On 14 July 2022 the UK Information Commissioner, John Edwards, launched the Information Commissioner's Office ("ICO") three year plan, ICO25. The ICO25 plan sets out how the ICO will prioritise its work and regulate over the next three years.
The ICO will focus its resources where it sees "data protection issues are disproportionately affecting already vulnerable or disadvantaged groups".
The ICO's strategic enduring objectives include:
- safeguarding and empowering people, particularly the most vulnerable, by "upholding our information rights and enabling us all to confidently contribute to a thriving society and sustainable economy";
- taking enforcement action "where necessary to make a real difference in people's lives";
- empowering "responsible innovation and sustainable growth, by providing regulatory certainty about what the law requires, reducing the cost of compliance and clarifying what we will do if things go wrong";
- promote openness, transparency and accountability "supporting the development of a modern Freedom of Information (FOIA) and Environmental Information (EIR) practice framework in the UK, inspiring confidence in public services and democracy";
- "continuously develop the ICO’s culture, capability and capacity to deliver impactful regulatory outcomes, be recognised as an effective provider of public services, a knowledgeable and influential regulator and a great place to work and develop".
ICO25 includes an action plan for the ICO's focus areas for the next year, which includes areas intended to empower people such as:
- reviewing the impact of "predatory marketing calls";
- reviewing the use of "algorithms within the benefits system";
- reviewing the impact the use of "AI in recruitment could be having on neurodiverse people or ethnic minorities, who weren't part of the testing for this software;" and
- "ongoing support of children's privacy" which involves continuing to enforce the ICO's Children's Code.
There is also a focus on "certainty and flexibility" for businesses in the ICO25 plan, with the intention to save businesses at least £100 million over the next three years. To achieve this, the ICO intends to:
- "publish internal data protection and freedom of information training materials";
- "create a database of ICO advice provided to organisations and the public";
- "produce a range of templates to help organisations develop their own approaches";
- "create an ICO moderated platform for organisations to discuss and debate compliance and share information and advice";
- "develop a range of ‘data essentials’ training, specifically aimed at SMEs whose involvement with data protection is a by-product of their core activity"; and
- "set up iAdvice to offer early support for innovators".
The ICO also intends to asses and respond to 80% of data protection complaints within 90 days, assess and respond to 90% of data protection complaints within six months, and ensure that less than 1% of the ICO's data protection complaints case load are over 12 months old.
“Certainty and flexibility remain the two pillars of what I offer to business today, and in how we will support the successful implementation of a new data protection law. Certainty in what the law requires, coupled with a predictable approach to enforcement action, that allows businesses to invest and innovate with confidence. And the flexibility to reduce the cost of compliance.
“That support for business and public sector is important in itself, but it is ultimately a means to an end. We help business to help people.”