In his first public address as UK Information Commissioner, Edwards offers certainty in uncertain times
Since becoming UK Information Commissioner on January 4, John Edwards has been very busy. Towards the end of this month he announced a major listening tour, complemented by a series of events across the UK to hear directly from companies, organizations and individuals about their experiences with the Office. of the Information Commissioner. It comes at a busy time for data protection regulation in the region, as the UK considers an update to the UK’s General Data Protection Regulation and adjusts to a post-Brexit relationship with the EU. EU.
In his first major public address as UK Commissioner, held here in London at the IAPP Data Protection Intensive: UK, Edwards was clear with his message: “I want to reassure you that my aim is to bring certainty about what the law requires of you and your organizations, and how the regulator operates, and certainty, too, for people of what their rights are.
Indeed, there is a lot of talk about the UK government’s GDPR reforms. Last autumn, the UK Department for Digital, Culture, Media and Sport opened a public consultation on a series of data protection reforms. The extensive consultation covered data protection officer requirements, data subject access requests, data protection assessments, among others. (A deeper dive on the proposed reforms can be found here.)
“From the day my appointment was confirmed,” Edwards said, “people, ministers, parliamentarians and journalists were asking me what my priorities were, what I was going to do in my first 100 days. it was a bit presumptuous to come here from a different jurisdiction with different laws and cultural traditions and start arguing about solutions and fixes for a system that I was unfamiliar with.”
Edwards, who is from New Zealand and formerly its privacy commissioner, wanted to allay concerns about uncertainty in the data protection space. “The proposed reform should not be seen as radical. And while there is always a cost to moving from one regulation to another, there is nothing in what is proposed that imposes additional burdens on On the contrary, I see a clear intention to reduce the regulatory burden, in order to create a streamlined law that more effectively protects the rights of individuals.”
He added: “My commitment to you is that once Parliament decides on the appropriate regulations, we at the ICO will devote ourselves to ensuring that the transition is seamless and as painless as possible.”
Naturally, any reform of the UK’s GDPR potentially jeopardizes the region’s adequacy agreement with the EU. But Edwards also wanted to ease concerns here. “Given that DCMS is committed to high standards, I find it hard to see how the legal protections will be less in Cardiff than those afforded in Copenhagen.”
The ICO also plans to deliver its three-year plan, which it calls ICO25, “setting out our values, aspirations and priorities” later in the year.
Edwards shared his comments on his listening tour, including the need to improve the advice offered to groups of people who may not know their rights, including migrants, victims of sexual assault and non-English speaking communities.
He also said organizations want more certainty on how the ICO will respond to complaints.
In response, Edwards said he was looking at “assurance for positions offered by revenue and tax authorities” in which organizations can ask their regulators, “‘If I take this approach, how are you going to deal with it? ?’ The answer is a binding decision that gives an organization the certainty to set aside its money and invest in an innovation.” Although the ICO currently has a version of this with its Sandbox, Edwards said, “I would like to explore if we can offer broader insurance guidance,” offering a “faster and more effective regulatory position than s ‘Press ex-post enforcement.’
The other important topic that Edwards is most concerned about is the role that fines play in law enforcement.
Although he said they have a role to play, “fines are a slow way to find certainty.” Instead, Edwards said, “The view I form is that our extensive enforcement efforts must be used with surgical and targeted application.”
In addition to his prepared speech, Edwards took questions from the audience and directly addressed concerns that the DPO requirement could be relaxed in UK government reforms. While he’s not sure what will happen with the proposal, he doesn’t think making DPDs non-mandatory “will change the incentives within organizations to not prioritize data protection” , adding that “the importance of the role will endure regardless of the regulatory approach to legislative reforms.”
Ultimately, Edwards said he wanted people to see “a nimble and curious ICO” and as a regulator “that moves quickly and fixes things.”
📺Watch below to hear his thoughts on his listening tour so far.
— ICO – Office of the Information Commissioner (@ICOnews) March 23, 2022