The UK’s data watchdog has vowed to shift away from simply hitting companies with big fines for breaching data privacy rules and instead will look to adopt a more preventative approach.
John Edwards, head of the Information Commissioner’s Office, said today that he will focus on preventing data breaches from happening in the first place by making the UK’s privacy laws clearer.
The New Zealander, who started his five-year stint as the UK’s Information Commissioner in January 2022, vowed to stop the “money-go-round” by turning away from simply fining companies.
Edwards said he will not seek to match EU regulators in racking up a “stack of fines” as he advocated for taking a “bold” approach to regulation.
“It’s less spectacular but more effective to prevent those harms at the start than it is to go around and beat people up afterwards and fine them into insolvency,” Edwards said.
Speaking at law firm CMS’ London headquarters, Edwards set out plans to provide clear guidance on the UK’s data laws, as he warned that uncertainty has an “enormous cost on the economy”.
Edwards pledged to shift the ICO’s focus away from simply imposing financial penalties on businesses as he set out plans to transform the watchdog into the “effective, modern, empowering regulator we want it to be”.
The ICO chief noted that investigations into data breaches are currently a “really significant investment” for the UK’s privacy regulator.
He warned that focusing on punishing breaches rather than preventing them from happening is a “really inefficient way of regulating.”
Edwards noted that lawyers have profited from the lack of clarity around the UK’s data laws as he suggested the “uncertainty… plays to [law firms’] advantage”.
However, the regulatory chief told lawyers sitting in the audience: “I’m not going to eat your lunch”.
Instead, Edwards said his goal is to “provide certainty and clarity as to the law”.
The ICO chief’s comments come as the UK pushes forward with efforts to overhaul its data regime, following Britain’s exit from the European Union.
The UK faces a challenge in striking the balance between diverging from EU rules whilst ensuring it retains its ‘data adequacy’ status.
In setting out a new regulatory regime, Edwards vowed to “work alongside organisations to help them achieve their objectives.”
Edwards, however, sought to assuage concerns that there will be a radical shake-up of data privacy rules.
“I’m not here to be the architect of the deconstruction of the data protection framework,” Edwards said.