The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The COVID-19 pandemic has changed work for so many of us around the world, forcing innovation and new ways of working. And that’s just as true for regulators – we’ve had to adapt to develop new ways to support organisations.

The Innovation Hub participated in the Financial Conduct Authority’s (FCA) Virtual Women’s Economic Empowerment TechSprint, providing advice and expertise on real life applications of data protection law. As this was a virtual cross-regulatory TechSprint, there were a host of novel challenges. For instance, how do you replicate the informal conversations you have from coming into physical contact with other participants at the event? And how do you ensure participants are aware that they can reach out to you for advice? We quickly worked out we needed to be flexible and proactive in our approach so that we made each conversation relevant to the individual participant and their proposal.

However, whilst there were new practical challenges, we found that there were themes in the data protection queries we encountered. It became clear that teams and organisations won’t always know specifically what they need support with. They knew they needed to factor compliance with data protection legislation into their solution development, but were unsure where to start. That’s why involving data protection specialists from the outset is so crucial. We were able to point out and help work through challenges that teams hadn’t yet thought about and prevent barriers further down the line. We also provided useful resources like the ICO Innovation Hub’s ten top tips for innovators.

Overall, we found three common issues for many of the teams during the week. These areas are key for anyone looking to innovate with personal data.

  1. Build in accountability

Teams required advice on their obligations under the accountability principle of the UK GDPR and advice on how they could comply. Adopting a data protection by design approach from the outset and carrying out data protection impact assessments for high risk processing operations are key. If you’re not sure, our guidance on DPIAs is a great place to start.

  2. Personal data vs special category data

Many teams’ solutions potentially involved the processing of special category data. It’s vital to be aware of the general prohibition of the processing of special category data under the UK GDPR unless an Article 9 condition for processing applies. This is in addition to identifying an applicable lawful basis for processing under Article 6.

  3. It’s not all about consent

Some teams assumed that consent would be the most applicable Article 6 lawful basis for their solution. Consent must be freely given, meaning that consent requests need to be separate from other terms and conditions. There are also issues around the freely given nature of consent given by vulnerable individuals, for example those under duress. Other lawful bases such as legitimate interests may be more appropriate depending on the proposed solution. Our lawful basis tool will help you if you’re unsure.

The ICO Innovation Hub seeks to collaborate with other:

  • regulators,
  • catapults, and
  • public-private innovation partnerships

on initiatives that help bring about innovation. The Hub provides expert advice to participants of these initiatives to help them build data protection compliance into their products at an early stage.

The ICO Innovation Hub is interested in collaborating with other organisations and businesses. If you are planning an event aiming to promote innovation that will involve solutions using personal data and think that we could support you then please email hub@ico.org.uk.

Nick Patterson is a Senior Policy Officer in the Innovation Hub. The Innovation Hub works with regulators, catapults and public-private innovation partnerships on initiatives that help bring about innovation. They provide expert advice and ensure data protection compliance is built into projects at an early stage.