Bring down the burden or cost of compliance
Businesses and organisations should be able to use the regulator to access a wealth of knowledge. In particular, the regulator should give them simple ways to comply easily and proportionately with the law. To do this, we need to amplify our own work to help businesses learn from the experiences of others. This is particularly important for small- and medium-sized businesses, which do not always have easy access to data protection expertise. We believe organisations benefit from the regulator sharing good practice examples, to help provide regulatory certainty and reduce the cost of compliance.
We will invest centrally in a series of services, tools and initiatives so organisations can benefit from the advice and support of the regulator when planning, innovating and managing information risk. Organisations will be able to select tools and products that are proportionate to their use of information.
We will act as a ‘hub’ for good information rights practice, so organisations can access real-life examples of what the law requires and what good looks like. These services will be accessible and, wherever proportionate, digital by default and based on self-service principles. They will utilise AI and robotic processing to increase the value we offer for the statutory charge which funds our work.
To do this, we will:
- publish our internal data protection and freedom of information training materials on our website for reuse by the organisations we regulate;
- create a database where we publish all our ‘one-off’ pieces of advice to organisations and the public in anonymous and reusable form;
- create a database where we publish our recommendations made following complaints, investigations or audits, including both examples of improved practice and best or good practice. We will publish these materials as a series of anonymous case studies that are searchable and reusable;
- produce a range of off-the-shelf products or templates to help organisations develop their own proportionate accountability or privacy management programmes based on freely-available, scalable tools and products provided by us;
- create, host and moderate a forum for organisations to discuss and debate compliance questions and standards online, bringing together experts; and
- bring together businesses and organisations to learn and share with us and each other through our Data Protection Practitioners’ Conference and other stakeholder engagement events. We will increase access and reduce costs by holding them virtually where our objectives are best met this way.
Provide assured regulatory advice
Early assured advice and support from the regulator when developing new business models, products and services will provide regulatory certainty for organisations and enable investment. Providing clarity to businesses about the baseline standards expected will also help them to gain a competitive advantage. This will differentiate them from other businesses through demonstrating their commitment to protecting their customers’ information.
We will provide assurance to organisations seeking to innovate. This will enable them to bank on the advice received from the regulator to execute their plans and initiatives with certainty and confidence.
Support innovators – we provide bespoke support to those innovating with personal information, proportionate to the innovation and risks involved. We will introduce Innovation Advice, a fast, frank feedback service for innovators, and continue the in-depth innovation support offered by our Regulatory Sandbox and the sectoral outreach offered by the Innovation Hub. This will help to reduce time and cost for organisations bringing products to market, with regulatory clarity provided at critical points in the design cycle of products.
Support SMEs – we will produce a range of ‘data essentials’ training and development modules and products specifically aimed at SMEs. This will enable them to publicly demonstrate their capability and commitment to the essential components of responsible data use. This will be based on 10 ‘essentials’ products. Following a pilot during the first year of our ICO25 plan, we will develop these products into a ‘data essentials’ package that SMEs can use to self-assess their adherence and share the results with their stakeholders and customers.
Deliver a programme of codes and certification, working with businesses and sectors to encourage the adoption of codes of conduct and certification schemes tailored to the needs of sectors and enabling organisations to demonstrate their commitment to compliance as a differentiator for customers.
Produce proportionate and transparent guidance to provide regulatory certainty
Being clear about what new guidance and codes we plan to produce and when will provide those we regulate with the opportunity to plan with certainty. Making sure that we reflect stakeholder views and economic impact in our guidance and codes is critical to ensuring they are proportionate. It also means organisations can implement our guidance effectively and understand what it means for them.
Produce and publish a ‘guidance pipeline’ to provide clarity and certainty to stakeholders. This pipeline will include our updated direct marketing and journalism statutory codes, an employment practices hub, guidance on research and subject access requests in law enforcement, guidance on emerging technology such as AI and biometrics and a programme of guidance reviews in response to forthcoming legislative reform.
Produce sector-specific guidance by working with representative groups to co-design guidance that provides more tailored and targeted compliance advice, using the language of, and addressing the risks most relevant to, different industry groups.
Consult with stakeholders through a broad range of activities to gain the widest possible input into the development of our statutory guidance and codes. This includes ensuring input from a wide range of voices, including stakeholder panels, consumer research and engagement and wider consultation, and publishing the results of this work.
Produce impact assessments for our work, where appropriate.
Encourage public sector standards and efficiency
The public sector holds vast amounts of personal information about UK citizens, including some of the most sensitive and confidential information about us all, such as healthcare, financial and demographic data. Often people don’t have a choice about using public services, and they must share their information to access services, support, financial benefits or to comply with the law.
The public sector is also facing a challenging time in terms of resourcing and funding, and, even in this context, it is important that high standards are maintained. The post-Covid-19 world offers an opportunity to build on some of the gains made during the pandemic in terms of innovative uses of information to improve public service delivery and maximise value for money and efficiency.
Form a Cross-Whitehall Senior Leadership Group to drive compliance and high standards on information. We will work with Government to influence high standards of data protection and to promote good information practices, meeting the framework set out by the National Data Strategy for how Government wants to work.
We will work with the Government to provide our expert advice, to assess and assure compliance and to identify information risk to enable innovation and prevent harm. We will encourage innovative solutions to the challenges facing the public sector and provide clear, consistent and proportionate advice to support the development of new ways of delivering for the public.
Revise our approach to public sector fines and enforcement. We recognise that public money is best used to support the delivery of essential services. As such, we will review the approach we take to fining public sector organisations to ensure that, while individuals’ rights are still protected, money is not being diverted away from where it is needed the most.
Data sharing. We will continue to enable responsible data sharing through the promotion of our code of practice and practical tools to enable organisations to share information to improve services.
Advice and support. We will continue to help public sector organisations, giving in-depth feedback on consultations and impact assessments, as well as providing advice through our helpline and responding to written enquiries.
Deliver timely regulatory interventions
Stakeholders need to have confidence that the regulator will produce outcomes in a timely and responsive way. The longer it takes for us to respond to complaints, provide advice or deal with requests for information, the harder it is for organisations to understand what is required of them and for individuals to exercise their rights effectively. Organisations also need to know the outcomes of our investigations quickly, to allow them to plan and to reduce uncertainty for their stakeholders and customers. Equally, those who raise concerns with us should expect a timely response to their complaints.
The ICO also works in a rapidly changing external environment and many of the issues business, Government and the public sector expect us to respond to are fast-moving and require a multi-disciplinary approach. We need to be able to respond rapidly and with agility to new and emerging regulatory risks and opportunities.
Public service delivery – we will ensure all our operational caseloads are within our published service standards by 31 March 2023. To do this, we will clear all our operational backlogs and ensure we are consistently meeting, and in many cases exceeding, our present service standards. This will be a collective effort involving all ICO colleagues. Once complete, we will capitalise on the breadth of skills this will promote and introduce a resource model to enable us to continue to respond flexibly to unforeseen peaks in demand. Once we’ve achieved our current service standards, we will review them ahead of 2023/24 for opportunities to continuously improve.
Investigations – we will deliver the outcomes of our investigations quicker and be more transparent about the time it will take to reach certain milestones in our investigations.
Be more transparent about what regulatory action we are taking and why. We will continue with investigations for no longer than necessary to achieve the desired result, and then refocus our resources elsewhere.
Introduce Pace teams for our discretionary regulatory work. This approach will be agile and will use multi-disciplinary project teams to research and, where necessary, make a proportionate regulatory intervention. It will operate within defined time, cost and scope parameters. We will continue to identify potential or actual regulatory risks and opportunities using our strategic assessment and risk methodology. We will be transparent about what work these teams will be doing and will publish the timescales in which we expect them to complete and report on their work.
Understand and respond to emerging technologies and trends – we will identify key issues that will influence the way that personal data is used. We will focus our efforts on areas such as the regulation of biometrics, facial recognition technology, the use of AI and algorithms, and health data. We also recognise that privacy-enhancing technologies can facilitate safe, legal and economically beneficial data sharing. Our tools will make it simpler for organisations to use privacy-enhancing technologies to reduce data protection risks. Working with other digital regulators, we will clearly set out our views on emerging technologies to reduce burdens on businesses, support innovation and prevent harms.
Enable international data flows through regulatory certainty
Enabling global trade by making the international flow of data as frictionless as possible supports economic growth. It also increases customer trust in how their information is handled and kept safe. Adequacy and Binding Corporate Rules (BCR) assessments will enable UK businesses to easily transfer data to other countries, safe in the knowledge that the regulator has provided assurances about how their customers’ data will be protected overseas.
Adequacy assessments – we provide advice to Government when they assess and determine the adequacy of other countries’ data protection regimes. We will provide an opinion to Parliament to support their consideration of draft regulations as they are laid. Adequacy regulations allow businesses and law enforcement agencies to send personal information to these countries, saving them time and money.
BCRs – we will improve the BCR approval process by removing duplication in the application forms and speeding up the approval process.
Involvement in legislative reform
We need to ensure the ICO retains an influential voice in the development of any new legislation that has the potential to impact on the organisations we regulate and the remit of the regulator. We can help shape the future of the regulatory regime. This is because of the wealth of experience we have in implementing the law, and our understanding of the challenges organisations face and where improvements can be made.
We also have a unique ability to understand the impact of changes across the broad range of our regulatory responsibilities. Understanding the changes that are proposed will help us prepare businesses and organisations effectively, to reduce transition costs and any friction resulting from changes in the regulatory regime. Engaging with the legislative reform process will enable us to give proportionate and helpful advice in the future on how to comply and what changes mean for those we regulate and for the public.
Timely and impactful advice – we will continue to invest in proportionate resources to provide timely and impactful advice to Government as legislative reforms are proposed and developed.