UK data protection regulator unveils new three year strategy to ‘safeguard and empower people’

Derek du Preez, July 14, 2022
Under new leadership, the Information Commissioner’s Office has published a comprehensive strategy that details how it will regulate and prioritise its data protection work over the next three years.

The UK’s data protection regulator - the Information Commissioner’s Office - has today published its new three-year plan, which sets out its regulatory priorities and ambitions. The ICO25 document is comprehensive in detail and lays out some clear targets against which to measure success, which is welcome.

The strategy is wide ranging and takes into account issues that range from predatory marketing calls, to the use of algorithms in the benefits system, to the impact of using AI in recruitment. 

The ICO is under new leadership, with John Edwards replacing Elizabeth Denham as Information Commissioner late last year. Edwards previously served as New Zealand’s privacy commissioner, where he was responsible for introducing the country’s 2020 Privacy Act, and today’s strategy gives us a clearer idea of where the organization is headed under his stewardship.

The ICO25 document also comes at a time when the UK is considering its overall approach to data protection regulations outside of the European Union, where it has outlined ambitions to navigate away from GDPR and introduce a new “pro-growth and trusted data regime”. It is expected that the Data Reform Bill will be put before Parliament later this year. 

Speaking at the launch of the ICO25 plan today, Information Commissioner John Edwards said:

Certainty and flexibility remain the two pillars of what I offer to business today, and in how we will support the successful implementation of a new data protection law. Certainty in what the law requires, coupled with a predictable approach to enforcement action, that allows businesses to invest and innovate with confidence. And the flexibility to reduce the cost of compliance.

That support for business and public sector is important in itself, but it is ultimately a means to an end. We help business to help people.


The strategy is worth reading in full, but there are a number of key areas that the ICO is planning to focus on as a priority, particularly as it thinks about safeguarding the most vulnerable. The document states: 

We need to even up the power balance between those who hold our most precious data and the most vulnerable who hand over their data, often with little knowledge of their rights. 

People need confidence in their privacy in order to participate in society – to share their personal information to access innovations and services, confident their information rights will be respected.

That is particularly true of vulnerable groups who have no choice but to share their information with organisations in order to be able to access services and receive the support they crucially need.

Specifically, the ICO has said that it will look at: 

  • AI-driven discrimination - the Commissioner believes that this can have damaging consequences for people’s lives and cites examples such as being rejected for a job or not getting the financial support they’re entitled to. It will also set out its expectations through new guidance for AI developers on ensuring that algorithms treat people and their information fairly. 

  • Biometric technologies - gait analysis, facial recognition, iris scanning and fingerprint scanning are becoming cheaper and more powerful, and the ICO wants to be alert to the risks associated with these tools - especially emotion recognition technologies, which can discriminate against certain vulnerable groups. It will work with industry to set out its expectations on how these technologies should be used and investigate how the technologies are being deployed for any adverse impacts. 

  • Online tracking - the ICO plans to work with government, industry and other regulators to give web users “meaningful control” over how they are tracked online and move away from cookie pop-ups. 

  • CCTV - the regulator will look at how this technology is being used in various settings, in particular the use of CCTV in care homes. Guidance will follow. 

  • Deprivation - the ICO will also have a keen eye on issues that could exacerbate the cost of living crisis, including: how the financial industry use and collect intelligent databases; how algorithms are used within the benefits system; how targeted ads for gambling are used on social media; and how predatory marketing calls and data-enabled scams target vulnerable people online.

  • Personal safety - the regulator will be assessing how police forces collect personal information from victims of rape and serious sexual assault cases, as well as data sharing to prevent domestic homicide and support safeguarding.

Commenting on the ICO’s priorities, Edwards said: 

My most important objective is to safeguard and empower people, by upholding their information rights. Empowering people to confidently share their information to use the products and services that drive our economy and society.

My office will focus our resources where we see data protection issues are disproportionately affecting already vulnerable or disadvantaged groups. The impact that we can have on people’s lives is the measure of our success. This is what modern data protection looks like, and it is what modern regulation looks like.

Additional points

The ICO also recently laid out its revised approach to public sector fines, where it said that money is best used to support the delivery of essential services, and as such, it will work closely with government organizations to ensure money is not diverted away from where it is needed most. The regulator is also going to create a cross-Whitehall Senior Leadership Group with the aim of driving compliance and high standards of information across government. 

The ICO has also said that it will:

  • publish internal data protection and freedom of information training materials

  • create a database of ICO advice provided to organizations and the public

  • produce a range of templates to help organizations develop their own approaches

  • create an ICO moderated platform for organizations to discuss and debate compliance and share information and advice

  • develop a range of ‘data essentials’ training, specifically aimed at SMEs whose involvement with data protection is a by-product of their core activity

  • set up iAdvice to offer early support for innovators

Speaking at the launch today, Edwards said: 

There are few regulators who can say their work is of fundamental importance to the democracy on which society exists. But that is the value of the Freedom of Information Act. My role is to ensure the administration of that law is fit for the modern world.

But to achieve that requires fundamental change. And that change has to start in my office. The proposals I set out today involve trying different approaches. Some may work well, some may not work, some may need tweaking. But it is absolutely clear to me that in a world of increasing demand, and shrinking resources, we simply cannot keep doing what we’ve been doing and expect the system to improve.
