Elizabeth Denham's keynote speech at the IAPP Europe Data Protection Intensive 2018, London, 18 April 2018

Information Commissioner Elizabeth Denham talks to the IAPP about how the ICO is preparing for the GDPR, its powers, its focus on technology, its future in Europe and, ultimately, how it will increase public trust and confidence.

Original script may differ from delivered version.

Introduction

Good morning everyone! In preparing for this keynote speech, I looked back on IAPP speeches and panels I have given over the years – at the Global Summit in Washington, at the Europe Data Protection Congress in Brussels, at various Knowledge Nets in the UK and Canada — and realise that I have been speaking at IAPP events for 10 years!

The Europe Data Protection Intensive is a new event for me, though, and I’ll have to see if it beats the fun of the annual Commissioners’ Game Show at the IAPP Canadian Privacy Summit - I think fondly of the hijinks over the years – especially here in 2015 wearing my hometown Vancouver Canucks jersey to play on a privacy trivia panel with my Canadian federal and provincial colleagues. The Canucks are an NHL hockey team for the information of all of you football fans out there.

Congratulations to IAPP colleagues on this sold out event; it is clear, that there is a sense of community – of all of us in this endeavour together.  And, it is a community, defined by a commitment to excellence in data leadership and maintaining and promoting excellent professional standards — all things that are going to be increasingly important as data protection continues to develop professionally over the coming years.

It’s fantastic, to see everyone in the capital, so close to the iconic Tower of London – a building, which has survived over a thousand years of history; some of it tranquil, but much of it turbulent.

Which brings me neatly onto the current state of data protection and privacy…..

In all seriousness, I don’t need to tell you there has never been a better time to be in data protection. 

Changing world

The Cambridge Analytica- Facebook allegations, revelations and discussion in the UK, throughout Europe, in the US, and beyond is an opportunity for focus on privacy.

The debates on how to ensure data protection rights — taking place at the UK and US government levels — the data analytics investigation underway in my office, and the interest in this file by other national regulators, are effecting change around the world.

I also sense a shift in the posture of industry with regards to privacy regulation in the US.

“Intensive” - is a good word, to describe this event – because the expectation and scrutiny on all of us to step up and make change is intense.

It is clear, to everyone, that data protection is essential for our democracy.

Enforcement

It is why, last spring, my office launched a comprehensive investigation into the use of personal data and data analytics in political campaigns. The Cambridge Analytica- FB allegations is only one line of inquiry in our investigation, but of course heightened in February with whistleblowers and witnesses coming forward. In all, we are looking at 30 organisations – social media platforms, data companies, campaigns and political parties to pull back the curtain on the use of personal data in modern political campaigns.

Our report will describe the realities of data-driven political campaigning: are the rules clear? Are there no-go areas? How is personal data use enabling the micro targeting of adverts and campaigns? What public policy changes can we recommend?

One thing I will say, is that I’ve never been involved in an investigation playing out so publicly with witnesses giving evidence to the media, Parliament and publishing online. Speculation is rife, but our investigation will be thorough, independent and focused and we will make our findings and conclusions public.

If we find that the law has been broken, we will take the necessary enforcement action. But as I have mentioned, the investigation is ongoing and therefore it would not be appropriate for me to give you a running commentary.

But, I do want to use this case to comment on our powers — and the unique nature of data protection regulation.

Powers

As a regulator, we need to investigate systems in situ, to see how personal data are actually being used and managed. The unique nature of modern data protection regulation is that our role involves understanding the effect of algorithms and analytics. We have to look for inter-relatedness between data sets and the effect they have on decisions. We may need to see these effects in short time periods in the context of a fast-moving investigation.

Under the GDPR I will have the power to audit all those who hold, use and share personal data. In other words, soon I will be able to look behind the curtain and see what those who hold our data and personal information are doing with it.

But, in the context of this particular investigation, the GDPR audit power is already being outpaced by technological advances in data analytics. I want to see this addressed.

I am in intense consultation with government, to ensure that, as part of the Data Protection Bill, the ICO has the ability to move more quickly to obtain the information we need to carry out our investigations in the public interest.

We need to respect the rights of companies but, we also need streamlined warrant processes with a lower threshold than we currently have in law. 

We need the regime to reflect the reality that data crimes are real crimes. As society moves increasingly online, data protection law needs to have the comprehensive reach people would expect of laws in the physical world.

I want to tell you, this morning, about how I am reshaping my own organisation so that we are the relevant, future- focussed regulator that you need us to be.

The ICO prepares for the GDPR

DP-Day – is only 27 working days away. But 25 May will merely mark the end of the beginning of a very long journey for the data protection community.

As the regulator of the GDPR – we support, educate, consult, audit and enforce.

And we’re expecting more of everything. More breach reports because the law requires it in high-risk cases. More complaints, because people will be better informed of their rights. Greater engagement as you turn to us for advice at the outset of projects and submit your DPIAs to us.

ICO people

I am leading an ICO that’s made up of incredibly committed people who are equipped to meet those challenges - and the opportunities - that lie ahead.

I am strengthening my team in both number and expertise, and we’ll be ready to deliver our new responsibilities and obligations to organisations and, most importantly the public.

Our future funding model has also been agreed by parliament, taking our current budget of £24 million per year to £38 million in 2018/2019.

We are recruiting all levels of staff, including ten newly created director roles, across the UK —at our offices in Edinburgh, Cardiff, Belfast and London as well as Wilmslow - to give us the capacity, capability and resilience to tackle our developing regulatory brief.

We have a current headcount of 520. We expect numbers to continue to increase to 700 by 2020.

Right now we have around 200 case officers working on issues raised by the public, a 60-strong enforcement department taking forward our investigations and a similar number charged with developing our information rights policies and guidance.

We’ve provided a whole suite of resources on our website, including guidance (our Guide to the GDPR has been accessed over 2.5 million times), interactive toolkits, checklists and sector-specific FAQs.

And we’ll be assessing the demand for our services as the GDPR goes live and beyond, adjusting our plans accordingly.

Technology - the new spine of the ICO

There’s nothing like taking advantage of a comprehensive change to the law to develop, to grow and to re-invent ourselves. Over the past eighteen months the ICO has undergone a phenomenal internal change programme.

We know we need to be a tech savvy, relevant regulator which is why I have recently published the ICO’s first Technology Strategy.

Our focus

We have identified three areas of focus: cyber security, artificial intelligence, and device tracking.

These three areas will inform our guidance, our proactive work, our investigations, audits and advisory services.

Taking proactivity further, we want to recognise that innovation is essential in this space. We are working to establish a ‘regulatory sandbox’, for you to beta test new initiatives, supporting innovative digital products and services, whilst ensuring the right safeguards are in place.

We intend to focus on AI applications and will launch the program in 2019 after this year’s consultation. I hope you’ll engage fully with our consultation and give us the benefit of your industry experiences.

This technology strategy is based on the strong belief that privacy and innovation go hand and hand. It also allows us to develop our own skills, recruiting and retaining technology expertise and establishing partnerships on tech issues with outside experts, other regulators and international networks.

We’ve launched an active secondment programme which so far has brought an influx of new talent into the office in the form of legal staff, auditors and international liaison experts. This program is open ended so we are still delighted to hear from anyone who believes their skills and experience would complement the ICO.

Digital regulation has become the spine or the backbone that runs throughout the organisation.

New regulatory action policy

I’m also taking the opportunity to re-launch our regulatory action policy, which sets out the practical and policy approach we’re going to take in discharging our duty as the UK’s data protection regulator. There’ll be more on that from my deputy commissioner James Dipple-Johnstone tomorrow.

Myths and facts

I have spent a lot of time busting myths in this area, particularly the misinformation about massive fines being an ICO default under the GDPR.

I have no intention of changing our proportionate and pragmatic approach after 25 May. My aim is to prevent harm, and to place support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route.

But we will back this up by tough action where necessary; hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law.

Report to us, engage with us. Show us effective accountability measures. Doing so will be a factor when we consider any regulatory action.

And we now have a whole new set of tools to compliance. Privacy by default and design, Data Protection Impact Assessments, accountability mechanisms, data protection officers … all these things – and more – form an integrated package.

And when we do need to apply a sanction, fines will not always be the most appropriate or effective choice.

Compulsory data protection audits, warnings, reprimands, enforcement notices and stop processing orders are often more appropriate tools.

None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on reputation and, ultimately, companies’ bottom line.

Another of the myths I have worked hard to dispel is around data breach reporting under the GDPR.

It’s always worth repeating: you will NOT need to report every single personal data breach to the ICO.

But where you do need to report we have made the reporting process simple and effective. Part of our change programme has included researching the best ways to manage the new volumes of work created by the GDPR’s reporting requirement.

Looking across to the Continent has helped us plan in an informed manner. Extrapolating from the work of our Dutch colleagues, we planned and put in place a breach reporting service that could handle 30,000 reports a year. Quite a challenge to resource. And so we’ve built a telephone based reporting service that ensures a fast, direct entry point to the ICO.

Call our breach reporting line and you’ll get a human response; our focus will be on identifying whether your breach is a reportable one, working with you and calling in whoever else we need to involve, to help you make the right decisions in those key first few days.

We’ve built a dedicated team to deal with data breach reporting and we’ll be extending the hours of the office to manage reporting under the GDPR and NIS Directive.

UK Government and Brexit

When I accepted the role of Information Commissioner, I expected challenge enough to bring in the new data protection laws and representing the ICO at the Article 29 Working Party, as it morphs into the European Data Protection Board.

What I hadn’t anticipated was the result of the Referendum on 23 June, 2016. The referendum result’s impact on our legal and policy relationship with Europe has occupied much of my time since I took up this role.

As Commissioner, one of my important jobs is to objectively advise government and parliament on law reform that ensures high standards of data protection for UK citizens and consumers, wherever their data resides, uninterrupted data flows to Europe and the rest of the world; and legal certainty for business and law enforcement.

Government has explicitly said it values data protection as fundamental to the digital economy and security cooperation. Data protection is a priority area for the Brexit settlement.

Right now, we are playing a full role in EU institutions, and are fully immersed in creating guidance for the GDPR. We are also preparing for the post-Brexit environment in order to ensure that the information rights of UK citizens are not adversely affected.

Unfortunately, the most significant “unknown” from my point of view is the exact nature of relationship with our DPA colleagues across Europe.

During two recent speeches the Prime Minister has made the case for an ongoing role for the ICO – whether that’s a seat on the European Data Protection Board with voting rights or some other form of relationship, the government and the EU can decide.

The ICO is deeply committed and embedded in the EU regulatory community.

And that is the message I’ve been giving to Parliamentarians when giving evidence to Committees looking at the implications of Brexit.

Same three EU phrases

The Government thus far has made good on its commitments to fully implement the GDPR – it clearly appreciates the importance of high standards of data protection. I think the Government should be commended for their commitment and effort in this regard.

And, through our expert advice to the Government, and our strong engagement with the Article 29 Working Party, we are striving to ensure that the priorities I identified become reality.

Our ultimate goal

Further to our focus at this Conference, let’s remember why we are doing this — it’s all about people and increasing the public’s trust and confidence in the way their data is handled. This is a very high priority for me as I know it is for you. 

I think the recent revelations in the media have fired up the data protection debate.

And so they should; across the world people are beginning to wake up to the importance of personal data, and it is up to us – as regulator and those striving to comply with the law – to keep that fire burning.

If we fearlessly and tirelessly apply the principles that the ICO and the IAPP hold dear, we can build people’s trust and confidence because their data matters.

There has never been a better time to be in this rapidly growing data protection community.