Elizabeth Denham's speech at the National Cyber Security Centre's CYBERUK 2018 event, Manchester Central, 12 April 2018.
If I seem a little comfortable in this spot, it’s perhaps because only three days ago I was right here welcoming people to our 2018 data protection practitioner conference.
Why we are here
Data security and data privacy have always been linked. Privacy depends on security.
All modern data protection principles include an obligation to protect personal data. And security has been recognised in every significant codification of data protection, including the current Data Protection Act and the upcoming EU General Data Protection Regulation.
But the pace and scale of the UK digital economy, combined with the new legislation, is reshaping the digital landscape in which my office operates. Over the past year, my office has increased its focus on cyber security, to the extent that we now view it as the spine running through all of our work.
So before I talk about the cyber security community – the focus of today’s conference - I want to share my thoughts about the current data protection landscape, as it relates to everything cyber.
Data protection and cyber security
I hope I am not being optimistic when I say that everyone in this room is aware of the seismic changes taking place in the realm of data protection at the moment.
Of course, there is the GDPR, coming in just a few weeks, and the Data Protection Bill that sits alongside the GDPR and tackles some of the details over which the UK has discretion. Add to that the law enforcement directive, which applies to police and other competent authorities about how we’ll tackle crime, the revised e-privacy regulation, which sets out rules for electronic direct marketing and, of course the NIS directive under which the ICO is the competent authority for the UK for digital service providers. That’s quite a list.
The new data protection reforms can be summarised in three main areas - transparency, control and accountability.
The law requires you to be transparent and tell people what you will do with their data.
You then have to stick to what you said.
This is the strengthened part of the law: you should be prepared to account to your customers and the regulator for what you have done.
The new legislation also makes “data protection by design” a legal requirement, as well as the use of data protection impact assessments.
The ICO has promoted privacy by design for years, and there’s plenty of guidance on our website. But in this context it means building data privacy and security into every part of your information processing, from the hardware and software to the procedures, guidelines, standards, and policies that your organisation has or should have.
And remember: security is a boardroom-level issue. We have seen too many major breaches where companies process data in a technical context, but security gets precious little airtime at board meetings.
If left solely to the technology teams, security will fail through lack of attention and investment. These companies may have the best policies in the world – but if those policies are not enforced, and personal data sits on unpatched systems with unmanaged levels of employee access, then a breach is just waiting to happen
We understand that there will be attempts to breach your systems. We fully accept that cyberattacks are a criminal act.
But we also believe you need to take steps to protect yourself against the criminals. The malicious kid in his bedroom who hacks into your system just because he or she can. Or the opportunist thief who understands the value of the data you hold and knows how to get their hands on it.
Had Talk Talk and Carphone Warehouse implemented rudimentary protections attackers would not have gained access to their systems. If NHS systems had been patched and up to date, they would have been protected from WannaCry.
Don’t just shut the door. Lock it. Then check the locks. And be mindful about who you allow to have a key.
My Deputy Commissioner for Operations James Dipple-Johnstone addressed this conference yesterday with more practical details.
Building a community - or communities
But today’s conference is called “building the cyber security community”.
So I would like to discuss that, with one caveat: where you say community, I say communities.
We play an active role in building and maintaining four equally important communities of practice and interest.
And I am going to talk about each of them in turn.
The international community - how we work with other countries
Cyber threats can come from anywhere in the world, and we work hard to enhance privacy protection for the UK public, no matter where the source of those threats.
In the European Union, we co-operate across all areas, including activities related to the internal market; justice, freedom and security; and police and judicial co-operation.
The ICO is part of the EU’s Article 29 Working Party on data protection matters, and we supervise and support data protection in a variety of contexts, including law enforcement, customs and immigration.
And whilst the final legal relationship between the EU and the UK is one for the politicians, there is no doubt that achieving a treaty arrangement or an adequacy decision with the EU represents the simplest way of ensuring the continued frictionless flow of data between the EU and the UK.
And there is equally no doubt that having domestic laws that achieve a high standard of data protection and are broadly consistent with EU ones will be a significant advantage.
We also build and maintain networks and partnerships around the world, from multinational action groups (such as UCENet – 27 countries working together to tackle unsolicited marketing messages) to regular information exchanges and joint research.
The UK protective community - how we work with other regulators and official bodies
Taking a step closer to home: as I said before, we have a role to play in the Government’s commitment to making the UK as the safest place to be online.
But there is no sole authority for cyber issues in the UK. As the UK’s independent data protection regulator, we work alongside the National Cyber Security Centre, the NCA’s Cyber Crime Centre, DCMS, Action Fraud and other agencies as and when appropriate.
Of course, to be effective we need to coalesce and form agile, multi-disciplinary partnerships. Which is why we are developing co-working practices and, where appropriate, memoranda of understanding with these organisations.
We are aligning our playbooks and testing them through the national exercises. We are co-ordinating our communications, guidance and incident responses with them, so that we can respond to large-scale data breaches appropriately.
For example, the NCSC co-ordinated the national response to the Equifax breach, and the ICO was involved as the regulator. But for Uber we lead the co-ordination and the NCSC acted as technical advisor.
And of course, anyone who heard James Dipple-Johnstone’s speech here yesterday knows that we set out the GDPR security outcomes from the cyber incentives review with NCSC and DCMS.
Government and regulatory bodies are working together in a way which, I believe, is unmatched anywhere in the world.
We believe this partnership, bringing cyber-security agencies and those who uphold information rights, serves the public.
The UK business community - how we work with you
Coming even closer to home, I now want to talk about how we work with you: the businesses and organisations of the UK.
We want to empower you to take ownership in finding the right approach and the right balance between cyber and data rights. We want to recognise these who have significantly influenced their organisation, culturally and practically.
At our conference this week it was my great honour to award our first ever ICO practitioner award for excellence in data protection.
The award recognises the increasingly vital role played by professionals working in the sector, and the winner was Esther Watt, Data Protection Officer (DPO) at North Kesteven Council in Lincolnshire, who was chosen by an independent panel of five judges from more than 100 nominations.
As I’ve already said, the government is committed to making the UK the safest place to be online.
But keeping individuals safe online shouldn’t invoke panic in terms of your obligations. I have spent a lot of the last year busting some data protection myths, and reassuring organisations that our approach as a regulator is not to fetter innovation, whilst making sure it’s still hard for criminals and chancers to thrive online.
My office appreciates the challenges you are working under today because we face the same challenges.
Budgets are tight, technology is moving fast and there’s a race to keep up with competitors. But data protection law needn’t be onerous if you adopt privacy by design and sound cyber security at the outset of your projects.
One of the myths I have worked hardest to dispel is around data breach reporting under the GDPR.
You probably know this by now, but it’s always worth repeating: you will NOT need to report every single personal data breach to the ICO.
But you will have to report a personal data breach if it’s likely to result in a risk to people’s rights and freedoms. And you must do that within 72 hours of discovering it.
You should all by now be developing a sense of what constitutes a serious incident in the context of your data and your own customers. You also need to consider whether a breach triggers notice, not just to the ICO, but to affected individuals as well.
We have taken steps to make reporting a breach simple, effective and efficient. Call our breach reporting line and you’ll get a human response – and our focus will be on working with you, and bringing in whoever else we need to involve, to help you make the right decisions in those crucial first few days.
Tell it all, tell it fast, and tell the truth. Work with us and you will find the ICO to be a proactive and reasonable regulator.
As a proactive regulator, we recognise that innovation is essential in the digital economy. We are establishing a ‘regulatory sandbox’, for you to develop innovative digital products and services, whilst engaging with us to make sure the right safeguards are in place.
As part of the sandbox process we will advise you on mitigating risks and data protection by design. The sandbox is in the development stages to be launched in 2019.
Our internal community - and yours
And finally there’s an often overlooked, but utterly essential community: our own people.
As a modern regulator in a technological environment it is our duty to continually invest in our technology and staff. You have a right to expect us to stay relevant in the context of a dynamic digital world.
We agree: which is why upskilling our staff is now a core component of the ICO’s strategic goals. Through our information rights strategy and our new technology strategy, we are aiming to build a new cohort of in-house experts, by:
- Developing new technology training programmes for our staff.
- Introducing an ICO apprenticeship scheme, focussing on cyber security.
- Expanding our in-house laboratory.
- And as I have a captive audience I want to push this one: running a secondment scheme, offering your colleagues the chance to learn valuable new skills and to experience life in a different context. More on that on our website.
Digital economy is the fastest growing area of the UK economy. But, whilst new technologies bring new opportunities, it’s the people designing, creating and managing them that count.
Low-tech breaches are frustratingly common in our enforcement work. So many of the breaches we investigate are down to human error.
And it’s here that building your internal community can really pay off.
Your data protection officer, your chief technology officer, and your chief information security officers should never be strangers. They may not be BFFs but they need to get along and respect one another’s briefs. Cyber-security is a team sport. Your board should approach every decision with an awareness of its impact on the security of your technology and information assets.
And if you build internal coalitions with privacy and security at their heart, then you will have taken an enormous step towards being the trusted leaders of the future.
Regardless of our focus today, let’s remember why we’re doing this – people. Increasing the public’s trust and confidence in the way their data is handled.
This is a priority for me and my office I hope – I know – this is a priority for you.
The revelations of recent weeks involving Facebook and Cambridge Analytica and others have been a wake-up call. People care about what happens to their data.
Defending their information from attack is your battle – it must be one you are prepared to fight.