GDPR and accountability
Introduction
It’s a pleasure to be here talking about privacy regulation in the digital age. As those of you who have come across us before will know, the ICO is one of the main regulators in the digital space. We’re the independent UK regulator enforcing the laws that govern privacy. If you’re using personal data, including for direct marketing, we’re here to help you get it right.
It’s a big job. We took almost 200,000 calls on our helpline last year. And on the other side of our role, we issued more than 1million of fines to organisations that got it wrong.
And it’s a job that’s getting tougher.
However fast regulation moves, technology moves faster.
Especially as far as data is concerned.
Companies today are using data in ways that were unimaginable when the current Data Protection Act was being drafted.
We’re talking about an era of no Google. No Facebook. Clunky desktop computers with less processing power than we all now have in our pockets and purses.
An era where you hailed a taxi in the street, and the only detail the driver knew was where to drop you off.
Today, Uber can look at a digital map of all their cars in real time, and track where you are even in the minutes after you’ve finished your taxi ride.
When the Data Protection Act was conceived, the idea of one company being able to see tens of thousands of taxi rides in cities worldwide was science fiction.
In the coming years, connected cars, fridges, ovens, and more will be designed to make our lives easier.
But if the past is any guide, they’ll also throw up issues which the legislation hasn’t foreseen.
Artificial Intelligence, machine learning and sensor technologies will do the same – growing the ‘internet of things’.
That’s a challenge for the regulator, but it’s a challenge to businesses who want to – who have to – comply with the law. We’re all going to have to change how we think about data protection.
New legislation
Least of all because there’ll be a new law to follow. The GDPR. For the uninitiated, in May 2018 we’ll have new data protection legislation, both here in the UK and across the EU.
The General Data Protection Regulation builds on the previous legislation: but provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data. And it puts an onus on businesses to change their entire ethos to data protection – something I want to focus on tonight. The message about GDPR is continuity and change.
There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone.
Data protection for accountants
And of course that includes you in the room.
On a basic level, your jobs involve handling personal data. Payroll info, employee details, people’s expenditures. It’s your responsibility to keep that information secure and ensure that individuals’ rights are respected, with the risk of enforcement action and damaging publicity for your company if you get that wrong.
The GDPR doesn’t change that. If anything, it places more onus on you to handle information correctly. For the businesses you work with, that includes keeping data secure by protecting it from cyber attack, a growing area of risk.
The government’s recent cyber risk survey found that whilst 69 per cent of businesses say their senior management consider cyber security is a very or fairly high priority for their organisation only half of businesses have actually taken action to identify cyber risks.
The ICO has already produced guidance for SMEs on IT security and I would also recommend consideration of the government’s cyber essentials scheme to assist in identifying the actions you need to take. You can expect to see more guidance on this in the context of GDPR.
The GDPR brings a change in the rules if you’re a data processor, processing personal data on behalf of another business – you’ll have more direct compliance responsibilities than under the current law.
But what I want to talk about today addresses more than what you do in your professional practice.
I know that for most businesses, you’re not just the people who do the accounts. You’re a source of advice, good practice, assurance and protection from risk.
You’re in a good position to explain to your clients and organisations how the issues I’m going to talk about today are a competitive advantage if they get them right.
That’s where I need your help. I hope that this talk is a starting point for discussions with the businesses you serve. I’m going to be talking a lot tonight about the importance of accountability. I’m hoping that you can then talk about this with your clients.
This is especially critical for the small business sector.
99% of the UK’s 5.5 million businesses employ fewer than 249 people, and the proportion is growing.
When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.
And it’s harder for me as a regulator to communicate with them. When I give an interview in the media about what a business should do to protect its reputation from data mishaps, I don’t know whether it gets through to the long tail of small businesses in this country.
At the ICO we understand the importance of clear and plain English guidance for SMEs – in areas such as direct marketing our guidance includes easy to follow guidance. We also use videos and social media to make our key messages more accessible. But we know that there is still more to do and we need to continue to listen.
The ICAEW members advise 2 million small businesses in this country. Many of you sit in the room with them every day. Hopefully what I set out today will help you to help them.
So I want to talk to you about what the GDPR will mean in practice. I want to explain why businesses have to get this right for their customers – why this is about more than legislative box ticking. And I want to explain how accountability is at the centre of all of this: of getting it right today, getting it right in May 2018, and getting it right beyond that.
GDPR
We know that the GDPR will need you to make some changes to the way you do things.
The GDPR is at root a modernisation of the law. Many of you will agree that the reform is long overdue. The world has changed a lot since 1995, not only technology, but business models, people’s attitudes to their data, their demand that their information is properly looked after. The law needed to change too.
The GDPR gives consumers more control over their data. Consumers and citizens have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it.
And they’ll have the brand new right to data portability: to obtain and port their personal data for their own purposes across different services.
The GDPR will include new obligations for organisations. Businesses will have to report data breaches that pose a risk to individuals to us at the ICO, and in some cases to the individuals affected.
They’ll have to ensure that specific protections are in place for transferring data to countries that haven’t been listed by the European Commission as providing adequate protection, like Japan and India.
Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data. A pre-ticked box will not be valid consent.
And finally the GDPR will increase regulatory powers. More on that later.
Accountability
But arguably the biggest change is around accountability.
The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.
I am proud to say that Canada has led the way in this area, so I’m well placed to comment on how this works in practice. And the answer is pretty damn well.
Canada was the first jurisdiction to write an accountability requirement in its data protection law, back in 2000. The legal requirement moves businesses away from the “paperwork of privacy syndrome” with policies collecting dust on a shelf, no one designated as a data protection lead, no up-to-date training, no risk assessments.
Data Protection Commissioners in Canada began to focus on policy advice, investigations and audits with an accountability focus – making it clear to organisations that the whole (a fulsome privacy management program) was greater than the sum of its parts.
In British Columbia, my regulatory office investigated a power company rolling out a smart meter programme, an auto insurance firm implementing facial recognition, the provincial ministry of health enhancing the use of data analytics. We didn’t just investigate whether these new specific initiatives complied with the law, but evaluated and reported out on how well organisations met their accountability requirements across the entire business. Their capacity and controls to assess privacy risk in all business processes.
And then we started to see a cascading effect. Peer companies adopting comprehensive programmes too. Businesses seeing the value of accountability to client relations and customer retention.
It’s a principle that quickly travelled across the Atlantic to become part of European data protection (with me following not far behind it).
The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time – such as privacy impact assessments and privacy by design – are now legally required in certain circumstances.
It means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the company’s overall systems approach to how it manages and processes personal data.
But this shift in approach is what is needed. It is what consumers expect. The benefit for organisations is not just compliance but also providing an opportunity to develop the trust of its consumers in a sustained way.
Consumers feel a loss of control
Because I think it’s clear that a lot people feel they’ve lost control of their own data.
People feel that keeping control of their most important information used to be simple, but that over the years, their sense of power over their personal data has slipped its moorings.
That sense of loss of control impacts their trust in businesses. The last ICO survey found 75 per cent of adults in the UK don’t trust businesses with their personal data.
Think about that. Three quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. I find that shocking.
Imagine if 75% of us didn’t trust businesses to be honest about pricing, or to keep their own service agreements. We’d say something fundamental had broken down.
Think back to the mid-nineties. This was a world in which most of us had a relatively straightforward, one-to-one brick and mortar relationship with each company we dealt with. If we wanted to bank, we went to the bank; if we wanted groceries, we went to the super-market.
Now there are more chains of companies online, more profiling and sharing of data, more consolidation of companies. Often times, an individual has no idea where their personal data could end up.
Take the cyber attack on TalkTalk in 2015 that you’ll have all read about. Names, addresses, dates of birth, phone numbers and email addresses of over 150,000 customers were compromised. 15,000 peoples’ bank details.
But a lot of the stolen data came from a database compiled over a decade earlier by pay-tv company Tiscali, which TalkTalk acquired in 2009.
Nobody who gives their bank details to a small pay TV company a decade ago would have imagined they might be stolen years later from a telecoms firm.
But this example understates the loss of control.
In the early years of this decade, many of us downloaded a little-known messaging app called WhatsApp.
Take it from a Canadian living in Cheshire with family scattered across the world, WhatsApp is a great way to keep in touch.
Of course it requires access to a good deal of sensitive data, least of all your phone contacts.
It’s not hard to imagine a situation in which someone would store a number which is pretty sensitive, like the number of a counsellor or an addiction clinic.
Now, there are already millions of people around the world who share more information with Facebook than they tell their friends. Even if you’re careful about what you post, its location settings can still show where you were, for example, and how long you stayed.
So when Facebook bought WhatsApp, and then WhatsApp last year notified users of its intention to share some data with Facebook, users were concerned.
The worry some customers could be facing is what picture might be painted if the company chooses to put the two sets of data side by side.
As the data protection regulator, we’ve got a role to play: we’ve set out the law clearly to Facebook and WhatsApp. We’re pleased that they agreed to pause plans for some data sharing.smith We asked both companies to sign an undertaking committing to various improvements, and discussions on this, both from our office and alongside other data protection authorities across Europe, are ongoing.
But none of that changes how some consumers will now think of WhatsApp. Those who were happy with the data deal they’ve agreed with one service, happy with the deal with a second, but taken by surprise when the two services come together.
Surprise minimisation
I think that goes to one of the real foundations of good data protection accountability: surprise minimisation. What are people expecting you to do with their data? That isn’t just about having a good, clear privacy notice at the outset, but also about having customers’ trust that you won’t change your mind and do something different.
Because isn’t having customers’ trust a cornerstone to good business? Isn’t that intangible relationship with customers: loyalty, trust, repeat customers, something most companies want?
Let’s talk about Google, given they’re speaking to you next. Few companies better symbolise how our relationship with data has changed over the past two decades.
When it was incorporated in 1998, Google was a search engine – its mission was to ‘organise the world’s information and make it universally accessible and useful.’
Today, Lanah’s company doesn’t just do search. It also filters news and books, it has a social network, it offers Streetview, calendars, email, analytics, a browser, videos; it does phone software, phone hardware, self-driving cars, and artificial intelligence.
But it’s a good symbol too of how consumers’ attitudes have changed. When the search engine started getting cleverer, remembering that when you Google Oasis you’re interested in the clothes store and not the band, that was helpful. Consumers appreciated it. But when people started seeing adverts on Google for sites linked to places they’d looked for on Google maps, or videos they’d watched on YouTube, some started to feel less comfortable.
Several European regulators have taken enforcement action against Google over data protection issues, including the ICO, notably about unnecessary info gathered as part of the Streetview project.
But I met with Google recently, and they’re setting out their data governance infrastructure, their streams of work to be ready for the GDPR. They’re looking to up their game, and to put in place that culture of commitment to data protection.
The proof, of course, will be in the pudding, but it’s a positive sign. So why the push on this from Google? Maybe they’ve grown tired of regulator action. Or maybe they’ve seen the business advantage of showing customers you’re handling their personal data properly.
Accountability as a business benefit
Because I think it’s clear some businesses will thrive in this changing environment. They’ll be the ones that look at this whole issue with a mindset that appreciates what consumers want. What consumers expect.
Today, many companies think data protection is just about ‘compliance.’ It’s a mindset that says: ‘my job is to meet the legal requirements. As long as I tick the right boxes, we’ll be OK’.
But to meet the challenges I’ve described, we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.
Not just because it’s the law, but because it’s part of basic good business practice, like honest pricing or good customer service.
Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.
That’s the carrot for getting it right. And there’s a pretty big stick too.
I mentioned earlier that the GDPR will increase regulatory powers.
For the most serious violations of the law, my office will have the power to fine companies up to twenty million Euros or four per cent of a company’s total annual worldwide turnover for the preceding year.
In an ideal world we wouldn’t need to use those sticks, but policy makers are clear that breaches of personal privacy are a serious matter. Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use.
And our enforcement powers aren’t just for ‘typical’ data breaches, like laptops left on trains or information left open to a cyber attack. The GDPR gives regulators the power to enforce in the context of accountability – data protection by design, failure to conduct a data protection impact assessment, DPOs and documentation. If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.
The future
I’ve spoken a lot about GDPR and what businesses can expect in the future, but let’s acknowledge there is uncertainty too.
The big question is what happens when the UK leaves the EU. The legal relationship answers are for government to give – I’m a regulator, independent of government – but they’ve made it clear that EU law will remain UK law, until the government sees fit to repeal it.
Of course it’s possible that in the years after the UK leaves the EU, Parliament will debate amending the requirements of the GDPR.
If that happens, we’ll be at the centre of any conversations around this, and will be banging our drum for continued protection and rights for consumers and clear laws for organisations. The government will also need to answer the question about whether the UK will seek to keep the UK’s data protection law at an equivalent standard to the EU, to allow unrestricted data flows with EU countries. We need strong data protection laws to achieve all that.
This is also an uncertain time because the courts have called into question the transfer of data abroad.
For fifteen years, the European Commission allowed data to be transferred to any US company which was part of an agreement known as Safe Harbor.
That changed in October 2015, when the Court of Justice of the European Union ruled that the European Commission’s Safe Harbor decision was invalid, citing concerns about how the US protects EU citizens’ data from access by US public authorities.
Safe Harbor has been replaced by the EU-US Privacy Shield, which is subject to a review in summer 2017.
While some people believe that the substance of the agreement may be challenged by data protection authorities or through the courts, the advice for businesses is that Privacy Shield is a legitimate basis for transferring personal data to the US. The ICO welcomed the additional safeguards it provided compared to the previous safe harbour arrangement.
It sits alongside other ways of making sure you’re transferring personal data to countries including the US legally – including binding corporate rules and standard contract clauses – all of these options are explained in detail on the ICO website.
Accountability and the future
If businesses are looking beyond the current laws, and are trying to future proof themselves against changing or uncertain legislation, the answer takes us back to accountability. I make no apologies for returning to this. It is that important.
Having the right mindset towards data protection helps to future proof a business. It will put it in the right place to keep up with legislation. And if your clients adopt this mindset, and communicate it, consumers will know the companies are building privacy by design into their products and services, third party arrangements and future uses of data.
Action you can take to prepare for GDPR
Now, I’m conscious I’ve talked a lot about changing business cultures. Many of you are in the room for a lot of conversations around business practices, and I know you are looked to for advice on how to follow the law, so you’re well placed to be putting forward proposals to improve practices. But I know too that this is an intimidating challenge, and it can be difficult to know where to start.
So before I finish, I want to leave you with some practical takeaways. Something you can look at tomorrow so you’re better placed to advise your clients. Something you can look at next week. And something you can look at next month.
So what can you do tomorrow? The ICO’s website has a twelve step plan to help organisations prepare for the GDPR. It sets out advice around making sure key decision makers know the law around personal information is changing, documenting the information the business holds, and reviewing privacy notices.
There’s advice in there too around a few key areas of change in the GDPR, some of which may be relevant to your clients, such as dealing with subject access requests, consent for processing and handling children’s data. It’s only eleven pages, but by the end of tomorrow, it can leave you in a much better position to advise your clients.
Then next week, start getting a more detailed understanding of the new law. The ICO has just published an updated overview of the GDPR. It highlights the key themes of the new legislation, pointing to the similarities with the Data Protection Act, and explaining some of the new and different requirements.
There are sections in there on the principles the act is based on, the new rights enshrined for individuals, and also some detail on the derogations we might see, that allow for different countries to have subtly different laws. It will be a living document, with text added on different points as more guidance is produced, so familiarising yourself with it now, and reading the sections most relevant to your work, lays a solid foundation for offering advice around the law.
And next month, start taking the first steps towards understanding how GDPR expects businesses to put data protection accountability at the centre of their business processes. The overview has a useful section on accountability and governance, and will also point you in the direction of practical advice that should be useful to clients your advising.
I’d particularly recommend the code of practice for conducting privacy impact assessments. These assessments will have a key role to play under GDPR where organisations look at new ways of using people’s personal data, particularly when that involves using new technologies.
It’s sixteen months until the new regulation is in play. The ICO will be here to help along the way. We’ll be producing guidance, as well as working with our counterparts across Europe, who have already issued documents around aspects like data portability and the role of data protection officers. There’s a roadmap of what to expect and when on the ICO website.
As well as the guidance on our website, there’s the helpline I mentioned earlier, and a team dedicated to offering audit and good practice visits. That’s an area of our business we’re expanding to match the changes in the GDPR, building a new assurance function and team that will offer help and support for Binding Corporate Rules for international transfers, audits, accountability reviews and certification.
Conclusion
Because it’s important for all of us that we get this right.
I’ve talked tonight about the sense people have that they are losing control of their data.
As a regulator, it’s one of my jobs to turn that around, to start re-establishing that trust.
The GDPR gives us all greater power to do that. Not just in terms of a bigger sticks for those who get it wrong, but in presenting an opportunity for every organisation to reconsider their data protection approach.
I want organisations to think to themselves: “we base our online user experience around what consumers want. We shape our products and services around what consumers want. We need to shape our data protection approach around what consumers expect.”
It’s something, as a regulator, I’ll demand of businesses. It’s something consumers increasingly demand.
I hope after hearing me today you’ll be convincing your clients of it too. And you’ll know where to point them to get them heading in the right direction.