New technologies and evolving business models have required regulators to review their capabilities and respond to the new risks posed. The UK Information Commissioner’s Office (ICO) is no exception. The new General Data Protection Regulation (GDPR) has vested considerable powers in the ICO to regulate and supervise data privacy risks. Increasing concerns about the wholesale use and processing of personal data by firms are reflected in the ICO's recently published Technology Strategy, which outlines its objectives and focus areas through eight technology goals.
The ICO strategy’s leitmotif is that technological advances “need not come at the expense of data protection and privacy rights” and that “privacy and innovation are not mutually exclusive”. Through the development of its technology strategy, the ICO’s overall aim is to remain relevant by ensuring that the monitoring and understanding of technological change, and its impact on information rights, are a core component of its work going forward.
To achieve its strategic objectives, the ICO has set out eight goals for the next four years covering a broad range of issues - we highlight three which we believe are the most relevant for innovative Financial Services firms:
- Guidance on data protection risks arising from technology
The ICO will develop further guidance and reports to support its technology priority areas, and will also update its existing guidance to reflect the new regulatory provisions, including those in GDPR, which becomes applicable in May 2018. The ambition is to deliver guidance that is technically feasible and proportionate, and to promote data protection by design and by default.
Guidance will also be complemented by the publication of various reports. An annual report on “lessons learned” from reported cyber breaches and from technology issues emerging from Data Protection Impact Assessments (DPIAs) will be published. This will be a valuable update to the 2014 report “Learning from the mistakes of others”, which sadly remains relevant. Reports are also expected on the data protection implications of emerging technology issues, following the one already published on AI and machine learning.
More generally, the ICO plans to keep organisations informed about emerging risks and opportunities arising from technology through various public channels such as blogs, social media and webinars.
- Engagement with other regulators, international networks and standard bodies
As part of its international strategy, the ICO will prioritise international engagement on issues related to global privacy risks arising from the use of new technologies. This will include forming relationships with bodies that influence the development of global technology standards affecting data protection (e.g. the Berlin Group).
- Establishment of a regulatory sandbox to explore innovative technology
In 2018 the ICO will consult and engage with industry stakeholders about the implementation of a regulatory sandbox, to enable firms to develop innovative digital products and services in a safe and controlled environment. The ICO sandbox will draw on the successful process developed for the Financial Conduct Authority’s (FCA) sandbox, and through it the ICO will be able to advise firms on risk mitigation and data protection by design.
As mentioned in the introduction, in its technology strategy the ICO also identified three technology priority areas for 2018/19 as those posing the greatest risk: cyber security; Artificial Intelligence (AI), big data and machine learning; and web and cross-device tracking. These are the areas to which the ICO will devote most of its resources - in this context, Nigel Houlden, ICO Head of Technology Policy, highlighted AI as the ICO’s first priority.
What does it mean for FS firms?
The ICO technology strategy applies across sectors. In this blog we reflect on what it means for the Financial Services sector.
As we predicted at the end of last year, following the GDPR go-live date on 25 May, Financial Services firms using AI or other data-driven technologies (such as device tracking) can expect significantly greater scrutiny by regulators of their approaches to the use of, and controls over, personal data. This scrutiny will come from multiple sources - firms’ use of customers’ data was also highlighted as a top priority in the FCA’s 2018/19 business plan. In fact, the ICO and the FCA recently announced that they will strengthen their relationship in 2018 through an updated Memorandum of Understanding setting out how they will work together in future.
Firms should therefore ensure that technology-driven products and services that use personal data have “privacy by design” built into the whole lifecycle, governance and control framework. They should also be ready to engage with both the ICO and the FCA on any residual risks that cannot be mitigated in relation to high-risk processing of customers’ personal data. The consequences of unpreparedness can be significant: not only can the ICO impose a new maximum monetary penalty of 4% of annual global turnover for breaches, but it can also require firms to stop all relevant data processing. The ICO has been relatively measured in its recent communication about the use of monetary fines, stating that it will take a proportionate approach to firms that can demonstrate privacy by design.
Once GDPR goes live, there will of course be a lead time before any enforcement action is taken by regulators. The first few fines may also not be representative of the trends to come. It is therefore important for firms to take up the ICO’s offer to engage with it, both generally and specifically on where more guidance, testing or research is required. For example, the ICO’s upcoming consultation on its regulatory sandbox will be a unique opportunity for firms to give their views on what they need from the regulator, which risks are the most difficult to mitigate, and what an effective sandbox could look like from their perspective. Secondments from industry to the regulator are another effective way of sharing ideas and knowledge.
For its part, the ICO should be mindful that firms may place a disproportionate focus on which topics or areas are addressed first, and may be tempted to infer the regulator’s supervisory priorities from the timing of publications or the nature of enforcement action. Clarity of communication and ongoing industry engagement will help manage any misconceptions that arise from “reading between the lines”.