The Information Commissioner’s Office (ICO) has published its Technology Strategy for 2018 to 2021. The Strategy, part of the ICO’s focus on adapting to rapidly developing technologies, outlines eight “technology goals” and the measures that will be implemented to achieve them.

Technology goals

Broadly, these goals include increased technology training for the ICO’s staff and appointment of staff with technology expertise, greater public and industry engagement in terms of the data protection risks posed by technology, and engagement with other regulators internationally. It is apparent from the Strategy that the ICO is placing greater emphasis on adapting to the ever-changing technological environment, through increased engagement and enhancement of its technical expertise and technical solutions.

The ICO also commits to publishing further guidance and reports on the use of data protection design by default. This guidance will be “technically feasible and proportionate” and will likely include analysis of the data protection implications of emerging technologies, such as artificial intelligence (AI) and machine learning.

The ICO also plans to further engage with industry groups and stakeholders by establishing a  “regulatory sandbox” (drawing on the successful sandbox developed by the FCA), with the ambition of fostering a secure environment in which organisations can develop innovative digital products and services.

As part of the ICO’s focus on international engagement, it will also form closer relationships with organisations that are important influencers in developing global technology standards with regards to global privacy risks arising from the application of emerging technologies.

2018–2019 priority areas

The ICO has identified three priority areas that it will focus on in 2018 to 2019; (i) cybersecurity, (ii) AI, big data and machine learning, and (iii) web and cross device tracking. The ICO will likely deploy the majority of its resources to these key areas, with an initial focus on AI, given the ability for AI to impact on private life and shape human behaviours through the manipulation of high volumes of personal data.


The Strategy will extend to 2021 and will be updated annually to reflect the fast-paced developments in technology. It is recommended that companies closely track the development of this Strategy to ensure that they can continue to successfully navigate the more stringent regulatory environment under GDPR. The Strategy’s focus on the principles of data protection design by default is of particular note, and companies should take steps to ensure this principle is embedded into all technology offerings.