Elizabeth Denham’s speech at the Data Protection Practitioners' Conference on 8 April 2019

Original script may differ from delivered version


Good morning. Welcome to the DPPC, welcome to Manchester, and welcome to those joining via our livestream link.

We’re proud that what is the biggest event of its type takes place right here in Manchester. As I quickly learned moving to this wonderful part of the UK, there’s a real sense of civic pride here. People are proud of the history of their region. Proud of being independent and ambitious. And proud they continue to make an impact, 200 miles north of the capital.

I think those are all things the ICO can relate to.

If any of you have strolled here this morning from the tram stop, or from Manchester Piccadilly station, you may have noticed one of the latest examples of that civic pride.

Over in St Peter’s Square, a couple of minutes’ walk from where we are seated, is a statue of Emmeline Pankhurst, the noted suffragette. Emmeline was born in Manchester and founded the Women’s Social and Political Union in 1903. Some may dispute her methods, but it’s difficult to walk past that statue and not be inspired by her commitment.

Emmeline saw the world was changing, and she responded by making a positive impact.

That’s what I want to talk with you about today. I want to set out how I believe we’re entering a new stage in the GDPR’s development. And I want to talk about how that gives you, as data protection practitioners, an opportunity to make a positive impact.

It seems incredible that the GDPR still isn’t yet one year in. It feels like it’s been with us for such a long time already – is it really only ten and a half months?

But I think even so early in the new law’s lifespan, we’re find ourselves at a critical stage. For me, the crucial, crucial change the law brought was around accountability.

Accountability encapsulates everything the GDPR is about.

It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks.

It formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation.

And it reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after.

But I’ll be honest, I don’t see that change in practice yet.

I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out.

And you know, that’s a problem. Because accountability is a legal requirement. It’s not optional.

But it is an opportunity. Because accountability allows you, as data protection professionals, to have a real impact on that cultural fabric of your organisation. Beyond bolt on compliance work.

I can speak from experience here. I worked as a data protection officer for a health authority in Alberta, Canada, when a new privacy law came into force.

I was in healthcare, and I remember we had so, so many audiences: physicians, community nurses, administrative teams, volunteers, fundraisers… so don’t worry, I get the focus on ensuring compliance across the board first and foremost.

But it was the work after that, the second phase, post readiness, where the REAL opportunity to make an impact came. And by helping the organisation to understand the need to reassess the relationship with patients, employees, donors, residents and the general public, we were able to have a real and lasting impact.

I know, for a lot of the people in this room, and watching online, some of that this work is already underway. I reviewed the nominations for this year’s data protection officer award, and what shone through was the creative, dynamic and above all enthusiastic way people are going about their jobs.

Data professionals who are legal experts, but who are also business analysts, understanding how data protection fits with the vision of the organisation, and where it can be imperative, positive and transformative.

Data protection professionals who are also coaches, working to build a network of ambassadors within the business who understand what needs to be done.

Professionals who are also marketers, finding creative ways to get people to look up from their day jobs, and realise that they all need to buy-in.

It’s quite a skill set to be a data protection professional these days, eh?

But this next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all of your business processes. An accountability approach gives those of you who have the skillset, who have the passion, a chance to see a changing world as an opportunity to have a real and lasting impact.

Closer to Manchester Piccadilly station, there’s another statue, to another noted figure in Manchester history. John Noel Nichols – a wholesaler of herbs, spices and medicines, at a time of change as the temperance movement gathered pace. Nichols saw the world was changing, and he considered that to be an opportunity. His response was creating the Vimto drink now sold around the world.

We all need that same vision now, to see the changes in the world around us and to use them as an opportunity to make a lasting impact.

That means doing things differently, and taking a fresh perspective to challenges. It’s an area where we’re trying to lead by example at the ICO.

We’ve taken the challenge of Brexit and responded with an international strategy that takes a fresh approach to our relationship with the world, and how we influence the global data protection debate.

We’ve taken the challenge of the pace of change in the digital economy, and responded by finding innovative ways to ensure we’re engaged in the right conversations, and expert enough to contribute to them. We’ve grown our expertise by recruiting from industry, by launching an AI fellowship, and by developing a secondment programme. We’ve also launched a sandbox programme – it helps innovative companies and public sector organisations developing new ideas around data, and is unique in Europe. There’s an opportunity today to find out how to get involved in programme – see our staff at our stand in the marketplace.

And we’ve responded to the growing demand for our services as a regulator. In our grants programme – which you’ll have a chance to learn more about today – we’re helping others to solve problems. And where we see problems ourselves, we’re looking to act.

Which brings us to today’s papers, where I know many of you will have read about the government’s white paper covering online harms.

I think the white paper proposals reflect people’s growing mistrust of social media and online services. People want to use these services, they appreciate the value of them, but they’re increasingly questioning how much control they have of what they see, and how their information is used. 

That relationship needs repairing, and regulation can help that. If we get this right, we can protect people online while embracing the opportunities of digital innovation.

The ICO has a role to play here, with personal data so central to so many aspects of online services. It’s another example of where we’re actively looking to get involved where there might be problems, not waiting to be asked to join in.

I hope that dynamic approach comes across in our schedule today. We’ve worked hard to pull together a varied and engaging programme, and I hope by the end of the day, you go away feeling a renewed ability to have an impact on your organisations.

I want to close by quoting from a third figure recognised in a Manchester statue – one whose home was much closer to my home, in Wilmslow.

Alan Turing said “We can only see a short distance ahead, but we can see plenty there that needs to be done”.

I think that is an apt comment to begin our day on. There is plenty there that needs to be done. Let’s get on with doing it.

Thank you.