Original script may differ from delivered version

Rob Luke's speech at ISBA, 8 March 2017

Introduction

Thank you for that thought-provoking address to set the scene. And thank you for giving me the opportunity to talk about the challenges and opportunities that lie ahead for advertising and data protection.

Future Inspiration, Impact Now

As you will hear, I think the developments in data protection certainly fit the “impact now” element of your conference strapline. I will do my best to offer some inspiration for the future.

At the outset please let me apologise for not being Elizabeth Denham, our Commissioner.

She was looking forward to joining you this morning but was called at relatively short notice to give evidence before a House of Lords Committee looking at the future of data protection.

I think that tells its own story about the extent to which data protection is rising up the public, political and media agenda. I dare say that heightened profile also explains why you have given me the opportunity to be with you this morning.

The Information Commissioner's Office is the independent UK regulator enforcing the laws that govern privacy. If you’re using personal data, we’re here to help you get it right.

It’s a big job. We took almost 200,000 calls on our helpline last year. And we issued more than £1 million of fines to organisations that got it wrong.

I am myself a relative newcomer to the ICO and to data protection. My background is in a different branch of the reputation business: diplomacy.

I spent 16 years as a British diplomat serving overseas in Brasilia, Paris and most recently as High Commissioner to Malta as well as serving in a number of roles at the Foreign & Commonwealth Office in London.

I believe that external perspective leaves me well placed to put myself in the shoes of those sectors and constituencies, like yours, who perhaps see data protection less as an end in itself and more as an important dimension which needs to be factored into how you do business.

The ICO has made it a clear priority to get out and about more, to reach new audiences and to engage with representative organisations like ISBA who can help us reach a whole sector. If we are talking solely to the information rights community we are not doing our job.

I would like to recognise ISBA’s support in raising the profile of data protection. The ICO and ISBA have worked together on previous events to highlight the sector’s interaction with personal information. I’m sure this constructive relationship will continue.

This partnership approach is essential as we adapt to the rapidly changing landscape in which we are all working.

The challenge for the regulator

Fifteen years ago we – that’s you, the advertisers, and me, the ICO – would probably never have met.

You certainly didn’t need to think about data protection law when you bought advertising space during the break in Coronation Street.

I don’t need to tell you that the speed at which technology has changed has been phenomenal. You see it every day when you’re making decisions about your digital campaigns, profiling and marketing spend.

We feel it too. As regulators we have to adapt fast to keep pace with evolving technology. And of course the laws that govern data protection need to evolve too.

Companies today are using data in ways that were unimaginable when the current law – the Data Protection Act – was being drafted.

We’re talking about an era of no Google. No Facebook. Clunky desktop computers with less processing power than we all now have in our pockets.

An era when we all sat down at the same time to watch our favourite TV programmes and by default the adverts in between.

Now new technologies and algorithms are already drilling down to identify your audiences and customers. Programmatic trading can deliver your adverts to those customers more accurately and faster than ever.

The TV in the corner of the living room now collects personal information about the people watching it.

Indeed Vizio, a US company, has had to change the way it deals with privacy and pay a huge fine after it collected data from millions of TVs without the consent of owners.

And media coverage this morning again features the question of whether TVs or other connected devices could be used to eavesdrop or gather information about their users. Any such use would engage data protection and privacy concerns and would require a clear legal basis. We track this issue closely.

A new generation is largely abandoning traditional TV and consuming its content through YouTube and via mobiles and tablets.

If the past is any guide, these new technologies throw up issues which the legislation hasn’t foreseen.

That’s a challenge for us as the regulator, but it’s also a challenge for businesses who want to – and who have to – comply with the law.

As Elizabeth Denham has repeated publicly, we’re all going to have to change how we think about data protection.

New legislation

Not least because the laws are changing. For those of you not already aware, in May 2018 we’ll have new data protection legislation, which will apply both here in the UK and across the EU.

The General Data Protection Regulation – GDPR – builds on the previous legislation, but provides more protections for consumers and more privacy considerations for organisations. It puts an onus on businesses to change their mindset on data protection.

The GDPR gives consumers more control over their data. Consumers and citizens have stronger rights to be informed about how organisations use their personal data.

They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it.

And they’ll have the brand new right to data portability: to obtain and port their personal data for their own purposes across different services.

The GDPR will include new obligations for organisations. Businesses will have to report data breaches posing a risk to individuals to us at the ICO, and in some cases to the individuals affected.

The GDPR sets a high standard as it relates to an individual’s consent to the processing of their personal data.

It means giving individuals genuine choice and ongoing control over how you use their data. You will need to think hard about what this means in practice for your consent mechanisms.

You will need clear and more granular opt-in methods, good records of consent, and simple easy-to-access ways for people to withdraw consent.

The changes reflect a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away.

Accountability

Arguably the biggest change under GDPR is around accountability.

The new legislation creates an obligation for companies to understand the risks that they create for others, and to mitigate those risks.

It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that mainstreams privacy considerations throughout your organisation.

The GDPR mandates organisations to put in place comprehensive but proportionate governance measures.

Good practice tools that the ICO has championed for a long time – such as privacy impact assessments and ensuring privacy by design – are now legally required in certain circumstances.

This shift in approach is what consumers expect. The benefit for organisations is not just compliance but also an opportunity to develop the trust of their consumers in a sustained way.

Making it matter to the boardroom

Let me be clear: this is an issue for the boardroom. That’s why ISBA asked me to speak to you today and that’s a message I would like you to take back to your own boards tomorrow.

By all means draw attention to the big stick. The GDPR gives regulators greater enforcement powers. If an organisation can’t demonstrate that good data protection is a cornerstone of its business policy and practices, it is leaving itself open to enforcement action that can damage its public reputation and its financial bottom line.

For the most serious violations of the law, the ICO will have the power to fine companies up to twenty million euros or four per cent of a company’s total annual worldwide turnover for the preceding year. It’s a big stick.

But I think it would be short-sighted to view data protection solely as a risk to be mitigated and the ICO as a regulator not to fall foul of.

Instead I urge you to view data protection as an opportunity to be seized. Seized by companies looking to build a level of trust with their customers that helps deliver competitive advantage.

Get data protection right, and you can see a real business benefit.

Accountability as a business benefit

It’s clear some businesses will thrive in this changing environment. They’ll be the ones that look at this whole issue through the eyes of their customers.

To meet the challenges I’ve described, we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.

Not just because it’s the law, but because it’s part of basic good business practice, like honest pricing or good customer service.

Corporate social responsibility

In my own mind I compare this to the evolution we’ve seen in the Corporate Social Responsibility space.

We’ve moved from a culture where many companies would see a nod to CSR as a nice extra for the annual report, to one where some companies are redesigning their whole supply chains and business practices to ensure the highest standards of sustainability and social responsibility.

And they’re reaping the rewards of that: building a deeper relationship of trust with customers and staff, and thriving financially.

I can see data protection transforming business models in the same way.

Having access to people’s personal information means you have to act with great responsibility. The main focus of the GDPR is about one thing above all: giving people control over their own data.

That’s the same message we’re delivering to businesses and organisations across the board.

The subject of data protection, and hence the role of the ICO, is increasingly pertinent to many debates in modern society.

For example, as you may have seen, we are conducting an assessment of the wider data protection risks arising from the use of data analytics, including for political purposes, and will be publicising our findings later in the year.

Conclusion

So in the spirit of offering inspiration for the future: what can you do next?

Well, that depends on your existing level of knowledge and preparedness.

If you’re new to GDPR, don’t panic but do focus. The first thing to remember is that if you are complying properly with the current law, then most of your approach to compliance will remain valid under the GDPR.

But there are new responsibilities and additional action you need to take. A good starting point for getting a handle on things is the ICO’s ‘12 steps to take now’ guidance [available through the conference app].

If you already have some knowledge of GDPR and our 12 steps, I encourage you to move on to our ‘Overview of GDPR’ document [again available through the conference app] which explains the similarities to the existing Data Protection Act and describes some of the new and different requirements.

And if you feel like you and your organisation are already well on the way to getting to grips with all this, great. That means you’re well placed to spread the message to others and to give us your expert feedback.

For example, a draft of our GDPR consent guidance – our third item on the conference app – is out for consultation now and we’re looking to you to submit your ideas before 31 March.

We are also planning to publish some of our thinking on the GDPR ‘profiling’ provisions and will be asking for feedback. We’ll use the information to help contribute to the guidance produced at EU level by the Article 29 Working Party planned for publication later in 2017.

GDPR has been my focus today but I should flag up one other piece of European legislation which is in the works.

The draft ePrivacy Regulation is still being debated at European level but, for example, a default for all consumer marketing to be opt-in is in the current draft.

The stated intention is for the final law to sit alongside the GDPR so it is another element to track closely and about which we can all expect to hear more soon.

I would like to thank you once again for your warm welcome this morning. Thank you to ISBA for its valuable focus on the rapidly developing area of data protection.

I hope I’ve given a snapshot of some of the issues you as members will want to focus on. I will be around until this afternoon so if you have a burning question please do approach me during one of the breaks.

My closing message is this: in an increasingly digital future, misusing personal data will be the quickest and surest way to erode your company’s, and indeed your industry’s, relationship of trust with your customers and partners.

Handling personal data right will build and consolidate that trust and for those companies who do it best, it will be a key factor in your success.

Thank you.