Among the many topics discussed at the IAPP U.K. Intensive were the data protection reforms brought on by the Data (Use and Access) Act. Notable among the changes is the U.K. Information Commissioner's Office taking on structural reform, transforming from a corporation sole to a board-governed body.

During his Intensive keynote address 25 Feb., ICO Commissioner John Edwards highlighted this upcoming change, saying he will become chair until he completes his term at the end of 2026. ICO Chief Executive Officer Paul Arnold, in a later fireside chat, offered a rundown of the operational changes that will take place for the agency. 

Arnold is an ICO veteran, having worked at the office for 28 years. "There have been six commissioners," he said, "and I've worked for five of them." He discussed the changes while wearing a sharp, black set of smart glasses for the visually impaired. 

Key changes

As a corporation sole, all the regulatory power goes to the commissioner. But over the years, Arnold said, data protection has matured and grown more complex, placing more responsibilities on one single person. 

"I've seen how that role functions," he said. "The idea that all of those responsibilities are vested in one human being is almost preposterous when you say it out loud." 

The new Information Commission, replete with a CEO, chair and board, will parallel the structure of other U.K. regulators, including the Office of Communications, Financial Conduct Authority, and Competition and Markets Authority. A new chair will be recruited after Edwards' term ends. The incoming board will be publicly appointed, and Arnold will serve as chief executive, leading the operational decision-making. 

Why the changes?

Arnold said the incoming board model will provide more continuity, which avoids what he calls the "cliff edge" a DPA experiences when a commissioner's term ends. The new structure will also promote more robust governance and offer more diverse perspectives from the board. Board terms will be staggered to help ensure ongoing stability, he said. 

Chair vs. CEO and timeline

In the new structure, the board and chair will own the long-term strategy and decide what responsibilities will stay with the board and what gets delegated. As CEO, Arnold will be responsible for executing the board's strategy throughout the organization. 

Though there is not yet a set timeline, Arnold suggested that the U.K. government will confirm the final transition date "within weeks." When that happens, Edwards morphs from commissioner to chair. Then, new non-executive directors will be appointed to the board, and Arnold will continue as CEO. He noted that he was previously appointed into this position in advance to help build the new structure and ensure continuity.

Arnold said the reform addresses the need for more diverse perspectives, not just demographically, but in terms of cognitive diversity, as well. The increasing complexity and societal relevance of data protection with the rise of digital technology and artificial intelligence call for a more "stable, strategic regulatory voice."

Core themes and regulatory approach

With the "ICO25" strategy reaching expiration this year, Arnold shared some of the core themes and approach the Information Commission will take. They include promoting trust and responsible data use, enabling innovation and bolstering the public's confidence in how data is used. Additionally, the commission will work in partnership with industry, citizenry and other regulators, while offering clearer guidance about what the law requires, allows and prohibits. 

Arnold said it will be important for the agency to enable innovation and not just police it. Part of that work, particularly for SMEs, will be through the launch of "Data Essentials," which aims to help small businesses understand their legal requirements while also explaining what the law permits.

"We believe most organizations are responsible," he said. "We want to help them use data confidently, not be paralyzed by risk aversion." 

The Information Commission will also be more transparent about why it intervenes in cases. It will balance an approach that enables innovation while enforcing against criminal and bad actors, according to Arnold.

The commission will also offer a full spectrum of tools, including clear guidance, sandboxes, more engagement and enforcement when needed. Arnold also suggested it will prioritize "upstream interventions" to help prevent harm in addition to targeted enforcement. "We make the biggest impact when we invest upstream to prevent harm — but not at the expense of taking action when things go wrong."

Arnold was also careful to point out that there will not be any major day-to-day changes in how organizations engage with the commission, at least in the near term. The reform will not directly affect casework or interactions either.

Technology and AI: Regulating through use

Arnold said it will be important for the commission to use modern technologies, such as AI, internally in order to regulate them credibly. On a personal note, he explained that modern technology has profoundly transformed his own ability to work and participate in his profession. Earlier in his career, he needed "a whole kind of extra real estate in terms of assistive tech … Now I do a day's work with the phone in my pocket, the iPad in my hand and the specs on my face."

For the commission, he said it is adopting AI internally, responsibly and transparently. Part of the reasoning is that doing so strengthens its understanding of the real-world risks and benefits, as well as use cases.

"We published our internal AI use guidance because we wanted to be completely transparent," he said. "We're using this technology, and managing the risks by using it responsibly." 

Arnold also discussed the nonbinary nature of privacy. "It's not about saying technology is good or bad," he said. "It's about understanding the intended use, the risk, and how they can be mitigated so benefits can be realized safely." 

Arnold added, "It's no longer possible to be an effective privacy regulator by standing on the sidelines saying, 'Don't forget about privacy.' We have to be in the conversation."

Jedidiah Bracy is the editorial director for the IAPP.