Information Commissioner John Edwards' opening Data Protection Practitioners' Conference 2022 speech, delivered on 19th July 2022.
It is a pleasure to be speaking with you today.
We had 4,000 sign up for today, and we already have 2,000 with us. I should be intimidated by those numbers, and feeling nervous, but I don’t. I feel like I am among my own people. I’ve done what you do, I share your quirky obsession with privacy and data protection.
I’ve been doing this work for over 30 years. When I first started practicing law, I advertised as “specialising in Information Law”. I don’t think anyone else in the world described themselves in that way at that time, so it’s no wonder no one knew what the hell I was talking about.
I came to my first Privacy Law and Business conference in Cambridge in 1995. I was invited to attend this event in 2020, when I was supposed to be delivering the keynote as New Zealand Commissioner, but the pandemic put paid to that along with so much else.
Anyway, that is a long winded way of saying how wonderful it is to be here as your Information Commissioner, and to be able to bring this UK data protection community together in this way.
I want to talk this morning about my plans for the ICO and how they might affect you.
I’ll talk a little about DP reform.
I’ll set out why I think data protection practitioners have never been more important.
And I’ll also shoe-horn in a few Fleetwood Mac references.
What’s that about? Well last September, I appeared before a Parliamentary Select Committee. It was the final stage of the interview process for the role of Commissioner.
I had prepared my brightest ideas and detailed analysis of the privacy and transparency worlds. But the line that most seemed to stick with MPs and commentators that day was when I quoted Fleetwood Mac. I suggested that the UK could ‘go your own way’, with a new DP law and approach in the UK, that sat outside of the EU GDPR, and that seemed to engage the audience.
If I was going to have the early part of my time here as Commissioner defined by music, I might have thought more carefully. Perhaps a song by the Fall or Joy Division – maybe She’s Lost Control (of her data). But I could have done worse than Fleetwood Mac.
And crucially, I learned that day that the British love a musical reference. And so I’ll be repeating that trick today.
I certainly stand by the ‘go your own way’ point.
The GDPR is not beyond improvement. And the proposed DP reforms, which were laid before Parliament yesterday, strike a good balance in making improvements. The Bill reflects an understanding that there are areas of red tape for business that can be reduced, while acknowledging the value of protections that give people confidence to use the products and services that power the economy and society.
There’s still detail to be finessed within the Bill, of course, but it is clear that the UK can go its own way.
And so can the ICO.
I know a lot of you will have followed the announcement of our ICO25 plan last week closely. I set out a vision of the ICO I want you to see in 2025. And we published a plan of how we can get there.
I spoke about the ICO being a regulator who empowers.
Empowering people to confidently share their information to use the products and services that drive our economy and society.
Empowering organisations to use information responsibly and confidently to invest and innovate.
And empowering people to hold government to account, driving transparency that helps us all better trust in the decisions taken by public bodies.
ICO25 is a clear plan of how we achieve that. It sets out our priorities, the work we will focus on, and the work we’ll set aside to free up the capacity we need to make a difference.
If you haven’t seen our report, I’d urge you to take the time to read and absorb it. It is a plan informed by this community, and we want you to help us further by contributing to our consultation. Don’t stop sharing your feedback.
One of my priorities when I joined as Commissioner was to meet people and better understand what challenges you faced, and what I could do to help. I hope that those of you who contributed in some way, whether meeting me or my team or filling in our survey, recognise some of your thoughts in the ICO25 report we have published.
To give an example, people told me about the value of the ICO’s advice and guidance, but others wanted to see improvements. I particularly recall speaking with people in Edinburgh and Belfast who wanted more templates, case studies, checklists and the like.
So that’s what we’re going to produce. Our action plan sets out an intention to publish more tools, create a database of recommendations made following complaints, and publish our own training – more on that in a moment. And we’ll produce a ‘guidance pipeline’ too, to give you clarity of what support you can expect to see in the near future.
Likewise, you said the ICO could do more to connect DPOs with other members of the DPO community, to share expertise and experience. I hope the networking aspect we’ve added to this year’s conference acts as a first step in that direction. We’re establishing a Cross-Whitehall Senior Leadership Group to drive standards across government. And you’ll see in the ICO25 report our commitment to create a forum for organisations to discuss and debate compliance and best practice.
And many of you across the UK raised the time it takes us to resolve complaints – you wanted a quicker process, and clearer timelines around our handling. I hope you see that reflected in the ICO25 report, and the performance standards we are proposing.
I’ve talked so far about the ICO – how we’re listening, how we’re changing the support we provide. So let me shift now to you. The data protection professional.
Let me start by saying that rumours of your demise are overstated.
On my listening tour, I heard concern from some that changing the legal requirement for a DPO, as the proposed reforms do, makes your role less important. I don’t see it that way at all. Understanding data protection remains a fundamental part of any modern organisation. Understanding not only what the law says, but also what that means in practice, and how it relates to your customers, staff and stakeholders, remains a specialist job.
The privacy professional is the eyes and ears of an organisation in that respect.
You are the ones who best understand what any innovation around data will mean to customers.
There’s no substitute for that, and from what I’ve seen, this community is serving the UK exceptionally well. And I have seen from the listening tour the amplification effect and value of various DPO networks in sharing knowledge and making efficiencies.
One area where we could improve – and I include myself and my office here – is whether we are listening to all customers.
We have a tendency in privacy to talk about ‘people’. “What do people think if we use their data in this way?”, “How shall we let people know about this change?”.
But the reality is that lots of groups, with very different views and needs, make up any audience. Think of yourselves. You’re a data protection professional. But you may also be a parent. A member of a sports club. Someone with a specific health need. A consumer of mental health services.
If we’re going to bring the benefits of data driven innovation to all, then we must involve all in the conversations we are having. We need to make sure more people are aware of their rights. And we need to be listening to the challenges that all communities face.
I think this will be one of the great areas of focus for our profession in the coming years, and there’s more on the role my office will play in the ICO25 plan.
Also in that plan is how we will make your work easier and more effective. That’s the driving force behind our plans for the coming years. I’ve challenged my team to save business at least £100 million across the next three years.
What that means in practice is the ICO making the lives of data protection practitioners easier. Offering greater certainty in what the law requires, coupled with a predictable approach to enforcement action, that allows businesses to invest and innovate with confidence.
And flexibility to reduce the cost of compliance.
The training materials we’re publishing on our website today are a case in point.
At the ICO, we need our staff to be expert in what the law says. And so when new staff join, they’re signed up to training on the laws we regulate.
That training is great. It is written by subject experts, to enable more subject experts.
But the community of subject experts outside of the ICO needs to be bigger than ever. And so we’re publishing our materials for everyone to use.
This will help you, as you train new staff. So why don’t you go to our website, click on that link, and email the training modules to everyone in your organisation. Encourage them to find an hour or two over the coming sunny weeks to improve their expertise.
The information is all there on our website, at ico.org.uk/training.
It’ll help your organisation. But crucially, more data protection experts means more people safeguarding and empowering people, by upholding their rights. The chain continues.
I’ll draw to a close there.
I hope that setting out my hopes and dreams for the future of the ICO has inspired and encouraged you.
I hope you’ve enjoyed the multiple Fleetwood Mac references – I never managed to fit in a reference to Tusk, despite my best efforts.
And I hope that in the fantastic agenda you have ahead of you today, you recognise the kind of practical advice and support that I’ve spoken about the ICO providing across the coming years.