International
Strategy
2017-2021
Information Commissioner’s Office


2
Version 1
July 2017


International Strategy 2017-2021
To effectively protect the UK public’s personal information in a digital global
environment, the ICO needs to co-operate and act internationally. This
International Strategy seeks to enhance privacy protection for the UK public.
Recognising that the ICO needs to be agile in an ever-changing world, it will be
regularly reviewed and updated in response to new challenges and opportunities.
This international strategy supports our 2017 Information Rights Strategic Plan.
Part one sets out the main challenges we face and their associated priorities.
Part two covers ICO structure and resourcing, engagement and evaluation.
Part one: Challenges and priorities
Challenge 1: To operate as an effective and influential data
protection authority at European level while the UK remains a
member of the EU and when the UK has left the EU, or during
any transitional period.

As the UK prepares to leave the EU, the formal relationship between the ICO and
EU data protection authorities will change. Our relationship with our EU partners
will remain highly important, including with the European Data Protection Board
(EDPB) which will operate from May 2018 and on which the ICO will remain
active and engaged until the UK’s exit. In overseeing the enforcement of the
General Data Protection Regulation (GDPR) from 2018, and issuing guidance, the
EDPB will be a highly influential global player in setting the direction for data
protection and privacy standards.
The strategy recognises that our direction on many of these challenges will often
be driven by the outcome of the negotiations between the UK and the EU. Our
priorities are designed to be compatible with a range of scenarios and enable the
ICO to respond flexibly to different circumstances.
In 2017, the Secretary of State, Karen Bradley, and the UK Minister responsible
for the digital economy, Matthew Hancock, made several statements to
Parliament declaring the UK Government’s commitment to comprehensively


3
Version 1
July 2017
implementing GDPR, as planned, in 2018. The June 2017 Queen’s Speech
included a commitment to introduce a Data Protection Bill:
“To implement the General Data Protection Regulation and
the new Directive which applies to law enforcement data
processing, meeting our obligations while we remain an EU
member state and helping to put the UK in the best position
to maintain our ability to share data with other EU member
states and internationally after we leave the EU.”
Our strategy presumes that GDPR will also be assumed into UK law before exit
to ensure there is continuity and certainty about UK law afterwards.
The ICO recognises the importance of the UK retaining a high standard of data
protection and data protection as a fundamental right. Our strategy recognises
the possible role of EU laws and the Council of Europe in this after Brexit,
directly or indirectly.
Challenge 1: priorities

To meet this first challenge we have identified three priorities in order to
implement GDPR and to ensure we can collaborate with European Data
Protection Authorities.
1.1 Expert advice to the UK government
We will provide expert advice to the UK Government on the data
protection implications of leaving the EU, in particular about the ICO’s
relationship with the EDPB.
1.2 Strong engagement with the Article 29 Working Party and EDPB
 We will continue to work as a full member of the Article 29 Working Party
which consists of the independent data protection authorities of member
states of the EU - and as part of the EDPB from 2018, until the UK exits
the EU.
 Recognising that our role may be in shaped by the Brexit negotiations, we
will seek to maintain a strong working relationship with the EDPB when
the UK exits the EU. We will also seek to strengthen bilateral relationships
with individual EU data protection authorities where appropriate.




4
Version 1
July 2017
1.3 Wider European engagement
 In addition to the Article 29 Working Party and the EDPB, We will continue
to engage with other European groups of data protection authorities.
 We will seek to engage with the Council of Europe, to explore the role of
Convention 108 as a data protection standard.
 We will seek to engage with specialist EU working groups that consider
data protection related to law-enforcement data sharing, recognising that
our role will be shaped by the Brexit negotiations.
 Where relevant and appropriate, we will maintain an active dialogue with
Members of the European Parliament.
Challenge 2: Maximising the ICO’s relevance and delivery
against its objectives in an increasingly globalised world with
rapid growth of online technologies.

In the last 20 years the ICO has built a reputation as an influential and
respected data protection authority internationally. Information rights regulation,
and in particular data protection regulation, has an increasingly international
dimension. Effective protection of the UK public's personal information becomes
increasingly complex and less visible as data flows across borders so the UK
needs a regulator with greater global reach and influence. Our approach will also
recognise the economic and social benefits to the UK of having influence in a
globally connected world and digital economy.
Challenge 2: priorities

To meet this second challenge we have identified the following priorities:
2.1 Global relationships
 We will continue to engage with leading international privacy networks
and explore relationships with networks where we have not engaged
previously, for example in the Asia Pacific region.
 We will continue to develop stronger links with data protection authorities
in Commonwealth countries via our leadership of the Common Thread
Network. This will support and build capacity with other data protection
authorities, increasing opportunities for international collaboration,
particularly with emerging or fast-developing economies.


5
Version 1
July 2017
 Where opportunities exist to develop new networks that will meet our
strategic priorities, and not duplicate other networks, we will take the
initiative to lead their development.
 We will prioritise international engagement on issues related to global
privacy risks arising from the application of new technologies.
2.2 Enforcement
 We will continue to play a leading role in joined up, efficient and effective
international enforcement co-operation mechanisms that can lead to
better enforcement of data protection compliance in the UK.
 We will invest in bi-lateral relationships, including enforcement co-
operation, with the most strategically important economies and data
protection/privacy authorities globally.
2.3 Knowledge exchange, guidance and standards
 We will explore new links with international bodies and regulatory
networks that do not focus on data protection but have an important
influence on developing global standards that affect data protection.
To promote knowledge exchange in priority areas, we will seek to develop
new relationships with think tanks, academic and civil society networks.
The ICO’s new Grants Programme, launched in 2017, will be open to such
bodies.
2.4 Freedom of Information
 We will share information and knowledge with other independent bodies
responsible for enforcing and promoting freedom of information laws. We
will support work to identify common standards for freedom of information
laws and progressive transparency.
 We will support work to develop a regular European Information
Commissioners’ conference and collaborate on projects of common
interest, such as the transparency of outsourced public services.
Challenge 3: Ensuring that UK data protection law and practice
is a benchmark for high global standards.

The ICO has benefited from its status as a European Data Protection Authority
and a data protection regulator with over 30 years’ experience. It is vital that
the UK retains a high standard of data protection law to provide effective
safeguards for the public in practice. To enable the ICO to be recognised as a


6
Version 1
July 2017
leading regulatory partner, and to enable international data flows, UK data
protection needs to continue to be recognised as a globally leading standard.
Internationally, data protection and privacy laws are converging and the UK
needs to keep pace with these developments.
Challenge 3: priorities

To meet this challenge we have identified the following priorities:
3.1 Collaborate
 We will collaborate with the international business community and other
stakeholders to support work to turn the GDPR’s accountability principles
into a robust but flexible global solution.
 We will continue to take part in international work to promote global data
protection standards and the long-term aim of a global data protection
and privacy agreement or treaty.
Challenge 4: Addressing the uncertainty of the legal
protections for international data flows to and from the EU,
and beyond, including adequacy.

Global data flows are central to the digital economy. Ensuring there are effective
safeguards for data transferred internationally continues to be important in
effective data protection.
Challenge 4: priorities

To meet this challenge we have identified the following priority:
4.1 Protecting personal data flows
 We will provide expert advice to the UK Government and Parliament on
international data flows.
 We will seek to explore the concept of the UK as a ‘global data protection
gateway’ – a country with a high standard of data protection law which is
effectively interoperable with different legal systems that protect
international flows of personal data.
 We will work to ensure that personal data transferred from the UK to third
countries continues to be adequately protected.


7
Version 1
July 2017
 We will support work to develop new mechanisms to enable international
transfers, such as codes of conduct and certification under the GDPR.
 We will support the development of mechanisms to support better
interoperability between the UK’s data protection laws and other systems
such as the APEC Cross Border Privacy Rules (CBPR).
Part two – ICO structure and resourcing,
engagement and evaluation
1. ICO structure
1.1 We will establish a new International Strategy and Intelligence
Department, creating an ICO department with international activity as
its core focus for the first time.
1.2 We will add new resources to our international team to support the
delivery of the strategy.
1.3 We will explore the possibility of further staff exchanges and
secondments with other data protection authorities and relevant
international organisations.
1.4 We will embed stronger links with international work in relevant ICO
projects and cross-office working.
2. Engagement
2.1 As well as meetings that cover our essential international obligations
we will seek to prioritise attendance at meetings and events that meet
this strategy’s objectives.
2.2 We will bid to host the International Conference of Data Protection and
Privacy Commissioners, promoting the potential of the UK as a global
data protection gateway, with a high standard of data protection law
and practice.
2.3
Jointly with the Scottish Information Commissioner, we will host the
2017 International Conference of Information Commissioners in
Manchester (focused on Freedom of Information).
2.4 We will host the 2017 European data protection case handling
workshop and Global Privacy Enforcement Network (GPEN)
practitioners’ workshop.


8
Version 1
July 2017
2.5 We will seek to agree revised or new agreements with key data
protection and privacy enforcement authorities globally. This will
enhance reciprocal enforcement capabilities and information exchange
2.6 We will seek to promote ICO guidance to global audiences, and seek
their feedback, particularly in areas related to technology and
accountability.
2.7 We will develop and maintain a new international stakeholder mapping
to guide how we prioritise our work.
3. Measurement and evaluation
3.1 We will develop a reporting mechanism that evaluates the value of our
international activities and links to relevant departmental business
plans.
3.2 We will also include a dedicated section in the Information
Commissioner’s annual report reporting against this International
Strategy.