Why Fintechs should welcome a pragmatic approach to privacy
Karima Noren, former Head of Legal for Emerging Markets at Google and co-founder of the Privacy Compliance Hub, was invited to attend the launch of the Information Commissioner’s Office’s new ICO25 strategy last week. Here Karima shares her views on how a more pragmatic approach to data regulation could help fast-growing FinTech businesses — and their customers.
You may have missed the Information Commissioner’s big new announcement last week. I don’t blame you if so — a record-breaking heatwave, rampant inflation and the hunt for a Prime Minister certainly provided stiff competition for column inches.
But while the launch of the ICO’s new vision fell below the radar of most Fleet Street hacks, it did contain plenty of food for thought for the FinTech sector. The good news is… it’s mainly good news. Sector-specific support plans to save businesses money, a pledge to make compliance simpler to achieve, plus the launch of innovation aids were all among the announcements made at Woburn House. And while the hand-picked audience of 100+ may have contained some sceptics, I was quietly impressed with the way the regulator plans to tailor its approach to provide protection and certainty to both people and businesses.
Here are some of the key takeaways about ICO25:
Balancing idealism with pragmatism
While the draft ICO25 strategy unveiled many laudable aims, perhaps the most striking thing about Commissioner John Edwards’ speech was the acknowledgment of the ICO’s limited capacity. Edwards suggested it needs to focus its efforts, rather than trying to do everything for everyone all at the same time. He acknowledged the presence of “trade-offs” and the danger of the ICO “spreading itself too thinly across the whole economy”. He suggested his organisation will now target its resources where they have the greatest effect, which to me sounded like a mature and pragmatic approach to what the ICO should, and crucially, shouldn’t be doing.
Personal and corporate empowerment
The three-year ICO25 strategy is underpinned by a clear statement of intent: “I want – we all want – a regulator who empowers.” Mr Edwards outlined how he’d like the ICO to “empower organisations to use information responsibly and confidently to invest and innovate,” and added: “Certainty and flexibility remain the two pillars of what I offer to business today, and in how we will support the successful implementation of a new data protection law.” Throughout there was an understanding that the ICO should be helping businesses to innovate responsibly — including via new bespoke iAdvice that will help organisations go to market with the certainty that they will not be in breach of any privacy laws. There is a trade-off, of course. If the ICO simplifies compliance by providing certainty, there are no excuses for those who fail to comply. Mr Edwards certainly had a message for those who “choose not to play by the rules … you will find yourselves on the receiving end of our most punitive regulatory tools”.
Growth and innovation
It was also refreshing to hear how the regulator plans to aid ‘sustainable economic growth’ through information, alongside its role in keeping everyone in line. Mr Edwards vowed: “We will empower your organisation to confidently invest in responsible information use,” and: “You’ll see us support responsible innovation, bring down the cost of compliance, engage with organisations and share our knowledge and insight more.” The strategy document zeroed in further, talking about how the ICO would be “focusing our efforts on those at the cutting edge of innovation or legitimately without in-house support, such as SMEs”, which sounds ideal for the FinTech scale-up sector. Crucially he promised the ICO would help reduce the cost of compliance. “I’ve challenged the team to save businesses at least £100 million across the next three years,” he said.
Another piece that resonated with me was the willingness to make the ICO itself more open, transparent and accountable. ICO25 includes a detailed game plan for achieving its aims, but also crucially SMART goals and clear KPIs against which the ICO’s performance can be judged. These include ensuring the ICO helps to build customer confidence in how information is looked after, and that it helps to grow global trade, supports business growth, and “reduces burdens on business”.
It was great to see a growth-focused, grown-up approach to ensuring better information practices. But I would have liked to see more emphasis on involving the entire privacy ecosystem, including consultants, suppliers, and experts. The ICO acknowledged that its resources are scarce and need to be deployed where they’re most needed. It knows that it would be wise to partner itself with organisations like the Privacy Compliance Hub that have the same vision. We can – and must – all play our part in fixing the privacy crisis by providing businesses with practical tools and guidance to nurture a culture of continuous compliance. In the fast-moving FinTech industry, where innovation and trust underpin success, this is surely the only way forward.