As the Internet of Things rises, the UK’s Information Commissioner’s Office (ICO) has published its first technology strategy. The document outlines an eight-point, four-year programme for handling both the opportunities and risks of digitisation.
The UK government has placed new technology at the heart of its new industrial strategy, with digital now the fastest-growing area of the economy, according to Information Commissioner Elizabeth Denham.
For example, this week the government launched the Office for AI and the new Sector Deal for AI, and it recently announced the establishment of the Centre for Data Ethics and Innovation.
Changes in technology were one of the key drivers in reforming European data protection laws, leading to the introduction of the General Data Protection Regulation (GDPR) in May 2018, says Denham.
“The GDPR contains new provisions to better regulate the risks arising from technology, including data protection by design and data protection impact assessments. These advances need not come at the expense of data protection and privacy rights,” she explains.
The ICO’s approach to technology will be underpinned by the concept that privacy and innovation are not mutually exclusive.
“When they both work together, this creates true trust and data confidence. Technology is therefore viewed by the ICO as both a risk and an opportunity.”
This is why the ICO has published its Technology Strategy 2018-2021. The document sets out eight goals for the organisation, which upholds information rights in the public interest.
The new goals cover not only the organisation’s internal policies, but also how it plans to use its place at the heart of the UK’s data landscape to help organisations succeed – and to inform the public.
The ICO’s eight technology goals are:
To ensure effective education and awareness for ICO staff on technology issues
“We will develop training programmes for ICO staff to develop their technical knowledge and understanding at a level appropriate to their role,” says the ICO. “This training will aim to develop core knowledge of how essential technologies work, and further learning on new and emerging technologies.”
To provide effective guidance to organisations about how to address data protection risks arising from technology
“As well as developing guidance to support the technology priority areas we have identified, we will update our existing technology guidance to reflect the requirements of the new provisions in the GDPR, the Directive on security of Networks and Information Systems (NIS), and ePrivacy regulation,” says the ICO.
“We will promote the use of data protection design by default, and demonstrate how these contribute to the UK economy and growth. We will also write new guidance about these provisions in the GDPR. Guidance and compliance advice provided by the ICO will be technically feasible and proportionate.”
The ICO says it plans to publish an annual report on the “lessons learned” from the cyber breaches reported to the ICO, and on the technology issues emerging from Data Protection Impact Assessments.
“We will keep organisations informed about emerging risks and opportunities arising from technology in an appropriate and timely manner,” it adds.
To ensure the public receives effective information about data protection risks arising from technology
“We will write new content for the ICO website to ensure that we keep individuals informed about emerging risks and opportunities arising from technology in an appropriate and timely manner,” promises the ICO.
In addition, the ICO says it will develop new partnerships to broaden its messages to the public, about both the data protection risks and the opportunities arising from new technology. “We will seek to amplify messages and key information from trusted partners, such as the National Cyber Security Centre (NCSC),” it adds.
“We will ensure that the outputs from our GDPR Consumer Messages Project can be tailored and used to provide information about how GDPR rights interact with mainstream and new technologies.”
To facilitate new research into data protection risks and data protection by design
“We will draw on high-quality internal and independent external research and expertise that is relevant to our technology priority areas to develop a comprehensive understanding of these technologies,” says the ICO.
The ICO adds that it will deploy business intelligence (BI) to understand new areas of public concern and address frequently asked questions. It will also “carry out research and investigations into new and emerging technologies in order to inform our future priority areas,” it says.
To recruit and retain staff with technology expertise to support delivery of the strategy
“In line with the ICO’s strategic approach, we will use secondees from external organisations to complement and support our established technology team,” says the organisation. “We will also explore the possibility of establishing technology apprenticeships at the ICO, working with relevant universities and other education partners.”
The ICO adds that it will establish a panel of forensic investigators to support its regulatory work.
To establish new partnerships to support knowledge exchange with external experts
“We will develop a new stakeholder engagement map focused on technology,” says the ICO.
It continues: “The ICO will seek to engage with the following communities to develop stronger or new partnerships: Professional bodies focused on technology; academic technology networks and university departments focused on technology; public sector technology networks; and industry bodies focused on technology.
“We will work with cross-sector bodies to embed data protection by design in emerging standards. And we will establish Technology Fellowships for post-doctoral experts to enable us to increase our in-house advice and expertise on technology priority areas.”
The ICO says that its first appointment will be in a two-year post-doctoral role to investigate and research the impact of AI on data privacy, encompassing big data and machine learning.
“We will revise and reconstitute our technology reference panel with new terms of reference to ensure we receive expert advice and strategic insight into emerging technologies,” it continues.
“We will develop a new ‘call for evidence’ process to enable us to receive insight into the data protection risks and opportunities posed by different technologies. We will also hold expert roundtables on each of the priority areas.”
Also on the agenda will be a new annual conference on Data Protection and Technology.
To engage with other regulators, international networks and standards bodies
“The ICO’s international strategy sets out the goals for international activity,” says the report. “It makes clear that the ICO will prioritise international engagement on issues related to global privacy risks arising from the application of new technologies.”
The ICO adds that it will also explore new links with international bodies, and with regulatory networks that don’t focus on data protection themselves, but have an important influence on developing global technology standards that affect data protection.
To engage with organisations in a safe and controlled environment to understand and explore innovative technology
“We will establish a ‘regulatory sandbox’, drawing on the successful sandbox process that the Financial Conduct Authority has developed,” says the ICO.
The ICO sandbox will “enable organisations to develop innovative digital products and services, while engaging with the regulator, ensuring that appropriate protections and safeguards are in place,” it says.
As part of the sandbox process, the ICO will provide advice on mitigating risks and data protection by design.
Internet of Business says
Data protection by design is the strong theme in the ICO’s new technology strategy, and it is one that lies at the core of GDPR, too.
For IoT specialists in particular, this is an important message: data protection, privacy, and cybersecurity should not be afterthoughts in smart, connected, data-gathering systems. As Denham says, innovation and privacy are not mutually exclusive concepts.