Commission. But don’t worry, you will still get to enjoy this conference next year. 

In fact, you shouldn’t notice much difference as we transition to our new governance structure. We’ll still be here to help you, providing the same certainty and support via our guidance, advice and services. 

You will have started to see our new DUAA guidance that explains exactly what the changes mean for your organisation. Our teams are working hard to get the most important guidance out as quickly as possible - such as on international data transfers and automated decision making. 

We have consultations open until the end of the month on complaints and recognised legitimate interests, so please do share your views and help shape our guidance. 

By providing this certainty up front, we can help you get it right from the start. We must ensure the correct guardrails are in place so organisations can invest, innovate and grow by using personal information responsibly. But it’s our job to also remain agile, pivoting between trends and challenges that require careful scrutiny.  

Over the past year, the ICO has been using all the regulatory tools available to us - producing guidance and advice, engaging with companies, conducting audits, taking enforcement action with fines, reprimands and warnings, and leading criminal prosecutions. 

This has led to a raft of positive and timely outcomes for the public, whether that’s making the online world safer for young people with our Children’s Code, securing assurances from police forces on facial recognition technology or ensuring tech companies address our concerns before launching new products and services in the UK. 

As the Freedom of Information Act reaches twenty, we continue to drive meaningful improvements in transparency from public authorities, including water companies. 

If you follow our work closely, you’ll be aware of our focus on AI, biometrics and other emerging technologies this year. If used responsibly and with proper oversight, AI has huge potential to improve how we do our jobs and meet the public’s needs.

Only yesterday, the Government launched its new initiative to upskill all civil servants with AI training. We’re adopting a similar approach at the ICO too, looking at how AI and automation can support our processes and improve the services we provide.

Businesses also need to be agile to respond to the growing threat of cyber crime. Recent headlines are a timely reminder that cyber attacks can happen to any organisation. They can happen to yours too. You are already a target – you can’t change that. What you can change is the likelihood that an attack will succeed.

DPOs are often not responsible or solely responsible for cybersecurity. But it is more important than it has ever been for you to be working hand in glove with your information security teams. Why not seek them out after today? 

Ask them some practical questions: have we deployed multi-factor authentication everywhere it is available, or at least at the parts of the organisation with greatest access rights? Are we scanning for vulnerabilities regularly and comprehensively? Have we installed the latest security patch? Do we have metering to monitor data outflows? Can I get a regular update from our Chief Information Security Officer? What about the basics? Have we enrolled for the NCSC’s Cyber Essentials?

You will soon get a sense of whether your organisation has invested in the fundamentals, or whether this needs to be an immediate priority.   

Take a look at some of our action too - such as our fines to software provider Advanced and genetics company 23andMe. Instead of waiting for hackers to strike, think about what your organisation can be doing differently.

Cyber attacks are not just ransomware or brute force attacks. Many incidents are a result of social engineering and the insider threat. Your systems and processes may be locked down, but criminals can still trick your most astute employee into handing over valuable credentials.  

When was the last time you conducted a penetration test? Or tested your staff with a phishing email? You need to be getting these assurances and addressing vulnerabilities before they can harm your business and your customers. If you need advice on how to shore up your defences against social engineering, we have an expert panel on hand this morning. 

Let’s pause for a minute. I’ve spoken about the Data (Use and Access) Act, ChatGPT, cyber crime, and the agility we need to respond. But at the core, the answers to so many data protection questions lie in thinking about people. 

It’s about building public trust in your organisation and your approach to both responsible innovation and protecting privacy. People need to feel confident to share their personal information with you, knowing that you will keep it safe.   

This was central to our work on how data breaches can have a devastating ripple effect across someone’s life. We’ve been urging organisations to reconsider how they approach data breaches, arming them with practical tips and tools to respond with empathy.  

We’ve also been tackling nuisance calls, which can be distressing for elderly and vulnerable people who may struggle to discern genuine calls from those made by predatory companies. We recently warned the public to be on their guard against the rise of ‘robo calls,’ after fining two energy firms over half a million pounds for unsolicited marketing calls. 

We’re now looking at how we can change how organisations handle the records of people in the care system. This is more than a request for personal information. These are people asking to see their own biography – their own story – that is being looked after by someone else. It can be a deeply personal, yet often traumatic experience if confronted with cold bureaucracy or pages of unexplained redactions. We want to help unlock this process, which you’ll hear more about in the coming months.  

All our work must put people first - we’ve built today’s agenda with this in mind. I know I don’t need to tell this audience how data protection can truly affect people’s lives. It has never been about computers or robots. This is the same now as it was in 1984 when the ICO was founded, regardless of whether you’re dealing with someone’s records in a filing cabinet or training an AI chatbot with their data. 

That’s the takeaway for you today – if your organisation can adapt to change and evolve responsibly while keeping people at the heart, you shouldn’t go far wrong. 

I hope you enjoy the rest of the day. We’re disappointed that we can’t offer closed captions on the platform today, as we want our events to be as accessible as possible. If you need them, I hope you will be able to use alternative services built in to your browser to enjoy the day.  

Whether it’s your first time or you’re a regular, there will be something for you. Your feedback really helps us shape this event, so please take the time to fill in the polls after each session. Last year, 85% of you said you'd learned something new. Let's make it a full house this year.

And now, time for questions.