‘A Regulator Who Empowers’: The UK’s New Information Commissioner Has a New Action Plan

Karima Noren, former Head of Legal for Emerging Markets at Google and co-founder of the Privacy Compliance Hub, was invited to attend the launch of the ICO25 strategy. She believes it’s a more pragmatic vision of data regulation that should help companies innovate with confidence.

The UK’s newest Information Commissioner, John Edwards, started his speech on 14 July with a story. He’d received an email from someone who’d been the victim of insensitive and intrusive police practices in the aftermath of a traumatic assault. She’d got in touch to say thank you after he published an opinion outlining the changes he wanted to see in relation to how police forces handle personal data. “This is why we do this work,” he added. “This is what modern data protection looks like.”

For the private sector, Edwards has a vision of a regulator that empowers, rather than restrains. There are plans for sector-specific support, proposals to save businesses money, and a pledge to make compliance simpler to achieve. People will be able to “confidently share their information to use the products and services that drive our economy and society,” he said. And organisations will be able to “use information responsibly and confidently to invest and innovate”.

It’s a high bar indeed. Here’s how he plans to do it:  

Focused Efforts

One of the most striking things about the Commissioner’s speech was the acknowledgement of the ICO’s limited capacity. Edwards suggested it needs to focus its efforts, rather than trying to “spread itself too thinly across the whole economy”. In doing so, he plans to target the ICO’s resources where they have the greatest effect, which to me sounded like a mature and pragmatic approach to what the ICO should, and crucially, shouldn’t be doing. Key areas include support for the most vulnerable communities, work on children’s online privacy, addressing AI-driven discrimination and the use of biometric technologies, influencing the future of online tracking and examining how CCTV is being used.

Certainty and Flexibility

The three-year ICO25 strategy is underpinned by that clear statement of intent to empower people and organisations. “Certainty and flexibility remain the two pillars of what I offer to business today, and in how we will support the successful implementation of a new data protection law,” he added. The ICO plans to help businesses innovate responsibly, in part through a new bespoke iAdvice service that will evaluate new products or services before release (making sure they’re not in breach of any privacy laws). There is a trade off of course. If the ICO simplifies compliance by providing certainty, there are no excuses for those who fail to comply. “You will find yourselves on the receiving end of our most punitive regulatory tools,” Edwards added.

Encouraging Growth For All

It was also refreshing to hear how the regulator plans to help companies of all sizes achieve ‘sustainable economic growth’. The strategy document zeroed in further, talking about how the ICO would be “focusing our efforts on those at the cutting edge of innovation or legitimately without in-house support, such as SMEs”. Crucially he promised the ICO would help reduce the cost of compliance. “I’ve challenged the team to save businesses at least £100 million across the next three years,” he said. 

Clear Goals

Edwards willingness to make the ICO itself more open, transparent and accountable really resonated with me. To facilitate that, the ICO25 includes a detailed plan, SMART goals and clear KPIs against which performance can be judged. These include ensuring the ICO helps to build customer confidence in how information is looked after, and that it helps to grow global trade, supports business growth and “reduces burdens on business”.

But while it was a positive step for the ICO, I was disappointed that Edwards didn’t place more emphasis on the need to collaborate with the wider privacy ecosystem, including consultants, campaign groups and other experts. We have the same vision and ambition to fix the privacy crisis by providing businesses with practical tools and guidance. We need to work together to make that a reality.

The ICO25 strategy is open for public consultation until 22 September. Think you could be doing better on privacy? Try our free GDPR health check.  


Karima Noren
Co-Founder, The Privacy Compliance Hub

As the former Head of Legal for Google’s Emerging Markets, Karima Noren has extensive experience implementing compliance programs for companies. She started out at Ashurts in the City, but moved to work with technology companies in 2004. Karima has since founded several companies, including co-founding The Privacy Compliance Hub with Nigel Jones. The Privacy Compliance Hub is a comprehensive privacy, data protection and GDPR solution which tells organisations what to do, how to do it, who should do it and when. The Hub provides organisations with their own private, secure online platform from which organisations can manage privacy, data protection and GDPR compliance and demonstrate that compliance to customers and regulators. Their clients now include Channel 4, Outbrain, GoCardless.