UK data watchdog draws up plans for 'data protection by design'


The Information Commissioner's Office (ICO) plans to create a "regulatory sandbox" as part of its first-ever technology strategy to help organisations build adequate data protection into their products before they are released.

The scheme forms part of the UK data watchdog's wider Technology Strategy, announced yesterday, which outlines eight priorities for the regulator between now and 2021, including educating both businesses and the public on emerging technologies such as AI and big data.

One of those goals will be the creation of a sandbox that provides a means for organisations to test products and services they produce against the regulatory requirements enforced by the EU's incoming General Data Protection Regulation. The ICO hopes this will allow for "data protection by design", where adequate safeguards can be baked into a product as it's being created.

The sandbox will draw upon an existing model that was deployed by the Financial Conduct Authority in 2016, which allows companies to test products, services, business models, and delivery mechanisms in a controlled environment to ensure consumer protections are in place.

Consultations with the tech industry on the creation of the sandbox are expected to begin later in the year.

The regulator also plans to tackle a lack of internal expertise in the fields proving most disruptive for businesses, committing to reskill and retrain its own employees. Specifically, the ICO wants to develop a better understanding of areas such as cyber security, artificial intelligence, big data, machine learning, and IoT.

This will partly be remedied through the creation of technology apprenticeships at the ICO in partnership with UK universities, and by engaging with tech-focused professional bodies, academics, and industry and public sector networks, according to the regulator.

As part of this initiative, the ICO will create a two-year postdoctoral role looking at the effect of AI on data privacy. It will also establish an annual ICO conference on Data Protection and Technology to help showcase industry innovations, and a "panel of forensic investigators" that will support current regulatory investigations.

The 2018-21 strategy is underpinned by the idea that new technologies should not come at the expense of data protection and privacy rights, according to information commissioner Elizabeth Denham.

"Staying relevant in the context of ever changing technology must become a core component of the ICO's strategic goals, otherwise the ICO will fail to deliver the regulatory outcomes the public expect," said Denham.

The Technology Strategy will support an existing four-year Information Rights Strategic Plan announced in 2017 - an effort to increase public trust in government, public bodies and the private sector when it comes to user data.


Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He is the former managing editor of ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.