ICO’s 2025 Strategic Plan
“Empowering you through information.”
These four words are meant to sum up the ICO’s 2025 strategic plan. They apply to both businesses and the public, reflecting the two clear strands of the plan. The first strand focuses on the public: the ICO wants to improve people’s knowledge of their information rights, widen access to its services through improved diversity and inclusion, and resolve the issues brought to it more quickly. To measure progress against these goals, it has set the following KPIs:
assess and respond to 80% of data protection complaints within 90 days;
assess and respond to 90% of data protection complaints within six months;
ensure that less than 1% of our data protection complaints caseload are over 12 months old;
no complaint cases referred to the Parliamentary and Health Service Ombudsman (PHSO) about the ICO upheld;
investigate and respond to 90% of service complaints within 30 calendar days;
conclude 95% of all formal investigations within 12 months of them starting;
respond to 100% of all information access requests within statutory timescales; and
achieve a customer satisfaction index (CSI) score of 74.
The overarching objective from a business perspective is to reduce costs to businesses and give them the confidence to invest and innovate whilst using information responsibly. Again, the ICO has set fairly detailed KPIs to measure success against this goal:
resolve 80% of written enquiries within seven calendar days;
resolve 99% of written enquiries within 30 calendar days;
answer 80% of calls and live chats within 60 seconds;
refer or close 80% of personal data breach reports within 30 days;
ensure that less than 1% of personal data breach reports are over 12 months old;
ensure 90% of our audit recommendations are accepted in full or in part;
ensure 80% of accepted audit recommendations, in full or in part, are completed or being actioned within agreed timescales; and
respond to 100% of prior consultation submissions within statutory timeframes.
The key commitment from a data controller’s or processor’s point of view is the promise to increase regulatory certainty. To achieve this, the ICO promises to understand the issues faced by businesses, to empathise with them, and to provide tailored advice. As a result, firms should be clearer about the circumstances in which regulatory action could be taken and be able to progress with confidence. A particularly interesting statement for our readers is that the ICO will not take action where firms share data in order to protect vulnerable customers.
It is difficult, though, to see where businesses will feel the cost benefit when you review the ICO’s work-streams for the next 12 months. First up is the creation of an online tool to help data subjects raise a data subject access request (DSAR). Whilst this clearly serves the ICO’s goal of making individuals aware of their data rights, it is also likely to increase the number of DSARs that firms receive and must respond to, and therefore their costs.
On the other hand, the ICO has launched, or plans to launch, a number of initiatives to help reduce the burden on firms. These include:
Free training material to be published online
An improved set of guidance documents online, including a database of ‘one-off’ publications (such as topic-specific guidance) and the development of a ‘guidance pipeline’, including sector-specific guidance, to give firms clarity and certainty about what is coming
A range of off-the-shelf templates
A new forum to discuss data protection questions and points
Continued support for innovators through the ICO’s regulatory sandbox
A range of ‘data essentials’ materials aimed at SMEs.
The 2025 plan then highlights the ICO’s key concerns in relation to data. These include the use of AI and other technologies to make automated decisions about individuals, which could result in discrimination or poorer opportunities for people from some groups. For example, AI is already being used to screen job applications and CVs. In principle the ICO has no issue with this, provided the design of the algorithm does not produce discriminatory outcomes or deny equal opportunities.
Furthermore, a clear ongoing priority is holding firms accountable for data security, both through the accountability principle and through breach reporting. This is aligned with the priorities of the FCA, which has identified cyber security as a major threat to the finance industry and placed it at the heart of its operational resilience requirements. With scrutiny of data protection increasing, firms are reminded of the importance of staying up to date with regulatory developments, especially around operational resilience. The latest developments can be found here, and we have a range of templates to assist with compliance with both the ICO’s priorities and the operational resilience requirements.