The new head of the U.K. Information Commissioner’s Office (ICO) wants to bring greater certainty for companies regarding their data compliance needs, especially if the government’s drive to reduce regulatory burdens results in the European Union withdrawing its data adequacy decision.
In his first major speech, Information Commissioner John Edwards told attendees at a conference organized by the International Association of Privacy Professionals on Wednesday that “a streamlined law that more effectively protects people’s rights should not put adequacy at risk,” adding “the proposed reform should not be seen as radical.”
In September, the U.K. Department for Digital, Culture, Media, and Sport opened public consultation on a series of data protection reforms. The strategy seeks to retain the EU’s General Data Protection Regulation (GDPR) as a framework while striking separate data adequacy agreements with the United States, Australia, South Korea, Singapore, Dubai, and Colombia to boost post-Brexit trade.
Edwards said Wednesday the proposed changes will reduce companies’ compliance requirements rather than add to them, and should not lower the level of data protection.
“I struggle to see how the legal protections will be less in Cardiff than is afforded to those in Copenhagen,” he said.
However, Edwards acknowledged, “Ultimately, the decision to grant adequacy rests with the EU.”
If the United Kingdom does proceed with its reforms, Edwards said he wanted to reassure businesses that his focus “is on bringing certainty in what the law requires of you and your organizations and in how the regulator acts.”
More generally, Edwards wants better engagement with businesses, following criticism that the regulator’s response to complaints is “unpredictable.”
He hinted the ICO might review and adopt approaches taken by other regulators that “would offer a way to set out our regulatory position that is quicker and more effective.”
“I am struck by the assurance for positions offered by tax and revenue authorities around the world that allow an organization to say, ‘If I take this approach, how will you treat it?’” said Edwards. “They put their money down, they get an undertaking from the regulator, and they are then able to invest with confidence. Why can’t we do the same thing in privacy?”
In terms of enforcement, Edwards said while he doesn’t have a problem with fines, he believes they “are a slow way to find certainty.”
“Each one takes a great deal of time and resource to put a single stake in the ground, and it takes so many of these stakes to mark out a perimeter that gives certainty on what the law says and how we will apply, interpret, and enforce it,” he said.
So far, just seven GDPR fines have been issued by the ICO, according to the GDPR Enforcement Tracker.
Edwards believes enforcement efforts “must be used with surgical and targeted application.”
“A big fine must serve a broader purpose of bringing certainty to an issue or sector,” he said. “And there must be certainty about why we have chosen to take action.”