Transparency, trust and progressive data protection

30 Sep 2016 03:11 PM

Elizabeth Denham delivered this speech, her first as UK Information Commissioner, at an event in London on 29 September where the digital and personal information economy took centre stage. In her opening remarks Elizabeth yesterday said: "One of the things I want to be clear about today is that I do not believe data protection law is standing in the way of your success." And she reminded her audience that: "It’s not privacyor innovation – it’s privacy and innovation."


Good afternoon. Thank you to Liz for that introduction – I hope I can live up to the billing.

I have to remind myself that only 12 weeks ago I was still living in Victoria, British Columbia – which is on another Island – Vancouver Island, named after Captain George Vancouver – a British naval captain and explorer.

My new home in Cheshire has many similarities to my former home – primarily that it rains a lot in both places – but when the sun comes out, as it has this month – both are a wonderful place to live.

So why would I move four and a half thousand miles, across eight timezones, to take on a role managing data protection at such a time of profound flux?

The short answer – I like a challenge. I also like the theme of this conference – Achieving Growth Through Trust. I agree with Crtl Shift’s message – trust can assist you in gaining a competitive advantage.

We’ve heard a lot today about the innovative, creative uses personal information can offer businesses if it is based on trust.

We have seen examples today of the potential power of 'Me2B' putting individuals in control of their information, we have heard about concepts of 'self sovereign identity', with individuals in control of a single identity verification tool. 

But however wide the range of possibilities there is a single common inescapable factor. Consumer trust is essential to achieving growth. 

I know the opportunities technologies can offer. I hear it first hand from my sons – one who is an app developer in Silicon Valley, the other a particle physicist teaching data analytics. I see it in the cases the ICO takes on.

But you also know that there are laws around how you are permitted to use personal data.

And those laws bring challenges to your technological innovations.

One of the things I want to be clear about today is that I do not believe data protection law is standing in the way of your success.

It’s not privacy or innovation – it’s privacy and innovation.

The personal information economy can be a win win situation for everyone. Get it right, and consumers and business benefits. So where do you start?

Firstly you need to make sure you’re following the law as it stands – which is a blueprint for responsible data practices.

You also need to make sure you’re building something that is future proof to withstand the law of tomorrow.

And most of all, you need to make sure that whatever direction you’re taking with people’s information; you’re taking those people with you.

But like anything worth doing, it starts with a plan – a privacy by design plan.

The plan requires thought, care and a commitment to your customers– you need to build the considerations for privacy into your projects right from the beginning to make it work.

And as you’re constructing your privacy framework, you’re also laying down the foundations of trust, and, as we know from today’s conference, trust is integral to your innovation. Trust also builds reputation, and both can be easily lost when consumers discover you haven’t been completely honest about how you are using their information.

Biography and philosophy

For those of you who haven’t come across us before, the ICO is one of the main regulators in the digital space. If you’re using personal data or direct marketing, we’re the independent UK regulator enforcing the laws that govern privacy. 

Wherever you are in the world the themes of good data protection are the same – that consumers’ have the right to know what’s happening with their information combined with business transparency and accountability.

I’ve worked as a regulator of privacy rights and information access for more than twelve years and one of my main aims is to stay relevant – to citizens and consumers. When I look back on what I am most proud of in my time in Canada, it is the casefiles where our work made a difference to the public.

It’s where our investigations pulled back the curtain on new technologies, to help the public better understand the technologies themselves and their impact on personal privacy. Privacy law can give both consumers and business a lens through which to assess the opportunities and threats of a new technology or approach.

An ICO survey earlier in the year showed only one in four UK adults trust businesses with their personal data. Only one in four, that’s seventy five percent of people who don’t trust businesses with data. 
If three quarters of your customers were suspicious about your methods, your business would be in trouble.

The fundamental objective of my five-year term as Commissioner is to build a culture of data confidence in the UK.

We don’t just need you to tag along. We need you and your companies to lead the way. We want to hold companies up as great examples of how privacy and technology can work for consumers.

The ICO will do its bit by focusing our advisory, education, investigatory and enforcement work on consumer control, transparency and fairness.

At the end of my five year term my wish is that we are at a place where citizens and consumers have much more confidence in organisations’ use of personal data. I want that survey figure of one in four to go up.
So how are we going to do this?

The ICO is a tech-savvy organisation, but we want to do more. We are building on our own capacity for technology by analysing more, researching more, and embedding technology into the future of the ICO. We are also seeking partnerships with universities and we aim to support research into privacy by design solutions.

I am creating a new position of chief technology advisor to help with this, and extending the technology team by hiring new talent (if anyone’s available you can see me later)

We are identifying new policy priorities which promote a responsible approach – ultimately leading to greater trust in businesses and in public bodies.

As an independent regulator we have powers to issue fines of up to half a million pounds which could eventually rise to four percent of a business’ global turnover. In an ideal world we wouldn’t need to enforce, but we will use the stick in the cupboard when necessary. And remember it’s not just about the money – it’s about your reputation too, with your customers, the public and in the media spotlight.

We’ll be choosing our investigations carefully making sure they are relevant to the public – the results of which can cascade across a sector. Technology is already at the forefront of most of our major investigations – last Friday we stepped in to ask questions about the Yahoo data breach involving eight million UK accounts.

We are currently reviewing data sharing between WhatsApp and other Facebook companies – all of this is about transparency and individual control.

No regulator has enough resources for all audits and systemic investigations – the office has to look at investigations that have the largest impact on the privacy rights of individuals. As technology is reaching critical mass and the sophisticated uses for data increase the ICO will undoubtedly be delving deeper into the workings of your sector. 
Whatever data protection law we have post Brexit, I expect to see organisations taking responsibility for their actions, no matter how quick the technological change.

Accountability is right at the centre. It’s your job, it’s your company’s job, to understand the risks you’re creating for others, and to mitigate them. It’s your job to invest in privacy fundamentals upfront, before systems are built, and the foundations of data processing are laid . . . rather than trying to tell people what you’re doing when you’ve already done it, with data flows are already turned on.

Sure, as a regulator, we take some responsibility to shine a light into the far corners of a new development on behalf of the public.

We’ll check – for consumers – that you, the businesses are following the law, and help consumers make informed choices.

And we offer guidance for you too. Our website is a packed with help and advice.

But the impetus is on you. The exponential opportunities of data give you a position of power and with that comes great responsibility. If you want to innovate using personal information, you need to take that responsibility seriously.

Shine your own light on your services and projects. Demonstrate to customers how you’re following the law. And then stand ready to demonstrate your program to my office.

Brexit and the GDPR

You’ll probably be asking me which law exactly I want you to be following, particularly in two years’ time.

And make no mistake – Brexit makes the job I accepted earlier this year, more challenging…but we’re well prepared.

You may not realise but we’ve had data protection law in the UK for the last thirty years. The current Data Protection Act, may have been based on an EU directive since 1995, but the UK had already introduced the concept of data protection law ten years before the European Union.. With the changes in technology and the growing intolerance for data misuse we’ve known for a long time the law needs reform, it needs modernisation.

The General Data Protection Regulation or GDPR replaces the 1995 directive and brings the law into the 21st century. Countries who are part of the EU are now preparing to adopt the new law in 2018. The Referendum result has thrown our data protection plans into a state of flux.

What hasn’t changed are the strong data protection rules the UK already has. We need those rules to ensure cross-border commerce, not to mention the privacy protections citizens and consumers expect.
So where do we go from here? What happens in May 2018? And how does UK data protection law look beyond that? We’ve been asking ourselves the same questions.

Let’s start with the known knowns. It is extremely likely that GDPR will be live before the UK leaves the European Union. Remember that the GDPR is actually already in force, it is just that Member States are not obligated to apply it until 25 May 2018.

The digital world is a smaller world. Copenhagen consumers are closer, Sofia’s citizens aren’t so far away. For most people in this room, the GDPR will be something you’ll have to follow, to do business where you want to. 
GDPR brings in new elements – and a more 21st century approach – the right of consumers to data portability is new, as is mandatory data breach reporting, higher standards of consent, and significantly larger fines for when companies get things wrong. But the major shift in the law is about giving consumers control over their data. It ties in with building trust and is also part of the ICO’s philosophy.

We are helping you to get ready for the new law – and we will continue to provide advice and guidance around GDPR, whether you’re a business with 400 customers or 40 million.

What about the known unknown territory? That’s those of you who only operate in the UK. We know it’s up to government what happens here, both in that middle period from May 2018 to whenever the UK formally leaves the EU, and beyond.

The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow. It is fundamental to the digital economy. In a global economy we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent. For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK.

The adequacy issue is one I’ve experienced first-hand. The impact of the demise of Safe Harbor, the data sharing agreement between the EU and the US, had repercussions outside of the US. In Canada many were questioning whether the European Union Court of Justice’s threshold for privacy could call our own adequacy into question. I understand this arena. We’re talking about proper protection for consumers, about certainty for business, and about strong independent oversight of the law.

We’d all like a concrete answer about the specific outlines of post Brexit data protection law. We know businesses don’t generally like uncertainty. But in the end, it’s government that will have to decide.

Legislative change does bring nervousness, but it also brings opportunity. These changes – stronger data protection law and enforcement – are aimed at inspiring public trust and confidence. GDPR is an incentive to improve your practices, to sharpen things up, and encourage organisations to look at things afresh.

That’s what you’re doing here today around the opportunities that personal data can offer.

That’s what I’m asking you to do around how you look after that personal data.

The future of the law

The future of the law is an opportunity for government too. Being ‘open for business’ means more than just saying you are. It means having a digital economy, being digitally enabled. And data protection is central to that. This is nothing the government doesn’t already know.

When the UK leaves the EU (based on what we know today – 2019 or later) a new data protection law will need to be in force.

I’m having active discussions with Ministers and senior officials in government, and have transmitted our view on the future of data protection law. We believe that future data protection legislation, post Brexit, should be developed on an evolutionary basis, to provide a degree of stability and clear regulatory messages for data controllers and the public.

The aim here is not a data protection regime that appeals because it is overly lax or “flexible”.

The aim is a progressive regulatory regime that stands up to scrutiny, that doesn’t leave the UK open to having rocks thrown at it by other regimes. And that has consistency and adequacy with the Europe.

Regulators generally don’t lobby, and ultimately we work with the law government give us.

But when the conversation is about the future of data protection in the UK, the ICO is determined to be part of that conversation. We have thirty years’ experience as a regulator in a changing environment. We don’t want to talk legislative minutiae, but to look at the key principles that should underpin the future of privacy law in the UK.


I have heard today about the work you are doing to build communities. To simplify our lives. Connect us with others. But there’s a challenge too. Your super connected systems demand continuous access to people’s lives. They ask us to give our information in new ways, and to trust that information will be used ethically and kept safe from the bad guys.

As I said at the start, it doesn’t need to be an either-or situation. It isn’t technological advance or privacy. We can – and must – have privacy andinnovation.
It is an exciting time, with change happening day by day, hour by hour. Your job is to make sure that change, so reliant on people’s personal information, doesn’t leave those people behind. You need their trust to achieve.

Thank you.