Original script may differ from delivered version
Elizabeth Denham’s speech at the Data Protection Practitioners’ Conference on 9 April 2018.
Good morning to you all - eight hundred here in the room and thousands more watching our live stream.
This is our eleventh annual Data Protection Practitioners’ Conference and I want to extend a special thank you to all the organising committee and ICO volunteers that make this event possible.
Robert Parker, head of communications, as well as David Dutton and Rashana Vigerstaff – you have worked your magic again.
We have a great agenda planned – make the most of it and learn as much as you can. From our expert speakers but also from each other. A friend of mine said to me many years ago that an important part of any conference is getting to know people in the same field of endeavour. Sage advice.
So it’s been an eventful few weeks.
You know the saying – may you live in interesting times. That could be a blessing or a curse – wishing that the intended’s life be inflicted with danger and chaos or, as I prefer, opportunity and challenge.
However you choose to look at it, these are, indeed, interesting times. And it’s interesting times that provide impetus for change.
It’s been hard to miss the exposé of Cambridge Analytica’s alleged use of personal data in election campaigns including information gathered from Facebook.
It’s worth remembering that this is one part of our larger investigation into the use of personal data analytics for political purposes by political campaigns, parties, social media companies and others.
Our enquiries involve 30 organisations and, as has been reported, we’re investigating Cambridge Analytica, Aggregate IQ and, since February, Facebook when concerns were heightened.
Our investigation will be measured, thorough and independent and only when we reach our conclusions based on the evidence will we decide if enforcement action is warranted.
The investigation is ongoing and it would not be appropriate for me to make further comment, other than to acknowledge that I welcome the focus on data rights for citizens and consumers in the centre of public discussion and debate.
One thing is certain. The dramatic revelations of the last few weeks are a game changer in data protection.
Suddenly everyone is paying attention. The media, the public, parliament, the whole darn planet it seems.
Data in your hands
So let me tell you this as someone who has worked in the field of data protection for over 20 years: there has never been a more important time to be involved in data protection.
The work we do – that you do – to ensure that organisations are fair, transparent and accountable and that they earn the trust and confidence of their customers, clients or citizens is important.
Because – although you wouldn’t know it to pick up a newspaper right now – the proper use of personal data can achieve remarkable things. It can improve, ease and enrich our lives.
The work you do allows that to happen. And it must still happen. Now, more than ever, your role of data protection practitioner is not just as a guardian of privacy but as an ambassador for the appropriate use of personal data in line with the law.
Ultimately it is up to regulators to take action against those that disregard the law. But you all have a role to play in advocating the correct use of personal data in a world where it powers so much of what makes our economy, our home life, and our public services function.
I hope that the speakers you hear today, the sessions you attend and the fellow practitioners you meet will help you do your jobs even better. Your work is important. Your work is interesting!
As if it wasn’t interesting enough with the GDPR a mere 46 days away! 33 working days.
Two years ago, my predecessor Christopher Graham unveiled our “12 steps to take now” graphic designed to help organisations begin their preparations for the GDPR.
That graphic, which we updated last year, remains the most downloaded on our website. But we’ve come a long way since then.
The GDPR is a work in progress for us as I am sure it is for many of you - but we’re making sure we respond to what we hear you need.
That’s why we launched targeted resources for small and medium sized businesses including a dedicated helpline that’s taking two thousand five hundred calls a week.
We’ve provided a whole suite of resources on our website – Our Guide to the GDPR is the place to find guidance that is, as you would expect of the ICO, accurate, authoritative and accessible. It’s been accessed more than 2.5 million times.
You’ll also find interactive toolkits, handy checklists and sector-specific FAQs based on real queries received by our customer contact team.
We’ve also begun a series of podcasts – the first answered some myth-busting blog questions and the latest is on Data Protection Impact Assessments.
All these resources can help you navigate through the new law.
And what of the ICO’s own preparation? As a data controller we must be prepared for the GDPR like anyone else but, for the ICO, 25 May means we must be ready to regulate the GDPR. That’s an additional challenge.
But I believe I am leading an ICO that’s made up of committed people who are equipped to meet those challenges - and the opportunities - that lie ahead.
We’re expecting more of everything. More breach reports because the law requires it in high risk cases. More complaints, because people will be better informed of their rights. Greater engagement as organisations turn to us for advice at the outset.
So I am strengthening my team in both number and expertise and we’re moving the ICO to a place where we can deliver our new responsibilities and obligations to organisations and, most importantly, the public.
We are currently recruiting a number of new senior roles to give us the capacity, capability and resilience to tackle our developing regulatory brief.
We’ve welcomed just over 70 staff from a range of diverse backgrounds and experience to work at the ICO in the past 12 months and we have plans for at least another 150 in the next two years. As well as roles in our head office down the road in Wilmslow, Cheshire, there will be opportunities in London, Belfast, Edinburgh and Cardiff too.
To give you an idea of how we’re fixed now, we’ve got around 200 case officers working on issues raised by the public, a 60-strong enforcement department taking forward our investigations and a similar number charged with developing our information rights policies and engaging with the stakeholders and organisations that need to implement them.
And there’s more.
We’ve launched an active secondment programme which has brought an influx of new talent into the office. And we’ll be kicking off our new Technology Fellowship programme with a two-year post-doctoral appointment to investigate and research the impact of Artificial Intelligence on data privacy.
Our future funding model has also been agreed to by parliament. That takes our current budget of £24 million per year to £34 million in 2018/2019.
I hope you are all aware of your organisation’s legal obligation to pay a fee to the ICO after 25 May unless you are exempt. Details on our website or you can visit my registration team in the Information Market.
Okay, just a quick word about enforcement.
The misinformation about massive fines being an ICO default under the GDPR prompted the first in my series of myth-busting blogs last summer.
As an aside, I hope you’ve found these a useful resource in better understanding the detail of the law and my approach to it. They do appear to have been well received and we will be publishing more.
Anyway, I hope by now you know that enforcement is a last resort. I have no intention of changing the ICO’s proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law.
Those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action.
It’s not just about fines though, is it? The GDPR has handed the ICO a whole new set of tools to motivate organisations towards compliance. Privacy by default and design, codes of practice, privacy seals, Data Protection Impact Assessments, accountability mechanisms, data protection officers ... all these things – and more – form an integrated package.
All of them are necessary; none of them is sufficient on their own.
And when we do need to apply a sanction, fines will not always be the most appropriate or effective choice.
Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data.
None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line.
You know, I can’t mention enforcement without a few of my more favoured e-words. Engagement, education, encouragement to name but a few.
Because I’ve always preferred the carrot to the stick. I don’t want to punish organisations for breaching the law. I want to help stop that happening in the first place.
Deputy Commissioner for Operations, James Dipple-Johnstone, will set out our approach to regulatory action when he presents highlights from our draft policy at the end of the conference. I recommend you stick around to find out more about that.
As you know, I believe the public should be and is at the heart of everything we do.
It’s why we’re conducting our investigation into data analytics for political purposes – because it’s important that the public is fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy. The GDPR has people at its centre too. It gives people new and strengthened rights that together, and gives people choices about how their data is used, shared and stored.
We have, rightly, been concentrating on ensuring organisations are prepared. But we have not forgotten the public!
Today we’re officially launching our public information campaign “Your Data Matters”.
We’ve taken a collaborative approach inviting a range of businesses and organisations – public and private sector – to work with us to develop baseline educational messages about data protection reform for UK citizens. These are messages that will help raise awareness but also, I hope, increase trust in our data driven world.
We’re producing messages and materials – this is our logo and our finger print family who will tell their data stories – that you’ll be able to use directly in your own communications activities.
You can find out more later this morning during a panel presentation here in the auditorium.
So here we are, days away from the first day of a new era for data protection. Does it feel like there’s a light at the end of the tunnel?
We want you to feel prepared, equipped and excited about the GDPR. I know many, many of you do. For those that still feel there is work to be done – and there are many of those too – I want to reassure you that there is no deadline.
In fact, it’s important that we all understand there is no deadline. 25 May is not the end. It is the beginning.
This is a long haul journey. But it’s not a holiday. There’s a lot of work to be done along the way.
I am sure you have bosses that are waiting to pat you on the back, buy you a drink or present you with a bunch of flowers on Friday the 25th. They’ll be pleased that you got them across the line. That you made it and you can all finally relax.
It’s your job to make sure you keep your foot on the gas. Your preparations, your work – your important work – must continue beyond the 25th. Perhaps that’s when the real journey begins.
So buckle up people, it’s going to be an “interesting” ride!