Elizabeth Denham's keynote speech, screened at the Direct Marketing Association's Data Protection 2018 event on Friday 23 February in London
I hope you’re all enjoying the conference. It’s certainly good to be back again – even if it is only virtually!
I am currently in Wilmslow with my team preparing for an unexpected parliamentary appearance. It is complex and important and I need to give it my full attention.
But I am with you in spirit.
It’s the third year the ICO has spoken at this event. I rather feel we have become a fixture.
When I addressed you last year, I spoke of the many changes that had happened since Christopher Graham, my predecessor, spoke to you the year before that.
So now I find myself looking back again – what’s changed since I was last here? There are still challenges, yes, but even as 25 May gallops towards us, I sense a more settled mood.
I think that’s because the changes in the last year have been significant.
Organisations – your organisations – are well underway with GDPR preparations and the new law should now seem less daunting.
Some organisations are beginning to embrace the GDPR. Seeing it for the opportunities it presents rather than the perceived barriers it throws up.
Our “I love GDPR” campaign that we ran on Valentine’s Day to mark 100 days until the GDPR demonstrated that data protection reforms are now being supported where once they were resisted.
Resources for organisations
We have played our part. My series of myth-busting blogs set the record straight on issues such as consent and fines. We published our Guide to the GDPR to start building up a library of guidance that is authoritative, accurate and accessible.
That guidance is coming out thick and fast.
And we’ve of course recognised that organisations with 250 staff or less face particular problems in understanding their obligations under the new law.
Targeted resources, including sector-specific FAQs and a dedicated helpline are our answer to that call. Fifteen hundred calls, to be exact. Every week. And rising.
We will continue to help. We will soon publish an overview – a roadmap - of the Data Protection Bill in response to feedback that it was complex and confusing.
And next month we’ll be publishing tools aimed at micro businesses – organisations employing less than ten people – who we know are feeling overwhelmed by the task in front of them.
What will be of most interest to you in this room is our work with the DMA to help produce a Direct Marketing Guide. We have provided input and feedback into sections on accountability and essentials of the GDPR and will continue to work with them. And, of course, our own Direct Marketing Code of Practice is still in the pipeline.
Change is inevitable
Change is coming. It is inevitable. Progress, however, is optional.
So, I’m looking around the room and wondering where you’re at. This time last year – whether you were in this room, following the conference on Twitter or just getting on with your day job – do you feel you’ve moved on? Has your mindset shifted?
We at the ICO have certainly changed. And we’re progressing.
My office is working in a new age of data protection. This government and others around the world fully recognise that personal data is the fuel that powers so much of what makes our economy, our home life, our public services function.
The UK is already a leader in this space – it’s one of the things that attracted me to this job – and this year the government made crystal clear its intention that we retain our world-class status and that the UK is the safest place to be online.
I speak in the main about the GDPR. But that’s just part of the picture. The Data Protection Bill brings the GDPR into UK law and tackles some of the details over which we have discretion. And Brexit, of course. My office is fully engaged with government and others about proper protection for consumers, certainty for businesses and strong, independent oversight of the law.
And that’s not all. You have to add in the law enforcement directive, which sets out how we’ll tackle crime across borders and the NIS directive, which sets out reporting rules for organisations that suffer a cyber attack.
And, of course, the one you’ll all be waiting for, the e-privacy regulation which sets out rules for direct marketing via phone, text and email.
Detail of the e-privacy regulation is still being debated, but a default for all consumer marketing to be opt-in is in the current draft.
Until the e-privacy regulation comes into force, PECR will sit along side the GDPR.
That means electronic marketing will require consent. Yes, there is potential to use legitmate interests as a legal basis for processing in some circumstances, but you must be confident that you can rely on it.
It seems to me that a lot of energy and effort is being spent on trying to find a way to avoid consent. That energy and effort would be much better spent establishing informed, active, unambiguous consent.
You say you will lose customers. I say you will have better engagement with them and be better able to direct more targeted marketing to them. You will have complete confidence that your customers have given informed consent.
In total, my office regulates around a dozen pieces of legislation. That’s all quite a challenge for the regulator. A challenge I accept.
I am strengthening my team in both number and expertise and we’re moving the ICO to a place where we can deliver our new responsibilities and obligations to organisations and, most importantly the public. More of that later.
Last month the Treasury provided my office with pay flexibility for the next three years. This is an essential upgrade which should allow us to attract and retain the brightest and the best. It will enable me to retain expert staff and attract new technologists, lawyers and auditors.
And we have launched an active secondment programme which has brought an influx of new talent into my office often paid by sponsoring organisations.
We are getting busier and the momentum is quickening. We’re expecting more of everything. More complaints as people become better informed of their rights, more breach reports because the law requires it in high risk cases and greater engagement as organisations turn to us for advice.
Regulatory Action Policy
You will know by now that, while I am never afraid to use the stick in the cupboard, I prefer the carrot.
Education, engagement, encouragement, – they all come before enforcement.
I have said many times that we are a pragmatic regulator and that hefty fines will be reserved for those who wilfully or persistently flout the law.
This is a good time to walk you through the principles of our new regulatory action policy.
The policy sets out how we envisage discharging our regulatory powers as the range and strength of those powers escalates.
We’ll be presenting it in full at our annual Data Protection Practitioners Conference on 9 April.
But I can let you have a few headlines now.
Our policy emphasises, of course, the ICO’s commitment to lead implementation and oversight of the GDPR and other data protection reforms. It sets out our commitment to exploring innovative and technologically agile ways of protecting privacy, strengthening transparency and accountability and protecting the public in a digital world.
It sets out our approach to help create a regulatory environment where data subjects are protected and businesses are able to operate and innovate efficiently in a digital age. These two must go hand in hand –privacy and innovation.
Support, education and guidance is at the heart of our regulation, but it is backed up by tough action where obligations are not met or ignored.
We will consider each case on its own merits, as you would expect, but generally, the more serious, high-impact, deliberate, wilful or repeated breaches can expect the most robust response.
We will also reserve our strongest sanctions for breaches involving novel, technological approaches that present a high degree of intrusion into people’s privacy.
There is an international element, of course – data knows no borders - and liaising with other data protection regulators around the world and sharing information to help investigations is key.
And we’ll continue to work with other regulators and agencies – the National Cyber Security Centre, The National Crime Agency, sector and consumer regulators to name a few.
This is our policy, but it is not set in stone. We will continue to work with others and keep it under review to ensure its continued effectiveness.
Relationship with the DMA
Enough about us. What about you?
Well, I know more about you than you may think. The ICO has forged a strong relationship with the DMA and it has brought your concerns and comments direct to my door.
The DMA plays an important role in driving good practice with marketers – it is influential and well-connected.
In the last year I have met with Mark Runucus board chair, but also had several productive meetings with Chris Combemale and John Mitchison.
Many of you will have engaged with my staff individually or through forums like the British Retail Consortium or the Internet Advertising Bureau.
Our links to you through the DMA give me a special insight into what keeps you awake at night. Consent vs legitimate interest as I’ve already mentioned, legacy data, profiling. And into what you are prioritising. Updating your privacy policies, getting breach reporting in place.
It heartens me that the data protection reforms are on your mind. Because that means you care.
Caring about the public
Maybe you care about complying with the law. But I hope – I believe – you also care about the public. About treating your customers fairly, being transparent and, ultimately earning their trust and confidence.
Because the way personal data can be used to improve, ease and enrich our lives is a wonder.
Data is vital in the modern world. It matters to organisations and it should matter to the people that own it. And that’s not you, by the way. Or anyone else. Personal data is just that – personal.
The new individuals’ rights set out in the GDPR reflect that truth. And my own priorities as set out in my Information Rights Strategic Plan reflect that too. Goal 1 – increase public trust and confidence in the way personal data is handled.
That’s why people are at the heart of everything that we do. I know they are at the heart of what you do too.
The GDPR gives people new rights. In total, there are eight individual rights and, together, they give people choices about how their data is used, shared and stored.
But if people don’t know they have these rights, how will they exercise them? And if they remain uninformed, will companies play fast and loose with the law, knowing they are unlikely to be tested?
Like us, I suspect other EU regulators are concentrating on ensuring organisations are prepared but the ICO has not forgotten the public.
If you consider that each person has a data relationship with around 100 organisations, you can imagine the sheer volume of educational material that they could be drowning under.
And those businesses and organisations are duplicating effort because they are tackling the same issues of awareness and understanding.
There is an alternative. And that’s for UK organisations, public and private alike, to take a collaborative approach and work together with the ICO to develop baseline educational messages about data protection reform for UK citizens. Messages that will help raise awareness but also increase trust in a data driven world.
And we have done just that.
Public information campaign
In October last year I wrote to a number of organisations to invite participation and support in taking a collaborative approach. I am delighted to report that the response was extremely positive and work has been progressing at pace with true cross sector participation to get messages and materials prepared that you can refer to or use directly in your own communication activities.
Rachel Aldighieri, Managing Director here at the DMA, and Fedelma Good from PwC are keenly involved in this initiative and they will join Rob Parker, my head of communications on a panel later this morning to explain in more detail. I hope you will be inspired to jump on the bandwagon.
So I’ve spoken a lot about change. Progress. Growth. How we all need to do things differently to meet the requirements of data protection reforms. But that you have to take the people with you.
This is change. This is change for the good.