The ICO publishes its three-year strategy

This week the ICO published its strategic plan for the next three years in a document called ICO25.


The ICO’s three-year plan sets out the specific focus of the public body. We have summarised some key areas below that we expect will see greater development, guidance and enforcement.

In addition to the broad objectives, the ICO25 sets up a programme of annual priorities. It will be interesting to see how these develop and whether there will be much change in subsequent years. Whilst the ICO’s focus until October 2023 covers a variety of areas, we have set out some of the key ones for businesses below:

Subject Access Requests – The ICO wants to create a new subject access request tool. This will generate template requests for individuals that can be sent to businesses accompanied by additional guidance and support from the ICO. Whilst this should help in ensuring subject access requests are more consistent, businesses may be concerned that this tool will lead to an increase in the number of such requests they receive.

Children’s Privacy – This continues to be a major concern for the ICO and it wants to push further changes around age gating for social media platforms, media and music streaming sites and gaming platforms. It also wants to continue its enforcement of the Children’s Code and align it with any changes required by the Online Safety Bill (though we note that this bill is currently on hold until a new Prime Minister is appointed).

Safeguarding the Most Vulnerable – This is a broad area of focus that covers several potential issues, but the general principle is the ICO wants to ensure that technological change does not unduly affect certain groups. Some of the areas of concern are:

  • how AI tools can drive discrimination, particularly in the field of recruitment;
  • how the deployment of technologies such as facial recognition and iris scanning can adversely impact vulnerable groups; and
  • considering how other issues are aggravating, or are aggravated by, the current cost-of-living crisis, in particular the use of adtech for gambling on social media and predatory marketing calls.

The ICO25 was not clear in all instances how it intends to deal with these issues in practice, but it commits the ICO to engaging with various stakeholders to develop controls and guidance.

Interestingly, international transfers of personal data do not appear to be a focus for the ICO over the coming year (other than some minor points about improving the BCR application process and advising Parliament on potential adequacy decisions). This is particularly interesting as it remains a hot topic in Europe, where the impact of Schrems II is still being felt and a new “Privacy Shield 2.0” governing transfers to the US was announced earlier in the year.

ICO25 is open for consultation until 22 September and it will be followed by a programme explaining the changes the ICO will make to meet the targets on a quarterly basis.