Context
Context
John Edwards, UK Information Commissioner, made a speech at the ICO’s annual Data Protection Practitioners’ Conference. The agenda included practical insights from both guest speakers and ICO experts. Achievements of women in science, technology, engineering and maths were celebrated and the keynote speaker was Ivana Bartoletti, co-founder of the Women Leading in AI network and expert in all things AI, privacy and trust.
Key points to note and next actions
Excerpts from the speech included the following:
On AI and Cybercrime:
“Nearly 10 per cent of the world’s adult population is now thought to use it and more than half the people in the UK have used or regularly use a chatbot or LLM.”
“If you follow our work closely, you’ll be aware of our focus on AI, biometrics and other emerging technologies this year. If used responsibly and with proper oversight, AI has huge potential to improve how we do our jobs and meet the public’s needs. Only yesterday, the Government launched its new initiative to upskill all civil servants with AI training. We’re adopting a similar approach at the ICO too, looking at how AI and automation can support our processes and improve the services we provide.
Businesses also need to be agile to respond to the growing threat of cybercrime. Recent headlines are a timely reminder that cyber-attacks can happen to any organisation. They can happen to yours too. You are already a target – you can’t change that. What you can change is the likelihood that an attack will succeed. Data Protection Officers are often not responsible or solely responsible for cybersecurity. But it is more important than it has ever been for you to be working hand in glove with your information security teams. Why not seek them out after today?
Ask them some practical questions: Have we deployed multi-factor authentication everywhere it is available, or at least at the parts of the organisation with greatest access rights? Are we scanning for vulnerabilities regularly and comprehensively? Have we installed the latest security patch? Do we have metering to monitor data outflows? Can I get a regular update from our Chief Information Security Officer? What about the basics? Have we enrolled for the NCSC’s Cyber Essentials?
You will soon get a sense of whether your organisation has invested in the fundamentals, or whether this needs to be an immediate priority.”
On the ICO and their work:
“My office has responded at speed to the Data (Use and Access) Act and its changes to the law.”
“This will be the last DPPC we deliver as the ICO. From April 2026, we will be the Information Commission.
You shouldn’t notice much difference as we transition to our new governance structure. We’ll still be here to help you, providing the same certainty and support via our guidance, advice and services. You will have started to see our new DUAA guidance that explains exactly what the changes mean for your organisation. Our teams are working hard to get the most important guidance out as quickly as possible – such as on international data transfers and automated decision making.”
“We have consultations open until the end of the month on complaints and recognised legitimate interests, so please do share your views and help shape our guidance.“
“Over the past year, the ICO has been using all the regulatory tools available to us – producing guidance and advice, engaging with companies, conducting audits, taking enforcement action with fines, reprimands and warnings, and leading criminal prosecutions. This has led to a raft of positive and timely outcomes for the public, whether that’s making the online world safer for young people with our Children’s Code, securing assurances from police forces on facial recognition technology or ensuring tech companies address our concerns before launching new products and services in the UK.“