Information Commissioner's Office

Paul Arnold at PDP’s Data Protection Compliance Conference 2023

Deputy CEO Paul Arnold’s speech at PDP’s Data Protection Compliance Conference, delivered on 4 October 2023.

Thank you for such a warm welcome. It’s great to be with you today and a privilege to be opening today’s Data Protection Compliance Conference.

I’m conscious that at least some of you may have been amongst the 8,000 plus people who registered for the ICO’s DPPC event yesterday. If so, then you’re having quite the conference week. And extra kudos to you if you braved today’s rail disruption to be here in person.

Many of my ICO colleagues have spoken at the DPCC over the years, and looking back over their wise words and the conference itineraries they helped to support, I’m struck by one overwhelming conclusion.

We work and live in complicated times, and they aren’t getting any simpler.

It’s at times like these that I’m reminded of the Einstein quote I have on my office wall. “Everything should be made as simple as possible, but not simpler”.

I first heard the quote 25 years ago at the start of my ICO career. It was 1998 and the much younger me was advising businesses over the telephone about the implications of the forthcoming Data Protection Act of 1998.

Back in 1998, very few people had heard of data protection. For most of the people I was talking to, data protection was both alien and complex. I was spending most of my time talking about why data protection law was needed and what its minimum requirements were for a whole range of businesses.

Keeping things simple, using real world examples of relevance to each business, but without losing the all-important underlying technical principles and requirements was as important for me in 1998 as I know it is for each of you in your organisations and when working with your clients today.

Of course, we can look back on 1998 today with a wry smile. They were simpler times, weren’t they? Data protection professionals had it a little easier back then, didn’t they? The regulator had it much easier too, didn’t we?

I recently spent some time reviewing the annual reports of all former Information Commissioners. In the 1980s and 90s, processing of personal data was undergoing a huge change. It was the start of a huge power shift and a similarly huge shift in the risk profile of the way data was processed in the UK. Instead of the majority of data processing taking place in a relatively small number of data bureaus by a relatively small number of people, that data processing power was being placed in the hands of an increasing number of people through the growing computerisation of our economy and society. And we were, of course, only a handful of years away from the rapid rise of social media and the near ubiquity of personal devices.

What would that mean for traditional jobs? What would it mean for data security? And of course, what would that mean for the protection of personal information? Sound familiar questions? These were all playing out in the early ICO annual reports of the 1980s and 1990s just as they are today.

Over the next few days you’ll be discussing the emergence of GenAI, the challenge of cyber security, global interoperability, the challenge of regulating the aforementioned GenAI and that’s just to name a few of the things you’ll be grappling with.

What I want to focus on today is how the ICO and the data protection profession represented here today can keep working together and learning from one another as we work in these interesting and challenging times.

Whilst the forthcoming DPDI Bill alters the way the data protection officer is described in law, make no mistake that the ICO will continue to look to organisations to behave accountably and to have access to relevant data protection expertise. This data protection expertise of course continues to morph into AI expertise alongside cyber expertise and more. The profession represented in this room, and your relationship with the ICO, is going to remain so important for society, the economy and for the ICO.

Certainly in my role as Deputy CEO, working alongside the Commissioner and our Executive Team, I still believe the ICO’s role today is to make things as simple as possible, but no simpler. Einstein would hopefully be proud.

Under our ICO25 plan we’re reshaping the ICO. We continue to enforce the laws we are responsible for and to sanction where it is necessary to do so. Organisations choosing not to comply or failing to take an accountable approach to data protection to secure a competitive advantage can continue to expect to experience the full extent of our enforcement powers.

But our message to those seeking to use data responsibly or to innovate is that we want to work with you and alongside you. We want to enable you, as the regulated community, to understand and effectively manage risk and to make responsible use of the assets you hold.

That’s why we continue to grow and invest in our range of services to help you do your jobs and to help businesses to grow and to innovate. We’re here to keep things predictable and yes, make things as simple as possible, but not simpler.

I like to view our support services for business as a pyramid. At the base we have our high volume services, providing advice to thousands of businesses each day and week, supporting their basic training and helping them build confidence to use data responsibly. Our focus here is on the millions of businesses without in-house data protection expertise.

For example, we’ve been piloting a range of ‘data essentials’ products designed to enable small businesses to complete a number of basic essentials training modules produced by the regulator. Once complete, each organisation will be able to describe themselves as having completed the ICO’s ‘data essentials’ programme, hopefully sending a positive message to consumers and service users and differentiating themselves from those businesses investing less time and effort in data protection.

We then have our Innovation Advice service, a little higher up the pyramid. This service is for organisations with a specific question relating to future innovative data use. We commit to respond to these queries with practical, pragmatic and accountable advice in quick time. We’re here to help businesses to innovate responsibly and that means meeting your expectations in terms of timeliness.

Finally, we have our regulatory sandbox at the top of the pyramid. I know many of you will be familiar with this service as it enters its fifth year. We’re keen to grow it so even more organisations can benefit from working alongside our expert team.

Some of you may also have noticed that we recently launched a new forum to encourage those in the DP profession to come together to share your views and experiences. As the profession continues to grow and evolve, we want to help to amplify the value and work alongside you to share knowledge, experience and expertise. If you’ve not seen our pilot, then why not give it a look on our website?

In addition to these specific services we’re also refreshing our approach to guidance. For decades the ICO has been well known for producing detailed and extensive guidance, often used and reused the world over. We’re not going to stop that, but we recognise that technical guidance often also needs a human translation to make it useful for many businesses. Where we can, we want to develop tools and products which genuinely help people to translate the technical into the practical.

That might mean more sector-specific guidance where the difference in sector calls for greater nuance. Or it might be tools, like our recent ‘think, check, share’ data sharing toolkit for those involved with child protection.

But for me, the future of the ICO isn’t just about the type of services we are able to offer. It’s about how we offer them and how we work to keep pace with the world we regulate and the world we live in.

Those who are familiar with our ICO25 strategy may have spotted that we’ve very publicly described five shifts of approach. These shifts are cross cutting. They are what we expect to be doing differently and they are what we want our customers and stakeholders to be recognising us for doing differently and to hold us to account for doing.

We want you to see us prioritising more simply and working with greater agility. This means describing why we are prioritising the things in our plans, being clear about the impact we are expecting to make and being equally clear when we are moving on to our next priority.

Linked to this, we want you to see us being more transparent. This means really pushing ourselves to place as much of our advice and thinking outside the organisation so it can be used and reused.

We want you to see greater empathy from the ICO. As a whole-economy regulator it can be hard to truly walk a mile in the shoes of each business we regulate and each person whose rights we uphold, but we are committed to doing so. We are listening to communities who we know we need to better understand so that the advice we provide and the action we take feels relevant, accessible and engaging to all customers and stakeholders.

We want you to recognise us for providing as much regulatory certainty as possible. That means being a predictable regulator. As I said earlier, if an organisation sets out intending to ignore their obligations to secure a competitive advantage we want them to know the consequences. Similarly, if organisations are acting responsibly and accountably, we don’t want them to fear the ICO.

Finally, just like all of you, the ICO faces a real challenge to maximise our capacity and capability in the face of new challenges. We want you to be able to recognise that we’re doing this and, coupled with our transparency commitment, we want to tell the story of how we’re transforming as openly as possible.

And of course, as many of you will know, as part of the DPDI Bill the ICO’s governance model and constitution is set to change. John Edwards will be the last Information Commissioner to operate as a Corporation Sole commissioner. Assuming the DPDI Bill continues to progress as expected, the ICO will soon report into a statutory board of publicly-appointed non-executives, chaired by the Information Commissioner, setting the strategic direction for and maintaining strategic oversight of the work of the ICO.

This is a long awaited enhancement to our governance and constitution. It safeguards our independence whilst introducing important resilience. It does this by creating scope for a range of technical experts on a diverse statutory board and its sub-committees, giving the future ICO greater capacity to remain truly relevant and yes, make things as simple as possible, but no simpler.

To conclude, the data protection profession and the ICO have never worked in more interesting or complex times. In our different but related ways, our role is to translate the complex into something if not simple, then as simple as humanly possible so that it continues to feel relevant and relatable for the millions of businesses and members of the public in our economy and society.

Events like the ICO’s DPPC yesterday and today’s DPCC event are so important for enabling our profession to come together, to learn from each other and to support one another.

As I hope I’ve managed to convey, the ICO is also transforming and reshaping to make sure we can continue to support you in your vital work as well as to listen and learn from your experiences.

I hope you each have a fantastic few days and I’d love to help you all settle into the event by welcoming any questions you might have.

 

Channel website: https://ico.org.uk/

Original article link: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/10/paul-arnold-at-pdp-s-data-protection-compliance-conference-2023/
