On 8 October 2024 the Information Commissioner's Office (ICO) held its annual Data Protection Practitioners' Conference.
It was an opportunity for nearly 6,000 data protection professionals to come together to hear about the ICO’s recent, current, and future work. This article discusses the key takeaways from the conference and some of the updates that your organisation needs to be aware of.
The keynote speech from Information Commissioner John Edwards highlighted the ICO’s key message this year, which is that organisations that wish to deploy AI in their business for either internal or external purposes must do so safely. To ensure safe AI deployment, the ICO stressed the importance of undertaking appropriate risk assessments, such as data protection impact assessments, and effective stress testing before development and/or deployment.
Whilst the ICO recognises that quantum computers are still at a relatively early stage of development, the ICO stressed the importance of preparing for the quantum age. This is because quantum computers will be able to cause serious data protection concerns due to their ability to break widely used cryptographic algorithms that protect our data. Given that all organisations process personal data, albeit to varying degrees, quantum computers pose a serious threat to the security of this processing.
However, the ICO acknowledged that it's mainly large organisations, particularly in sectors such as digital service providers and financial institutions, which should commence serious preparations at this stage. For example, these organisations should prepare by identifying and reviewing at-risk information, systems, and cryptography and also through keeping cybersecurity policies up-to-date. For more information on this, please see the ICO’s recent blog post which can be found here.
On the topic of cybersecurity, the ICO reiterated its importance and encouraged organisations to prepare their people, and not just their technology. By this, the ICO means that building strong relationships with your IT team and increasing cybersecurity awareness and literacy across the business can go a long way towards avoiding and mitigating cyber incidents.
The ICO also stressed the importance of taking simple but effective steps to avoid incidents, such as implementing two-factor authentication and putting strong passwords in place. The ICO also encouraged organisations to obtain Cyber Essentials and Cyber Essentials Plus certifications, and where possible to contract only with suppliers who also hold these certifications. This is because, whilst suppliers may often refuse to engage with your cyber risk assessments, if they hold a Cyber Essentials certification you at least know that they have been engaging with the security process as a whole.
The ICO has launched its new audit framework which is designed to help organisations assess their own compliance with key requirements under data protection law. The framework is aimed at larger organisations, and the ICO suggests that SMEs should still focus on the existing resources in their web hub and their self-assessment toolkit. The aim of the new framework is to 'empower organisations to identify necessary steps to improve their data protection practices and create a culture of compliance'.
The new framework extends the ICO’s existing Accountability Framework by providing nine toolkits covering:
Helpfully, each individual toolkit has a downloadable data protection audit tracker which will help you conduct your own assessment of compliance, allowing you to track the actions you need to take to improve compliance in certain areas. Trackers of this sort are a useful way to demonstrate accountability, which is one of the key principles under UK data protection law.
If you would like help applying the new audit framework to your organisation or if you have any queries to help you comply with your obligations under UK data protection law, please get in touch with our privacy and data team.