Since becoming U.K. Information Commissioner Jan. 4, John Edwards has been busy. Near the end of that month, he announced a major listening tour, complete with a series of events across the U.K. in order to hear directly from businesses, organizations and individuals about their experiences with the Information Commissioner's Office. It comes at a busy time for data protection regulation in the region, as the U.K. considers an update to the UK General Data Protection Regulation and adjusts to a post-Brexit relationship with the EU.
In his first major public speech as the U.K. commissioner, held here in London at the IAPP Data Protection Intensive: UK, Edwards was clear with his message: "I want to reassure you that my focus is on bringing certainty in what the law requires of you and your organizations, and in how the regulator acts. And certainty, too, for people of what their rights are."
Indeed, there is much discussion about the U.K. government's reforms of the UK GDPR. Last fall, the U.K. Department for Digital, Culture, Media and Sport opened a public consultation on a series of data protection reforms. The wide-ranging consultation considered data protection officer requirements, data subject access requests, data protection assessments, among others. (A deeper dive on the proposed reforms can be found here.)
"From the day my appointment was confirmed," Edwards said, "people, ministers, parliamentarians and journalists were asking me what my priorities were, what I was going to do in my first 100 days. I thought it was a bit presumptuous to arrive here from a different jurisdiction with different laws and cultural traditions and start pronouncing on solutions and fixes for a system I was unfamiliar with."
Edwards, who is from New Zealand and previously served as its privacy commissioner, wanted to assuage concerns about uncertainty in the data protection space. "The proposed reform should not be seen as radical. And while there is always a cost in moving from one regulation to the next, there is nothing in what is proposed that imposes additional burdens on businesses. If anything, I can see a clear intention to reduce regulatory burden, in order to create a streamlined law that more effectively protects people's rights."
He added: "My undertaking to you is that once parliament has decided on the appropriate regulation, we at the ICO will devote ourselves to ensuring that the transition is seamless, and as painless as possible."
Naturally, any reforms to the UK GDPR potentially puts the region's adequacy agreement with the EU at risk. But Edwards wanted to mitigate concerns here, as well. "Given DCMS have committed to high standards, I struggle to see how the legal protections will be less in Cardiff than is afforded to those in Copenhagen."
The ICO also plans to provide its three-year plan, which it's calling ICO25, "setting our values, aspirations and priorities" later in the year.
Edwards offered some feedback from his listening tour, including the need for improved guidance afforded to groups of people who may not know their rights, including migrants, victims of sexual assault and non-English speaking communities.
He also said organizations want more certainty on how the ICO will respond to complaints.
In response, Edwards said he's looking at the "assurance for positions offered by tax and revenue authorities" in which organizations can ask their regulators, "'If I take this approach, how will you treat it?' The response is a binding ruling that gives an organization the certainty to put their money down and invest in an innovation." Though the ICO currently has a version of this with its Sandbox, Edwards said, "I'd like to explore whether we can offer broader assurance advice," thereby offering a "quicker and more effective (regulatory position) than relying on ex-post enforcement."
The other significant subject top of mind for Edwards is the role fines play in enforcement.
Though he said they have a role to play, "fines are a slow way to find certainty." Instead, Edwards said, "The view I am forming is that our significant enforcement efforts must be used with surgical and targeted application."
In addition to his prepared speech, Edwards took questions from the audience and directly answered concerns that the DPO requirement may be softened in the U.K. government reforms. Though he is unsure what will happen with the proposal, he doesn't believe making DPOs non-mandatory "will change incentives within organizations to de-prioritize data protection," adding that "the importance of the role will endure regardless of the regulatory approach of the law reforms."
Ultimately, Edwards said he wants people to see "an ICO that is agile and curious," and as a regulator "that moves fast and fixes things."
John Edwards (@JCE_IC) reflects on his first speech as Information Commissioner at this morning's @PrivacyPros event.
— ICO - Information Commissioner's Office (@ICOnews) March 23, 2022
?Watch below to hear his thoughts on his listening tour so far.
To learn more about the listening tour: https://t.co/bCXvyGJh5i#DPI22 pic.twitter.com/asjYkqrkRf