New technologies and evolving business models have required regulators to review their capabilities and respond to new risks posed. And the UK Information Commissioner’s Office (ICO) is no exception. The new General Data Protection Regulation (GDPR) has vested considerable powers to the ICO to regulate and supervise data privacy risks. Increasing concerns about the wholesale use and processing of personal data by firms are reflected in the ICO's recently published Technology Strategy, which outlines its objectives and focus areas through eight technology goals.

The ICO strategy’s leitmotif is that technological advances “need not come at the expense of data protection and privacy rights” and that “privacy and innovation are not mutually exclusive”. Through the development of its technology strategy, the ICO’s overall aim is to remain relevant by ensuring that the monitoring and understanding of technological change, and its impact on information rights, are a core component of its work going forward.

Technology goals

To achieve its strategic objectives, the ICO has set out eight goals for the next four years covering a broad range of issues. We highlight three which we believe are the most relevant for innovative Financial Services firms:

  1. Guidance on data protection risks arising from technology

The ICO will develop further guidance and reports to support its technology priority areas, but will also update its existing guidance to reflect the new regulatory provisions, including those included in GDPR, which will become applicable in May 2018. The ambition is to deliver guidance that is technically feasible and proportionate and promote the use of data protection design by default.

Guidance will also be complemented by the publication of various reports. An annual report on “lessons learned” from reported cyber breaches and technology issues emerging from Data Protection Impact Assessments (DPIAs) will be published. This will be a valuable update to the, sadly still relevant, 2014 “Learning from the mistakes of others”. Reports are also expected on data protection implications of emerging technology issues, following the one published on AI and machine learning.

More generally, the ICO plans to keep organisations informed about emerging risks and opportunities arising from technology through various public channels such as blogs, social media and webinars.

  2. Engagement with other regulators, international networks and standard bodies

As part of its international strategy, the ICO will prioritise international engagement on issues related to global privacy risks arising from the use of new technologies. This will include forming relationships with bodies that influence the development of global technology standards that affect data protection (e.g. the Berlin Group).

  3. Establishment of a regulatory sandbox to explore innovative technology

In 2018 the ICO will consult and engage with industry stakeholders about the implementation of a regulatory sandbox, to enable firms to develop innovative digital products and services in a safe and controlled environment. The ICO sandbox will draw on the successful process developed by the Financial Conduct Authority’s (FCA) sandbox, and through it the ICO will be able to advise firms on risk mitigation and data protection by design.

As mentioned in the introduction, in its technology strategy the ICO also identified three technology priority areas for 2018/19, as those posing the greatest risk: cyber security; Artificial Intelligence (AI), big data and machine learning; and web and cross-device tracking. These are the areas to which the ICO will devote most resources. In this context, Nigel Houlden, ICO Head of Technology Policy, highlighted AI as the ICO’s first priority.

What does it mean for FS firms?

The ICO technology strategy applies across sectors. In this blog we reflect on what it means for the Financial Services sector.

As we predicted at the end of last year, following the GDPR go-live date on 25 May, Financial Services firms using AI or other data-driven technologies (such as device tracking) can expect significantly greater scrutiny by regulators of their approaches to the use of, and controls over, personal data. And this scrutiny will come from multiple sources: firms’ use of customers’ data was also highlighted as a top priority in the FCA’s 2018/19 business plan. In fact, the ICO and the FCA recently announced that they will strengthen their relationship in 2018 through an updated Memorandum of Understanding setting out how they will work together in future.

Firms should therefore ensure that technology-driven products and services that use personal data have “privacy by design” built into the whole lifecycle, governance and control framework. They should also be ready to engage with both the ICO and the FCA on any residual level of risk that cannot be mitigated in relation to high-risk processing of customers’ personal data. The consequences of unpreparedness can be significant: not only can the ICO impose a new maximum monetary penalty of 4% of annual global turnover for breaches, but it can also require firms to stop all relevant data processing. The ICO has been relatively measured in its recent communication about the use of monetary fines, stating that it will take a proportionate approach to those firms who can demonstrate privacy by design.

Once GDPR goes live, there will of course be a lead time before any enforcement action is taken by regulators. The first few fines may also not be representative of any trends to come. It is therefore important for firms to take up the ICO’s offer to engage with them, both more generally and specifically in relation to ideas on where more guidance, testing, or research is required. For example, the ICO’s upcoming consultation on its regulatory sandbox will be a unique opportunity for firms to give their views on what they need from the regulator, what the most difficult risks to mitigate are, and what an effective sandbox could look like from their perspective. Secondments from industry to the regulator are another effective way of sharing ideas and knowledge.

For its part, the ICO should be mindful that firms may place a disproportionate focus on which topics and areas are addressed first, and may be tempted to infer the regulator’s supervisory priorities from the timing of publications or the nature of enforcement action. Clarity of communication and ongoing industry engagement will help manage any misconceptions that arise from “reading between the lines”.



Stephen Bonner - Partner, Cyber Risk Services, Deloitte

Stephen is a Partner within Deloitte’s Cyber Risk Services practice with over 5 years of security consulting experience and over 20 years of financial services industry experience. In particular, Stephen ran global security teams and was accountable for Cyber Security, Records Management, Data Privacy and IAM for a global FS institution. He also led IT Security for a derivatives exchange for four years.



Peter Gooch - Partner, Cyber Risk Services, Deloitte

Peter is a Partner in the Cyber Risk Services team, leading the Private Sector across our Cyber portfolio, with a focus on TMT. Peter also leads our Privacy proposition across all sectors in the UK and has 15 years of experience of Privacy and Data Protection engagements. He is a specialist in designing large-scale data privacy programmes for global organisations, focusing on practical solutions that interpret a complex legal challenge.



Suchitra Nair - Director, EMEA Centre for Regulatory Strategy, Deloitte

Suchitra is a Director at the Centre for Regulatory Strategy and leads on technological innovation and regulatory strategy. She has over 15 years’ experience in the financial services sector gained in Audit, Corporate Finance and Risk Advisory teams. Prior to joining the Centre, she led the implementation of large-scale regulatory change projects at international banks.


Valeria Gallo - Manager, EMEA Centre for Regulatory Strategy

Valeria is a Manager in the EMEA Centre for Regulatory Strategy. Her focus is on regulatory initiatives related to payments and FinTech. Valeria joined Deloitte in early 2012 from a global strategy consulting firm where she was the Business Operations Manager for the European financial services practice.



  • Nice and informative post.

    Posted by: Akeo on 04/10/2018
