Deputy Commissioner - Operations James Dipple-Johnstone spoke at the DPPC about the ICO’s Regulatory Action Policy.
Original script may differ from delivered version.
Thank you for that introduction. It’s been a full day. I hope everyone has had the chance to drop in to our sessions as well as make the most of the Information Market and these auditorium presentations. I hope the day has been useful for you.
The focus of today has been very much on the future. The GDPR and how you’re working to prepare for it and how we, the ICO, can help you do that.
You all know by now that we operate a carrot and stick approach, as some people describe it. We prefer to describe it as education to enforcement. Guiding and advising organisations on how to meet their legal obligations rather than punishing them when they don’t.
That’s not to say we won’t use the stick when we need to and there’s no denying that the new law gives us a bigger range of sticks to choose from.
Our power to impose fines of up to £17 million or 4% of global turnover is the one that has made the headlines. But there are many tools in our toolbox.
I’m going to give you some headlines from our Regulatory Action Policy, which we’ll be putting out to consultation in the next couple of weeks. It sets out how we plan to discharge our regulatory powers as the range and strength of those powers escalates. After consultation it will be subject to Parliamentary consideration and will then come into effect.
But let me take you back to basics first – to our Information Rights Strategic Plan, which maps out the Information Commissioner’s priorities for the duration of her tenure.
As well as increasing the public’s trust and confidence in how data is used and keeping pace with evolving technology, the Information Rights Strategic Plan also commits us to leading the implementation and effective oversight of the GDPR and other data protection reforms.
It commits us to exploring innovative and technologically agile ways of protecting privacy.
It commits us to strengthening transparency and accountability and promoting good information governance.
And it commits us to protecting the public in a digital world.
We’ve added a new goal to be an effective and knowledgeable regulator for cyber security issues.
Our Regulatory Action Policy sits beneath this over-arching Information Rights Strategy.
The policy is designed to give direction and focus to the organisations we regulate and help us achieve the goals of the Strategic Plan.
It sets out our risk-based approach to taking regulatory action against organisations or individuals that have breached the soon to come 2018 version of the Data Protection Act, the Privacy and Electronic Communications Regulations, Security of Networked Information Systems Directive, the Freedom of Information Act and our other associated legislation.
That’s a mouthful. But it’s important to be clear the policy will apply to everything we do in one place, rather than the seven or eight documents you presently have to use.
And I can also be clear that, as with earlier editions of this policy, we will focus on areas of highest risk and most harm.
Our approach is designed to protect data subjects – individual citizens – but also ensure that business is able to function and innovate in the digital age.
The policy sets out our objectives regarding regulatory action. So, when we’re considering whether to take action we’ll be guided by these aims.
We’ll respond swiftly and focus on those cases involving highly sensitive information, lots of people or vulnerable people.
We’ll be effective, proportionate, dissuasive and consistent. We’ll target our most significant powers on repeated, wilful or serious failures to take proper steps to protect personal data and deliver information rights. Our formal regulatory action will serve as an important deterrent where it needs to.
We’ll support compliance with the law. We’ll promote good practice and provide advice on how to comply with all aspects of legislation as a first course of action. Where that advice is not sought or followed, more intervention can be expected to follow.
We’ll be proactive too. We’ll identify and mitigate new or emerging risks arising from advances in technology, for example. We will increasingly use our assessment powers to explore these in more detail and this will feed into our thinking about enforcement action.
And we’ll work with other regulators – at home and abroad. Because we recognise the interconnected nature of data flows in the expanding digital economy. Recent examples in Yahoo, Equifax, Uber and Facebook have shown that element of our work clearly.
These objectives will guide us when we’re exercising our statutory powers.
That means we will take proportionate action and exercise our discretion as to when, how and to what extent enforcement action is needed.
We will look at each case on its own merits. We’ll look at the features and context of each case. And, this is important, we will focus on areas of greatest risk to people – potential or actual harm.
We will reserve our strongest sanctions for breaches that present a high intrusion into people’s privacy, a repeated failure to meet rights or wilful acts to harm citizens.
The more serious, high impact, deliberate, wilful or repeated breaches can expect the most robust response.
And that brings me to fines again. Reports that we’ll be making early examples of organisations are wrong. We will remain proportionate. If a £20,000 fine was sufficient under the current DPA, it will probably be sufficient under the GDPR. We will not simply add zeros because the law allows for it. As now, we will share examples of our action so organisations can see how we are applying the rules.
Support, education and guidance will remain at the heart of our regulation but it is backed up by tough action where obligations are not met or are ignored.
The new law brings us new powers.
We’re also expecting more powers to be considered as law makers put forward amendments in the light of our ongoing investigation into data analytics for political purposes.
So we have quite a range of measures at our disposal. These will allow us to investigate well and also address better the issues we find as a result of our investigations.
So, how will we look at issues? Well, like now, there’s a hierarchy of action. It starts with observation, intelligence gathering and monitoring and works up to individual case and appeal considerations as citizens complain to us. These identifications of issues lead to application of audit and assessment or inspection powers, or information notices being issued to selected organisations to better understand an issue. Finally there’s formal investigation with statements, demands for access, warrants and, if necessary, sanctions through enforcement notices and civil penalties or prosecutions where we need to look at and address the detail of an incident.
So, as issues escalate in frequency or severity, we can use more significant powers in response.
Although I should point out that we can use our most robust powers immediately in serious or high-risk cases where there is a direct need to protect the public from harm.
Our approach will also encourage and reward compliance.
Those who self-report, who engage with us to resolve issues and who can demonstrate strong information rights accountability arrangements, can expect us to take these into account when deciding how to respond.
You’ll know that breach reporting is changing under the GDPR and NIS. We have tried to develop a flexible system, reflecting that, in the early stages of a problem, information about what has happened and how is still emerging. I hope that, by now, you have processes in place to engage with us and report effectively in this context. If you want to know more there is comprehensive guidance on our website and I hope you found time to drop in to our session earlier this afternoon.
We will also provide opportunities for innovative products, services or concepts to be tested with appropriate regulatory oversight and safeguards, so that innovation and development is not over-burdened.
We’ll be consulting on this, our regulatory sandbox, later this year.
We’ll adopt a selective approach to the action we take. When we’re deciding on how to respond to breaches we’ll consider a range of criteria.
Things like the seriousness of the breach including whether any critical national infrastructure or service is involved. We’ll look at the rights and type of personal data affected and any level of privacy intrusion.
We’ll also consider the number of people affected and the extent of any physical, financial or psychological harm caused.
We’ll look at whether the breach raises new or repeated issues or if there are concerns that technological security measures are not adequate.
We’ll look at the length of the breach and the cost of implementing protections against risk or harm.
We’ll take into account any public interest in regulatory action being taken. That means whether the action would act as an effective deterrent against future breaches.
We’ll also consider whether another regulator or enforcement body is taking action over the same thing. And, in relevant cases, we’ll listen to the opinions expressed by the European Data Protection Board. We envisage that we will continue our approach to set out our findings and invite representations on these and any level of penalty or enforcement action.
Again, as is the case now, we’ll consider aggravating or mitigating factors in each individual case. These factors and how they will be applied will be set out in detail in our policy document; we would welcome your views on these. We expect our consultation to start as soon as the preceding parliamentary stages of the Bill are complete. I do hope you will be able to find time to contribute to our thinking around the application of the new rules.
I hope this overview has been helpful.
If you didn’t already know, I hope today you’ve learned that our door is always open. Please come and talk to us, keep in touch through our social media platforms and keep checking in to the website. That’s where we’ll publish our Regulatory Action Policy in the next few weeks for consultation.