Thank you for that kind introduction. It’s a pleasure to be here.
It’s clear talking to people here today that the DMA members are ICO customers. Your work is our work. There’s an enormously broad range of people here today. List brokers, lead generation organisations, marketing companies, fundraisers, in house teams and consultants. Some of you are from sectors that largely get it right. Some of you are from sectors that haven’t had such a strong track record. But by being members, by being here today, you are showing that commitment to improve. To follow the law, and to aspire to best practice. Hopefully I can help you further today.
Because to quote an old soul song, now is the time to set things right.
It’s one year on from my predecessor Christopher Graham standing before you on this stage. As he stood here in chilly London, I was in no less chilly British Columbia, learning I’d been selected as his replacement – subject to the not so small matter of passing a parliamentary select committee and getting the final nod from Her Majesty the Queen.
What a packed twelve months it’s been since then. Just looking at the data protection sphere, we’ve had confirmation of a new law from the EU, followed by confirmation the UK would leave the EU. We’ve run high-profile investigations: Yahoo, WhatsApp and Facebook, the charity sector. We’ve issued our largest fine to date, to TalkTalk.
And then there’s the nuisance marketing. 160,000 complaints in the past year. Leading to no fewer than 17 fines for nuisance calls and texts. It’s clear this is an issue the public cares about. Last year Christopher Graham used this platform to thank DCMS for stronger nuisance call fining powers. I’ve stood by the promise to use those powers, and our actions have been well received by citizens we have spoken with. Since April last year my office has issued more than £1.3million worth of fines. We’ve got at least that again in the pipeline.
Then there’s the transfer of the Telephone Preference Service to the ICO, which means complaints about rogue cold callers will now be passed even more efficiently to our enforcement officers. That will give us more information about what is frustrating consumers, and will help in actions to help them.
We’ve already seen evidence of how that could happen, with a recent £40,000 thousand fine prompted by TPS complaints.
We’ve had frustration too, with directors ducking away from fines by putting their company into liquidation. Liquidation isn’t a get out of jail free card – our work with insolvency practitioners saw one director disqualified for six years for trying to take this route – but we believe the public want to see stronger action. That’s why it was pleasing that the Right Honourable Matt Hancock announced plans to give my office the power to hold company directors directly responsible for breaking nuisance marketing rules. That’s scheduled for spring 2017. Tougher rules will make it harder for directors to leave by the back door as the regulator comes through the front door.
This all has to be good news for the people in this room. It improves the public image of your profession. It removes the bad actors diminishing the returns your activities can achieve. It removes the bad actors undercutting you by cutting corners.
I know that’s work the DMA is committed to as well. The DMA offers practical feedback on our guidance on your behalf, and this constructive relationship will continue as we develop our direct marketing guidance to a Code of Practice over the next year.
But I want to talk about more than fines today. The regulatory part of our role is only that – part of our role. The other part of our work is educational. I want to talk about the benefits of best practice, about the changes GDPR will mean to your industry, and about what you can learn from other sectors.
The GDPR is at root a modernisation of the law. The world has changed a lot since 1995, not only technology, but your own business models, people’s attitudes to their data, their demand that their information is properly looked after. The law needed to change too.
The GDPR gives consumers more control over their data. Consumers and citizens will have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it.
And they’ll have the brand new right to data portability: to obtain and port their personal data for their own purposes across different services.
The GDPR will include new obligations for organisations. Perhaps most relevant to people in this room, there’ll be a toughening up on the rules around consent. It will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data. A pre-ticked box will not be valid consent. My office will be publishing guidance on this in more detail in March.
But what I want to talk to you in detail about is part of the act that you might not have focused on so far. Accountability.
Because what changes with GDPR is a shift in focus. The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead pushes you to build a culture of privacy that pervades your entire organisation. It means taking proper consideration of what your customers expect.
The people in this room should be a step ahead. The DMA Code aspires to a higher standard than the law requires. It emphasises fair treatment of customers, and – crucially – it appreciates that the customer-business relationship is a value exchange that both parties should benefit from.
One of the first steps to accountability is understanding that the benefits of getting this right are greater than just legal compliance. What organisation in this room doesn’t value customers’ trust? Isn’t that intangible relationship with customers: loyalty, trust, reputation, something that drives the success of your marketing?
A good way to look at it in terms of direct marketing is to think about surprise minimisation. What are people expecting you to do with their data? Would they be surprised if they learned what you had planned? This isn’t just about having a good, clear privacy notice at the outset, but also about having customers’ trust that you won’t change your mind and do something different with their data.
Now’s a good time to mention the charity sector.
Over the last 18 months or so my office has undertaken a series of investigations into the fundraising practices of numerous charitable organisations.
Our investigations were into fundraising practices, into how they marketed themselves to encourage donations, but what we were focused on wasn’t the Privacy and Electronic Communications Regulations. This wasn’t about whether they had permission to make calls. What we uncovered were serious contraventions of the Data Protection Act around how they pulled together lists of people to market to. The details they added to that list. And there were contraventions that undermined fundamental privacy rights of donors.
I’m talking here about wealth screening or prospect research, without any thought of what would-be donors might think. Of not accepting that a customer doesn’t want to provide a phone number, and going out to find a way to get hold of that information anyway. And of buying and selling lists of potential customers like they were a basic commodity.
One charity complained to my office that what we were asking them to do around wealth screening – expecting charities to tell people that they would use their personal data to get more information, and ultimately rank donors based on how much they earned – would put people off giving their details in the first place. But that’s the point. And that’s where this is so relevant to everyone in this room. If you can’t happily justify what you’re doing to your customers, it’s unlikely to be within the law. You don’t have a fundamental right to take people’s information and use it however you see fit, even if it does help your marketing.
There’s a bigger picture here. I think people have never been more aware of their rights, but consumer trust hasn’t followed that. It’s a focus of my office’s strategy to make a difference to the public over the next five years. And I’ll be asking organisations help me do that by putting accountability to people at the heart of their practices.
It goes back to that accountability, that culture of your company. And by the way, that includes considering the attitudes of companies you work with. Earlier this month we fined a list broker, because they hadn’t told people on their list how their information was being used.
We also fined the company who’d used their list, and sent messages to people who hadn’t actually consented to receive them. I know some of you in the room are data brokers, and so I hope this will be music to your ears – we want to take more action in the next twelve months against the bad actors in this sector. You can expect to hear more on that in the coming weeks.
I’ve spoken a lot about GDPR and what businesses can expect in the future, but let’s acknowledge there is uncertainty too. The big question is what happens when the UK leaves the EU. The legal relationship answers are for government to give – I’m a regulator, independent of government – but they’ve made it clear that EU law will remain UK law, until the government sees fit to repeal it.
Of course it’s possible that in the years after the UK leaves the EU, Parliament will debate amending the requirements of the GDPR. If that happens, we’ll be at the centre of any conversations around this, and will be banging our drum for continued protection and rights for consumers and clear laws for organisations.
The government will also need to answer the question about whether the UK will seek to keep the UK’s data protection law at an equivalent standard to the EU, to allow unrestricted data flows with EU countries. We need strong data protection laws to achieve all that. I don’t see the rules on consent or marketing being loosened.
The eprivacy regulation currently being debated in Europe is of note here. The detail is still being debated, but a default for all consumer marketing to be opt in is in the current draft. And we do know the final law will be drafted to sit alongside the GDPR.
There’s plenty for you to be getting ready for, then. So what can I as a regulator do to help you? The ICO has just published an updated overview of the GDPR. It highlights the key themes of the new legislation, pointing to the similarities with the Data Protection Act, and explaining some of the new and different requirements.
There are sections in there on the principles the act is based on, the new rights enshrined for individuals, and also some detail on the derogations we might see, that allow for different countries to have subtly different laws.
Your organisation’s attention to our guidance documents is an essential starting point to learning more about what’s coming in 2018. And it will be a living document, with text added on different points as more guidance is produced. That’ll include the guidance on consent I mentioned earlier, and guidance around contracts and liability, both due early this year
It’ll also include links to guidance produced alongside our counterparts in Europe, as and when that is ready, including documents around aspects like data portability and the role of data protection officers.
If I could give you just one piece of advice today, it would be not to put this off. The GDPR is happening. It will mean changes to how you do things. And the fourteen months until the law’s implemented will go quicker than you think.
I am committed to do everything I can to improve the state of trust that citizens and consumers have in the use of their data. Those of you here today also have an important role to play – together we can build a better system.
Thank you again for inviting me to this conference. If we have time for questions I am happy to take them.