Yesterday (5th May 2021) the Information Commissioner’s Office (ICO) held its annual Data Protection Conference and provided a full day of content on a vast range of topics. Your DAC Beachcroft data protection and cyber team was dialled in and listening intently to pick out the top themes and takeaways.
Surprisingly, there wasn’t a specific data transfers session on the agenda but the topic featured heavily in the “Ask the ICO” session whereby questions were posed by delegates. Whilst there were no clear answers to what is undoubtedly the hot topic of the year, we did learn that:
- Updated UK Standard Contractual Clauses (SCCs) will be released for consultation in the summer (presumably following the release of European Commission’s final EU SCCSs).
- The UK will look to recognise the transfer tools of other jurisdictions such as the EU SCCs.
- The UK intends to expand the list of jurisdictions that it considers to be “adequate” following a four stage process being (i) gatekeeping; (ii) assessment; (iii) analysis; and (iv) procedural review. The ICO will be involved in all stages and will publish its own opinion during stage (iv). The Department for Digital, Cultural, Media and Sport (DCMS) is expected to make an announcement in June regarding the new jurisdictions it will consider for adequacy.
During this session, the ICO made it very clear that data transfer policy issues (in particular, any data sharing arrangement with the US) is a matter for UK Government, rather than the ICO.
Concerns regarding the use of Artificial Intelligence (AI) is a strategic priority
There was much recognition throughout the conference that technological developments present both opportunities and challenges: The innovative uses of data enabling more efficient and effective delivery of existing services and the development of new services, but also introducing new concerns around data privacy and the potential for biased decisions and discrimination.
As a result, the ICO has made the use of AI (a key driver in many new technologies) one of its top three strategic priorities.
One of the key outputs from the ICO’s work in this area is its “Explainability Guidance”, issued by the ICO and The Alan Turing Institute, which aims to give organisations practical advice to help explain the processes, services and decisions delivered or assisted by AI, to the individuals affected by them.
The ICO has also issued a consultation on an “AI and data protection risk mitigation and management toolkit”. The toolkit is designed to assist organisations identify and mitigate the data protection risks that AI systems create or exacerbate. It is essentially a specialised DPIA for AI applications that encourages organisations to build in data privacy to their applications from the start (“data privacy by design”).
There was also discussion about specific regulation in relation to AI in the UK. Whilst it appears there is some political will behind this, with calls for specific legislation and it being the subject of a Government task force, at this stage there does not seem to be a concrete move towards such legislation in the UK.
However, the ICO is engaged with the recent draft EU AI Regulation published by the European Commission and will be publishing its formal response to the consultation on the draft on its website in due course. It was noted that this Regulation, although clearly no longer directly applicable in the UK, will be relevant to the UK’s AI strategy both because it will apply to UK organisations offering AI services to EU based companies, but also because at least some alignment is likely to be required in order to maintain any adequacy decision. For further information on the likely applicability of the draft EU AI Regulation in the UK and what the draft Regulation actually says. please see our recent article which is available here.
Consideration of ethical data use is key to filling in gaps in the law
In the absence of specific legislation in respect of AI or other new technologies, the ICO stressed the increasing importance of data ethics in filling the gaps where black letter law may not be able to keep pace with the rate of technological innovation. A simple way of thinking about this for organisations is the “could” versus “should” question. Just because an organisation could do something with data, which may be within the black letter of the law, does that mean that it should do it, if it is not something that the individual might expect or which may damage the trust and confidence held in that organisation.
The ICO highlighted the use of ethical frameworks as vital in protecting the rights of the individual in the face of technological changes, whilst ensuring innovation and economic growth are not stifled. These frameworks give organisations flexibility to explore new developments.
The ICO’s view is that data ethics is not a new requirement or another layer of compliance, rather an alternative lens through which to view data protection compliance, which will help organisations better operationalise UK GDPR principles. The ICO appears to support building in a data ethics review into legitimate interests assessments and data protection impact assessments. When undertaking a legitimate interest assessment, the data controller needs to balance the rights of the individual against the legitimate interest of the data controller in using the individual for that purpose. The ICO is of the view that this balancing exercise is no longer binary as between the data subject and the controller, but should also consider the interests of society as a whole. Data controllers can and should therefore take into consideration wider societal impacts and benefits.
Cybersecurity – preparation is key
The ICO ran through its breach statistics noting that it has investigated 1,700 data controllers and seen an increase from 13 ransomware incidents per month to 42. Although ransomware has significantly increased, the ICO has actually been more occupied with phishing and emails being sent to incorrect recipients in terms of types of personal data breaches. It was confirmed that the ICO will shortly be issuing guidance on ransomware and incident response, to include advice on: (i) preparation; (ii) data protection requirements and incident response plans; (iii) notification; and (iv) compliance, notably the ability of a controller to demonstrate compliance with the UK GDPR.
There was a heavy emphasis on UK GDPR compliance and preparedness. The ICO laboured the importance of having in place tested policies and procedures which will assist an organisation in the event of a personal data breach incident. This includes policies/procedures for dealing with a situation where systems and servers are all offline. It is noteworthy that the ICO expressly confirmed that when a ransomware incident is notified to the ICO, they immediately start looking at the organisation’s compliance with the GDPR, with an initial focus on Articles 5(1)(f) and 32 UK GDPR (the primary security obligations in the GDPR). One point which the ICO will look closely at is whether an organisation has segregated between live and offline repositories to ensure threat actors cannot pivot between live and backup environments. Where ransom payments are made in order to recover data, the ICO will question why the organisation did not adequately segregate or test its backups. It was also noted that the ICO does not put much weight on the promise of data deletion from threat actors, given that they are criminal actors.
When considering what security measures are in place, the ICO noted that it will assess the volume of personal data, categories of personal data, type of organisation, and type of personal data processed. In short, the higher the risk, the more levels of security they will expect to see. In assessing risk, the ICO advised that, as a starting point, organisations should consider the likelihood of risk and, if it were to occur, what would the severity be? Risk factors which the ICO will consider include: (i) criminal and malicious access; (ii) data exfiltration (which amounts to loss of control); (iii) detriment to individuals in regards to unavailability; (iv) attacker threats; (v) speed of access and availability of personal data; and (vi) permanent loss of personal data i.e. threat actor deleted backups, which results in the loss of the right of access for data subjects.
Data as an “opportunity” is key to the UK National Data Strategy
A clear theme from the conference was a desire for the UK to be seen as a jurisdiction where data and data use are seen as opportunities to be embraced, rather than threats against which to be guarded. Many of the speakers touched on a real desire to do something different in the UK and unlock the exciting potential of data, but within a safe and trusted framework. Phil Earl, Deputy Director for Data Strategy for DCMS, ran through the draft National Data Strategy, the consultation on which closed in December 2020. It has five missions:
- Unlocking the value of data across the economy
- Securing a pro-growth and trusted data regime
- Transforming the government’s use of data to drive efficiency and improve public services
- Ensuring the security and resilience of the infrastructure on which data relies
- Championing the international flow of data
The Government response to the consultation will be published shortly, but the message was clear that it wants to engage with the wider public sector and third sector on its strategy going forward.
A common theme through many of the sessions, from both the ICO and the external speakers from both the private and public sector, was a shift in how the role of the data protection practitioner (and even the ICO as the data protection regulator) is perceived. This is from being a strict compliance role to a more strategic role that enables growth and innovation, both on smaller scale for individual organisations but also on a more macro level for the economy as a whole. This aligns with the key missions of the government’s draft National Data Strategy.
Of great importance in unlocking the UK’s potential as an international data hub will be ensuring the free flow of data internationally. This is something that the ICO appears to be championing alongside DCMS. There is increased recognition that any movement from the UK and other jurisdictions towards laws or guidance which favour data localisation will be a hindrance to the UK’s international ambitions. In recognition of this, DAC Beachcroft has been working with the International Regulatory Strategy Group (IRSG) (which is a practitioner-led body comprising leading UK-based figures from the financial and professional services industry) on its efforts to raise awareness of the challenges posed by data localisation and the importance of unhindered international data flows to businesses and their customers. A link to a paper co-authored by DAC Beachcroft and the IRSG, which discusses the impact of data localisation on the financial services sector and which explores alternatives to data localisation, can be accessed here.
Upcoming consultation on the ICO’s approach to regulatory action and enforcement
The ICO is required to provide statutory guidance on its approach to regulatory action. This currently sits within its “Regulatory Action Policy”. However, it has decided to split this into three new documents in order to provide great clarity on approach to enforcement:
- Statutory Guidance on Regulatory Action;
- Regulatory Action Policy (to include guidance regarding how the ICO calculates monetary penalty notices, dealing with privileged materials and considerations regarding the economic impact of regulatory action); and
- PECR Enforcement Guidance (to include guidance regarding actions against officers and the application of penalties under the Privacy and Electronic Communications (EC Directive) Regulations 2003.
These documents will be key to understanding the ICO’s approach to enforcement action.
A consultation for all three documents will commence in May and be open for 12 weeks. Note that this will be the second consultation relating to the ICO’s Statutory Guidance on Regulatory Action following feedback that all three documents should be considered together.
The future role of the ICO
This was Elizabeth Denham’s last conference as Information Commissioner. Her term will come to an end on 31 October 2021 and she will be replaced by a new Commissioner (yet to be appointed). Whilst the Commissioner has a statutory role, there can be no doubt that each Commissioner brings his or her own experience and area of focus. In our view, Elizabeth Denham’s legacy will be her focus on accountability (perhaps reflective of her previous experience as the Information and Privacy Commissioner in British Columbia, Canada) and the fair use of personal data. The job description for the role gives us an indication of future direction; it points towards a particular focus on “commercial and business acumen” and “experience of using data to drive innovation and growth”. Whilst we wait for news of the new appointment, we can be sure that the focus of the new Commissioner is likely to drive enforcement action and, ultimately, the priority areas for your business.