Hello, thanks for having me here today. This event is one that the Information Commissioner’s Office has spoken at for a few years now. I spoke here last year, six months into my post, which was a great opportunity for me to get across some of my early thinking on our regulatory position. This year, I’d like to focus on the ICO’s regulatory philosophy and how we’re both empowering businesses in the finance sector and protecting the millions of consumers that rely on these services.
To start, thanks to City and Financial Global for setting up the event – the agenda is packed with interesting speakers across the day, and I hope everyone enjoys the diverse range of topics and events.
Now, I’m sure many of you will be aware of the Information Commissioner’s Office. There are a lot of links between the financial sector and data protection, and we understand and appreciate the fundamental role that people’s personal information plays in financial services. For those of you who aren’t as familiar with our work, a quick highlights reel – the ICO is the UK’s data protection regulator, and we are responsible for making sure organisations can create innovative, exciting products and services whilst still ensuring the protection and safeguarding of people’s personal information. Our mission statement, and the words that we at the ICO adhere to in all aspects of our work, is to empower you through information.
When it comes to the financial services sector, we understand that your work relies heavily on being able to use and exchange personal data. It’s essential to the effective and efficient operation of your sector. For example, it’s commonplace to use personal data to assess someone’s suitability for a loan or a credit card, and how much they pay for insurance. You work with people’s personal information every day, and it’s important that you know how we can help you with that.
The ICO is a whole economy regulator and understands that there’s a balance to be struck between empowering the public to share their information with confidence whilst supporting organisations to use this information responsibly, proportionately and safely. It’s one of our key objectives as part of our three-year strategy, ICO25.
Regulatory cooperation is also one of our ICO25 objectives, as working collaboratively and cooperatively will maximise our effectiveness. For example, being part of the Digital Regulation Cooperation Forum, or DRCF, has enabled us to work closely with fellow regulators: the Financial Conduct Authority, the Competition and Markets Authority and Ofcom. I became chair of the DRCF last year, and our new workplan was published last month. One of the projects the ICO is focusing on is with the FCA on digital assets (a topic on your agenda today). We’ll work together with them to build a deeper shared understanding of consumer experiences with digital assets and the distributed ledger technology that underpins them, focusing on the potential benefits and harms to consumers.
Another key focus for next year will involve researching and piloting a multi-agency advice service for digital innovators, including fintech companies, made possible by a grant from the Regulators’ Pioneer Fund. This work will help us build our understanding of the format and scope of regulatory services that best suit innovators’ needs.
The interaction of our work with the financial services sector and efforts to drive better outcomes for the UK public doesn’t stop there. Firms have told us that direct marketing rules under the Privacy and Electronic Communications Regulations (PECR) interact with new FCA Consumer Duty requirements to provide communications that support consumers to make informed decisions. We’ve published guidance on sending communications required by a statutory regulator, to help provide greater certainty on how to deliver important messages to consumers, while remaining compliant with direct marketing rules. We will continue to look for ways to help the sector get data protection right when supporting people – especially people in vulnerable situations and those affected by the cost of living crisis.
Of course, we understand that, given the prevalence of personal data in the financial services sector and its importance to your business activities, you may have an interest in the reintroduction of the Data Protection and Digital Information Bill. Since the Bill’s first draft, we have been heavily involved, providing responses to the government’s consultation on the bill and working closely with the government through their redrafting process.
We also recognise that our continued adequacy status is of interest to the sector. The government has confirmed its continued commitment to retaining adequacy, and I remain confident that there is nothing in the bill that risks our adequacy status. I spoke at a select committee on the bill last week, and reiterated our position of supporting the bill’s ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights.
We want to work collaboratively and constructively with you to improve standards and provide benefits for the whole sector. We want to help you do the right thing and look after your customers’ information.
As I mentioned before, we’re here to empower you through information. And that includes empowering you to innovate, particularly if it results in benefits for your customers. We do this in a few ways, which I’ll explain in turn.
Our advice and guidance. We provide detailed, specific advice for organisations of all sizes on their data protection obligations. We have sector-specific and law-specific guidance, for example, our guidance on direct marketing and our guide to processing data for law enforcement purposes.
Our Innovation Advice service and sandbox. For organisations who want tailored, specific, detailed advice from the regulator, we offer a bespoke service to help you, whether that’s a simple question or whether you’d like our support for the duration of your innovative project. Our Innovation Advice service, which is still in its beta phase, offers fast, frank data protection advice for one-off queries or specific data protection issues that you may come up against when creating your product or service. Our turnaround time for this service is 10 to 15 working days, allowing you to get the answers you need quickly and then continue with development.
Our sandbox scheme offers a longer-term, collaborative relationship with ICO experts for up to six months, with you testing and developing your product or service in line with our steers, in a safe environment to ensure data protection compliance. We would be on hand to offer support and answer queries where necessary.
Our sandbox is already supporting work in the financial services sector. In a project facilitated by the Home Office and UK Finance, we’re working with a number of high-profile banks in a data sharing pilot. Current financial crime legislation already allows institutions to share certain information to address financial crime risk. This pilot proposes to share the personal data of customers who pose a risk of financial crime, in a peer-to-peer way amongst the participating banks. If successful, this will reduce the cost and impact of financial crime on the UK’s economy and its citizens. However, the ICO is there to ensure the law is followed and that the appropriate data privacy mitigations are implemented.
One area of innovation I’m sure will get discussed a lot today is the use of AI in financial services. A 2022 FCA and Bank of England report highlighted some prominent AI use-cases that could involve some processing of personal data. These included its use for determining insurance premiums, assessing the likelihood of consumer arrears and default on a loan, and detecting fraud.
Generative AI has exploded into a whole range of areas of business and life and presents opportunities and challenges.
Rapid development and deployment of this technology requires regulators to examine the emerging risks and opportunities it can create. While AI technology and its potential uses are novel, data protection principles and the need to respect people’s privacy stay the same. Businesses across the economy – including financial services – need to be thinking carefully about how their legal obligations apply when deploying AI, so risks to people are mitigated, and harm is avoided. For example, you are accountable for considering:
- What is your lawful basis for processing?
- How will you ensure processing is fair and transparent?
- How will people’s rights under Article 22 of the UK GDPR relating to automated decision-making be upheld – for example, their right to request human intervention or to challenge a decision?
There is no excuse for reckless innovation that puts people at risk of harm. Innovation needs to be done responsibly. We expect, and require, financial services firms to be considering all of their data protection obligations from the outset and to take a data protection by design and default approach. This isn’t optional – if you’re processing personal data, it’s the law.
I’ve talked a lot about how the ICO can assist you to meet your business objectives. You can take or leave those offers, but if you choose to ignore our advice, and to take unreasonable risks with data, or ride roughshod over people’s rights, there will be consequences.
Financial services consistently top the charts regarding complaints members of the public make to us about businesses. Last year, 11% of our complaints cases related to your sector, with the bulk of these – 40% – relating to subject access requests made under Article 15 of the UK GDPR.
So go off and innovate away, but don’t forget the importance of getting the basics right.
Things like unsolicited marketing emails, which we’ve investigated in the sector.
Things like data security. We recently issued a reprimand to an online trading services provider, Gain Capital UK, after an unauthorised third party gained access to its systems. The result was 72,361 UK data subjects being affected. 17.92 GB of data was extracted, which included bank account numbers and sort codes, as well as names and email addresses. And if a financial services company can’t keep its systems secure, who is going to trust it with their business, and money?
I’ve talked about issuing reprimands, and recommendations for improvement, but let me be clear: if we investigate, and find evidence of egregious or significant harm, we can and will impose a fine which could be up to 4% of your total annual global turnover.
I hope that’s given you a bit of an idea about how the ICO is working to reduce regulatory burdens, increase regulatory certainty, empower you to be innovative, and ensure you are respecting and protecting your customers’ information. If you’re interested in applying to join our sandbox or if you need help from our Innovation Advice service, please visit our website for more information. There’s also information on our website about the DRCF and our joint priorities for the next year, so please take a look at that if you’d like to know the direction of travel for our regulatory cooperation work. Thank you. I’m happy to stay here for a few questions.