Anyone working in marketing knows about the risk of eye-watering fines from the Information Commissioner’s Office (ICO). In 2021 alone, We Buy Any Car was fined £200,000, Saga got a bill for £225,000 and Sports Direct had to pay out £70,000. They had all been found to have breached the GDPR by sending marketing emails and/or texts without permission.
But now there’s a new Information Commissioner at the helm. Rather than tales of blistering fines, John Edwards’ speech on 14 July struck a more pragmatic tone. Sitting in the hand-picked audience, I heard plans for sector-specific support, ambitions to save businesses money, and proposals to empower organisations to “use information responsibly and confidently to invest and innovate”.
The ICO25 is a three-year strategy with plenty of detail to dig into. Edwards calls it “a vision of the regulator we want to be, the world we want to shape, and a practical plan of how we get there”.
Here are my key takeaways:
Edwards was honest about the fact that the ICO has limited capacity and can’t be everything for everyone at the same time. There’s a danger that the ICO will spread itself too thin across the whole economy, so it makes sense the Commissioner would target resources where they’ll have the greatest effect. And he admitted they need to be transparent about how they make those decisions. The ICO25 seeks to lay out those priorities so that decisions can be made “for the greatest benefit to the greatest number”. That includes supporting the most vulnerable communities, addressing AI-driven discrimination, setting expectations for the use of biometric technologies, work on children’s online privacy and an examination of how CCTV is being used, including in care homes. A shake-up of Freedom of Information processes is also being planned.
One big change is that Edwards has publicly committed to make the ICO more open, accountable and transparent. That’s laid out in the ICO25, which crucially includes SMART goals and KPIs against which the success of this strategy can be judged. The Commissioner is also keen to build public confidence around how information is handled, and to help reduce the burden of privacy on businesses.
It was refreshing to hear that the regulator plans to help organisations grow by investing in “responsible information use”. “You’ll see us support responsible innovation, bring down the cost of compliance, engage with organisations and share our knowledge and insight more,” he added. One such proposal was a new bespoke iAdvice service, which will allow businesses to double check a new product or service isn’t in breach of privacy rules before launch. Finally, he promised to prioritise helping to reduce the cost of compliance, challenging his team to save businesses “at least £100 million over the next three years,” he said.
A regulator that empowers
Edwards wants to empower people to “to confidently share their information to use the products and services that drive our economy and society”, and to help organisations innovate with data. But, he included a note of caution for those who “choose not to play by the rules… you will find yourselves on the receiving end of our most punitive regulatory tools”.
The ICO25 is a big step forward towards ensuring better information practices and I welcome Edwards plans. But alongside acknowledging the ICO’s limited resources, he should have acknowledged the role the wider privacy ecosystem plays, including consultants, campaigners and other experts. Organisations such as the Privacy Compliance Hub have the same vision as the ICO. We want to fix the privacy crisis by providing practical tools and guidance to nurture a culture of continuous compliance. Because when people understand privacy they care about it. And when they care about it, they take action to protect it. We all have a part to play in creating a better world for tomorrow. And it’s time for the ICO to let us in.