Last week the Information Commissioner's Office (the "ICO") published its new strategic plan - ICO25.
ICO25 sets out the ICO's regulatory approach and priorities for the next three years.
The ICO's strategic objectives include:
safeguarding and empowering people, particularly the most vulnerable, by "upholding our information rights and enabling us all to confidently contribute to a thriving society and sustainable economy";
taking enforcement action "where necessary to make a real difference in people's lives";
empowering "responsible innovation and sustainable growth, by providing regulatory certainty about what the law requires, reducing the cost of compliance and clarifying what we will do if things go wrong"; and
to "continuously develop the ICO's culture, capability and capacity to deliver impactful regulatory outcomes, be recognised as an effective provider of public services, a knowledgeable and influential regulator and a great place to work and develop".
Safeguarding and empowering people
ICO25 includes an action plan for the next year, with focus areas intended to empower people, notably concentrating on:
investigating how AI-driven recruitment could be negatively impacting employment opportunities for those from diverse backgrounds;
investigating how biometric technologies are being deployed to establish if there are particular adverse impacts on vulnerable groups;
reviewing how predatory marketing calls can aggravate, or be aggravated by, the cost-of-living crisis; and
reviewing the use of algorithms within the benefits system.
Certainty and flexibility for businesses
ICO25 introduced a "package of actions" that aim to save businesses at least £100 million across the next three years by establishing greater regulatory certainty and a "predictable approach" to enforcement action.
ICO25 aims to achieve this by:
publishing internal data protection and freedom of information training materials;
creating a database of ICO advice provided to organisations and the public;
producing a range of templates to help organisations develop their own approaches;
creating an ICO moderated platform for organisations to discuss and debate compliance and share information and advice;
developing a range of 'data essentials' training, specifically aimed at SMEs whose involvement with data protection is a by-product of their core activity; and
setting up iAdvice to offer early support for innovators.
The ICO has said that it will cooperate and collaborate with its regulatory counterparts domestically and internationally to provide consistency in the law so that businesses can rely on the standards expected by the ICO and can look to minimise their costs in straddling multiple regimes.
Enforcement
When introducing ICO25, John Edwards, the UK Information Commissioner, issued an explicit warning to businesses that do not comply with the requirements, cautioning that they will find themselves "on the receiving end of our most punitive regulatory tools" - which can include enforcement notices and significant monetary penalties. Interestingly, the public sector may not face fines (the approach is being reviewed) so as not to divert money away from where it is needed most.
ICO25 promises to create a fairer playing field for those demonstrating good practice by taking action against those who do not. The ICO promises to take an "evidence led and predictable approach" to its enforcement action based on the potential risk posed or actual harm caused. Its interventions will be made in a timely and effective manner, providing a deterrent against serious non-compliance leading to significant harm.
The ICO has promised to assess and respond to 80% of data protection complaints within 90 days; assess and respond to 90% of data protection complaints within six months; and ensure that less than 1% of its data protection complaints caseload is over 12 months old.











