A big stick?
There is no indication that the Information Commissioner's Office (ICO) intends to shift its way of working away from promoting good practice and working with organisations to achieve compliance, and towards proactively pursuing breaches or looking for organisations to fine. Whilst the ICO is toeing the party line that fines must be "punitive and dissuasive", the regulator's ambition is to improve compliance to ensure better protection of data and adherence to the privacy principles, rather than to be a regulator whose primary purpose is to enforce and issue fines.
As well as enforcement, the ICO proactively focuses on various market sectors each year, not only from a compliance perspective but also to produce guidance, enhance the ICO's own market knowledge and keep ahead of change.
This is set out in the 'ICO Technology Strategy', which is reviewed and updated annually. For 2018-2021, the ICO will focus on the fact that the 'most significant data protection risks are being driven by the use of new technologies'. Examples of new technologies include facial recognition software and device fingerprinting. The ICO does not believe that privacy and innovation are mutually exclusive concepts, but clearly the way new technologies enable easier gathering of huge volumes of data, easy sharing of that data and combining of that data with other data sources presents risks to the protection of personal data (risks which have driven many of the new elements found in GDPR).
The ICO has identified three priority areas, which it believes are the key risk factors. These are:
- Cyber security;
- Artificial intelligence, big data and machine learning; and
- Web and cross device tracking.
Out of the three, AI has been highlighted by the ICO as the most significant. 'The ability for AI to intrude into private life and effect human behaviour by manipulating personal data makes highlighting the importance of this topic a priority for the ICO'. Dr. Nigel Houlden, ICO Head of Technology Policy, stated that if artificial intelligence is not transparent, judgements will be made about people without them knowing how or why they were made.
To assist companies in developing new technology, the ICO aims to establish a 'regulatory sandbox' (imitating the successful scheme run by the Financial Conduct Authority) in which organisations can develop new digital products and services in a safe environment before they are put live with the general public. This encourages companies to develop technology in a privacy-compliant way, provides a safe area to conduct testing and, importantly, provides a touchpoint for the ICO to keep abreast of developments and to help shape them and put appropriate protections and safeguards in place.
Liaising with businesses
This complements the ICO's other interactions with businesses, through its Technology Reference Panel (an expert advice panel on technology such as computer science, biometrics, data mining and identity management), workshops, helplines and individual liaison officers for strategic stakeholders.
The ICO aims to drive innovation in finding solutions to privacy challenges through its Grants Programme, which gives financial support to not-for-profit organisations.
The ICO continues to run its programme of advisory visits for voluntary audits, where historically the ICO has selected a sector and asked organisations whether they will voluntarily permit the ICO to audit. The current sectors being examined are educational institutions and healthcare organisations.