ICO’s new three-year strategic plan unveiled

What happened

On 14 July 2022, the ICO unveiled its new strategic plan, dubbed ‘ICO25’. The plan outlines the ICO’s regulatory approach and priorities for the next three years, including those for the coming year and the longer term. It also states that ICO25 “anticipates, embraces, and looks beyond” the intended changes to UK data protection regime, which are expected to be made by the government halfway through the plan’s duration.

Whilst the ICO’s focus until 2023 spans a variety of areas, we explore the most important ones for organisations to be aware of in greater depth:

Direct marketing

• In a statement earlier this year about how it intends to act against dishonest organisations that misuse personal information for marketing purposes, the ICO set out its aim to protect the public and uphold fair competition for the legitimate UK marketing sector.
• ICO25 has further solidified the ICO’s commitment to continue to combat predatory marketing over the next three years, particularly when it targets vulnerable individuals. This includes data-enabled internet and social media scams and frauds.
• The impact of this on organisations falling foul of marketing rules could be significant, given the ICO’s ongoing focus on this area and the UK government’s intention to raise the maximum level of PECR fines to those outlined under the GDPR (4% of an organisation’s annual turnover or £17.5 million, whichever is higher).

Subject access

• The ICO intends to develop a subject access request tool to help individuals to identify where their personal information is held, and how to request it in ways which will assist organisations in responding effectively. The intention is for the tool to generate a template from the ICO that the requester can send to organisations and the organisation will also receive guidance from the ICO to help them respond simply.
• Although this might help to ensure that subject access requests are handled and received in a consistent format, there may be some concerns about the potential administrative burden that may be associated with handling such requests through the tool, coupled with a potential increase in the number of subject access requests that are received as a result.

Children’s privacy

• The ICO will press for further changes to be made by social media platforms, video and music streaming sites as well as gaming platforms to correctly assess children’s ages and conform with the ICO Children’s Code’s guidelines about profiling children and sharing their data.
• The ICO will also continue enforce the need for increased transparency and use of privacy notices children can understand.
• This is closely related to the adjustments set out in the Online Safety Bill, which aims to protect children online and lessen illegal content and activity by introducing new rules for organisations that host user-generated content (those that permit users to post their own content online or interact with each other), as well as for search engines, which will have tailored duties focused on minimising the presentation of harmful search results to users. The bill is currently on hold until a new Prime Minister is appointed, however ICO25 sets out that changes to the Children’s Code will be made to align with the Online Safety Bill in due course, where required.

Use of AI and biometric technologies

• Emphasis will be placed on the regulation of biometrics, facial recognition technology and the use of AI. This will include work on algorithmic biases in the benefits system as well as the function of AI in recruitment.
• Particularly, there are concerns that AI-powered recruitment and hiring may prejudice against individuals from racial and neurologically diverse backgrounds, and that emotion recognition technologies may also discriminate against vulnerable groups, all of which the ICO will actively investigate and advise on.
• The announcement comes as the UK sets out new proposals this week for an AI rulebook on the future regulation of Artificial Intelligence, requiring the ICO to monitor the impact of AI based on a set of guiding principles.
• Xcina Consulting have covered the importance of protecting privacy in an AI-driven world in previous articles, following the ICO’s AI and data protection risk toolkit being introduced earlier this year. The ICO’s strategy makes it clear that this shall remain an important area of attention for both the regulator and for organisations over the next three years.

Why it matters

As part of the plan and in recognition of the importance of certainty and flexibility for businesses, ICO25 includes a package of actions which aims to help save businesses more than £100 million across the next three years, the ICO claims. To achieve this, the Commissioner intends to:

• Publish internal data protection and freedom of information training materials;
• Create a database of ICO advice provided to organisations and the public;
• Produce a range of templates to help organisations develop their own approaches;
• Create an ICO moderated platform for organisations to discuss and debate compliance and share information and advice;
• Develop a range of ‘data essentials’ training, specifically aimed at SMEs whose involvement with data protection is a by-product of their core activity; and
• Set up iAdvice, an advice service to offer early support for innovators.

• The ICO also intends to assess and respond to 80% of data protection complaints within 90 days, assess and respond to 90% of data protection complaints within six months, and ensure that less than 1% of the ICO’s data protection complaints case load are over 12 months old.
• The ICO is now consulting on the purpose, objectives, and performance measures set out in its ICO25 plan until 22 September 2022. We will provide further updates as more details unfold.
• In the meantime, you can have your say on ICO25 by submitting your comments through the ICO’s online survey.