Information Commissioner's Office
How the ICO Innovation Hub is enabling innovation and economic growth through cross-regulatory collaboration
The COVID-19 pandemic has changed work for so many of us around the world; forcing innovation and new ways of working. And that’s just as true for regulators – we’ve had to adapt to develop new ways to support organisations.
The Innovation Hub participated in the Financial Conduct Authority’s (FCA) Virtual Women’s Economic Empowerment TechSprint, providing advice and expertise on real life applications of data protection law. As this was a virtual cross-regulatory TechSprint, there were a host of novel challenges. For instance; how do you replicate the informal conversations you have from coming in to physical contact with other participants at the event? And how do you ensure participants are aware that they can reach out to you for advice? We quickly worked out we needed to be flexible and proactive in our approach so that we made each conversation relevant to the individual participant and their proposal.
However, whilst there were new practical challenges, we found that there were themes in the data protection queries we encountered. It became clear that teams and organisations won’t always know specifically what they need support with. They knew they needed to factor in compliance with data protection legislation to their solution development, but were unsure where to start. That’s why involving data protection specialists from the outset is so crucial. We were able to point out and help work through challenges that teams hadn’t yet thought about and prevent barriers further down the line. We also provided useful resources like the ICO Innovation Hub’s ten top tips for innovators.
Overall, we found three common issues for many of the teams during the week. These areas are key for anyone looking to innovate with personal data.
- Build in accountability
Teams required advice on their obligations under the accountability principle of the UK GDPR and advice on how they could comply. Adopting a data protection by design approach from the outset and carrying out data protection impact assessments for high risk processing operations are key. If you’re not sure, our guidance on DPIAs is a great place to start.
- Personal data vs special category data
Many teams’ solutions potentially involved the processing of special category data. It’s vital to be aware of the general prohibition of the processing of special category data under the UK GDPR unless an Article 9 condition for processing applies. This is in addition to identifying an applicable lawful basis for processing under Article 6.
- It’s not all about consent
Some teams assumed that consent would be the most applicable Article 6 lawful basis for their solution. Consent must be freely given meaning that consent requests need to be separate from other terms and conditions. There are also issues around the freely given nature of consent given by vulnerable individuals, for example those under duress. Other lawful bases such as legitimate interests may be more appropriate depending on the proposed solution. Our lawful basis tool will help you if you’re unsure.
The ICO Innovation Hub seeks to collaborate with other;
- catapults, and
- public-private innovation partnerships
on initiatives that help bring about innovation. The Hub provides expert advice to participants of these initiatives to help them build data protection compliance into their products at an early stage.
The ICO Innovation Hub is interested in collaborating with other organisations and businesses. If you are planning an event aiming to promote innovation that will involve solutions using personal data and think that we could support you then please email email@example.com.
Latest News from
Information Commissioner's Office
ICO fines three companies £415,000 for nuisance marketing10/06/2021 12:25:00
The Information Commissioner’s Office (ICO) has fined three separate companies a total of £415,000 for sending nuisance marketing to people about car finance, solar panels and funeral plans.
Elizabeth Denham welcomes a delay to the launch of the GPDPR10/06/2021 10:38:00
Elizabeth Denham recently (08 June 2021) welcomed a delay to the launch of the GPDPR.
Statement in response to concerns around the GP Data for Planning and Research programme08/06/2021 16:15:00
Statement in response to concerns around the GP Data for Planning and Research programme.
Conservative Party fined £10,000 for sending unlawful emails03/06/2021 12:05:00
The Information Commissioner’s Office (ICO) has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them.
Blog: How the digital design community can help shape the ICO’s work on the Children’s Code28/05/2021 12:25:00
A blog by Georgina Bourke, Principal Technology Adviser specialising in UX Design.
Blog: Spotlight on the Children’s Code standards – data protection impact assessments28/05/2021 09:10:00
A blog by Michael Murray, ICO’s Head of Regulatory Strategy.
Amex fined for sending four million unlawful emails21/05/2021 12:25:00
The Information Commissioner’s Office (ICO) has fined American Express Services Europe Limited (Amex) £90,000 for sending more than four million marketing emails to customers who did not want to receive them.
ICO and CMA set out blueprint for cooperation in digital markets19/05/2021 14:20:00
The Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) have published a joint statement, setting out their shared views on the relationship between competition and data protection in the digital economy.