Reflections on six months in the ICO Legal Services Team | Allen & Overy LLP – JDSupra
It’s 1 September 2022 and I’m back at my desk at Allen & Overy having spent the last six months on secondment to the Legal Services team at the UK Information Commissioner’s Office. So how did it go?
A great opportunity
In my seven years at A&O I have spent much of my time advising organisations from small charities to large multinationals on data privacy and cybersecurity compliance. This is alongside my broader role of supporting clients negotiating complex commercial arrangements, or undertaking M&A, often in areas involving new technologies and challenging data privacy and cybersecurity risks.
The opportunity to spend six months in the ICO legal team was one not to be missed. The ICO has had legal secondees before but March 2022 marked the start of a new, regular secondment programme. The ICO workforce has grown exponentially in recent years with the introduction of the GDPR and, as the ICO’s legal team expands, it is great to see the willingness to engage with the private sector and to learn from the lived experiences we have advising clients on the ground.
Unsurprisingly the ICO grapples with many of the same questions as we do in private practice, from the practicalities of achieving true anonymisation and the scope of joint controllership to the challenges posed by Schrems II and many other things. The secondment has given me the opportunity to contribute to the ICO’s work in a number of these areas, bringing a fresh perspective whilst also learning about how the ICO creates policy and delivers guidance on these topics to a wide variety of stakeholders.
A period of change
My time at the ICO coincided with a period of change for UK data protection (“we’ve been in a period of change for the past decade!”, I hear you cry).
These changes come against a backdrop of Brexit and the Covid-19 pandemic, and at the same time as a new Online Safety Bill makes its way through Parliament.
All of this has made it an exciting time to be at the ICO as the organisation prepares for these developments whilst continuing to pivot and upskill to deal with challenges posed by newer technologies such as the use of AI and the processing carried out across the complex Adtech ecosystem. The ICO has also recently consulted on a new Regulatory Action Policy, which will provide an important guide to enforcement activity in the future and help deliver some of the certainty promised by ICO25.
My experience has given me a renewed appreciation of the breadth of important and interesting work the ICO is doing. Whether it is engaging with the Government on the data reforms or working with industry bodies on codes of conduct and certification schemes, the ICO’s work requires consideration of the views of many stakeholders, from businesses large and small, to public authorities and most importantly, the people whose personal data the law seeks to protect. This is done whilst navigating complex public law requirements, responding to consultations from Whitehall and the devolved administrations, and seeking to modernise to ensure it can be an effective regulator in the future.
I was able to see first-hand how the ICO’s Regulatory Sandbox team provide organisations with real practical advice and assurance to help them design innovative new products and technologies in a way that complies with data protection requirements.
The legal team plays an important role in helping the ICO develop policy across the board, no more so than in the field of international data transfers. As well as publishing its template International Data Transfer Agreement earlier this year, and recently updating its guidance on BCRs, the ICO retains an important consultation role as part of the Government’s adequacy assessments.
Much of the privacy work I did in 2021 and early 2022 was spent advising clients on carrying out transfer impact assessments, and working through the practical and legal difficulties of doing so in a way that is both meaningful and defensible in light of the Schrems II case. This remains a huge challenge for businesses and it’s a challenge that the ICO and supervisory authorities across Europe have also had to face. Following its consultation exercise, the ICO is in the process of finalising its transfer risk assessment tool and guidance – you may have seen this previewed at DPPC 2022. Once published, these documents will enable organisations to take a more proportionate and risk-based approach to these assessments, in line with the requirements contemplated by the draft reforms.
Whilst the coming months and years promise further change at the ICO, the secondment programme is here to stay. The next cohort of legal secondees start work on 5 September and for those interested in the programme please keep an eye out on the ICO website for future secondment opportunities.
Meanwhile, the Data Protection team at A&O will continue to monitor the progress of the Data Protection and Digital Information Bill and provide further analysis on the implications in podcasts and blogs as the situation develops.
This content was originally published here.