Information rights and responsibilities, with the Information Commissioner
Thank you for that kind introduction.
Forgive me for being a bit of a tourist. You may be aware that my office is based in a small town called Wilmslow in Cheshire. So even though I am often in the capital, I haven’t developed my London Cool, yet.
I still find it remarkable that, just this morning, for example, when I was essentially on my way into work, I walked past landmarks that millions of people travel across the world to see. Trafalgar Square, St Martin-in-the-Fields, the National and Portrait Galleries. And, of course, just a stone’s throw from these rooms, Buckingham Palace.
Queen Victoria was the first monarch to live there. And today is the anniversary of her state funeral – 117 years ago.
So long ago, and yet that time – and the 60-odd years before it – are synonymous with progress, reform and innovation.
Fitting then that as February 2 1901 marked the end of that era, I am here to talk to you about the beginning of another.
On 25 May – a mere 112 days away – the General Data Protection Regulation comes into effect.
It is the beginning of something new, but it is an evolution of what’s gone before. It builds on what was good about the Data Protection Act and brings it in line with our 21st century world.
GDPR rebalances the relationship between individuals and organisations.
It gives greater control to people about how their data is used and it compels organisations to be transparent and account for their actions.
As individuals, most of us applaud a stronger framework. As heads of agencies, some of you may have a different view.
Those organisations that thrive under the new rules will see the GDPR as an opportunity to commit to data protection and embed it in their policies, processes and people.
Those that merely comply, that treat the GDPR as another box-ticking exercise, miss the point. And they miss a trick.
Because this is about restoring trust and confidence. Only one in five people in the UK trust organisations to look after their data. That’s not good enough.
The GDPR is an opportunity to reset the equilibrium.
But the GDPR is just part of the reform. The government’s Data Protection Bill brings the GDPR into UK law and tackles some of the details over which we have discretion.
You may like to know that the ICO will shortly be publishing an overview – a road map if you like – to help organisations navigate the Data Protection Bill.
But there’s more. Add in the law enforcement directive, which sets out how we’ll tackle crime across borders, the NIS directive, which sets out reporting rules for organisations that suffer a cyber attack, and the e-privacy directive, which sets the rules for direct marketing via phone, text and email. That’s quite a substantial suite of data protection changes.
My office is working in a new age of data protection, where this government and others around the globe have recognised that personal data is the fuel that powers so much of what makes our economy, our home life and our public services function.
The UK is a leader in data protection – it’s one of the things that attracted me to this job – and the government has made clear its intention that we retain our world-class status as well as making the UK the safest place to be online.
That’s a huge challenge for my office. But we have to deliver.
I am strengthening my team in number and expertise and we’re moving the ICO to a place where we can deliver our new responsibilities and obligations to organisations and, importantly, the public. Earlier this month, the Treasury provided the ICO with pay flexibility for the next three years – this is critically important to be able to retain our expert staff and attract new technologists, lawyers and auditors.
We’re expecting more of everything. More breach reports because the law requires it in high risk cases. More complaints, because people will be better informed of their rights. Greater engagement as organisations turn to us for advice at the outset.
And technology is not standing still. I’ll be honest – we’re still figuring out how we’re going to carry out some of our functions.
Things like auditing algorithmic decision making and tackling some of the ethical issues around AI and machine learning that sit just outside the letter of the law.
The ICO is up to the challenge. In the last year or so we have addressed issues about the way charities handled the personal data of their donors and supporters. We are currently looking at universities for similar practices. We’ve taken action with some of the biggest names in tech – Google, Facebook, Yahoo.
And you may know my office is currently investigating the use of data analytics in political campaigning particularly around the EU Referendum.
I started my role two weeks after the referendum vote – I had not anticipated the massive impact the result would have on politics, society and debate. Since my arrival, there has been a strong focus on what will happen post-Brexit. Data protection is a significant policy area in Brexit negotiations.
How will personal data flow freely to ensure we can continue to trade, undertake medical research or execute our law enforcement responsibilities when we are no longer part of the European Union?
I am in close dialogue with government and others about proper protection for consumers and citizens, certainty for businesses and strong, independent oversight of the law.
So it’s against this backdrop that I speak to you today. And what do I, as the regulator, expect from you?
Well, by now I hope your preparations for the GDPR are well underway. That you’ve put in place key building blocks to ensure your organisation implements responsible data practices.
I won’t ask for a show of hands …
Look I know you know about data protection. You’ve been doing it for years.
This is your strength. But it could also be your greatest weakness.
Sometimes when I speak to the private sector, I can sense the panic, but also the incentive to get it right. So many businesses feel like they are starting from scratch – it’s one of the reasons why we’ve set up helplines and targeted resources to help them prepare.
Sometimes when I speak to the public sector, I can sense complacency. Because you know data protection. It’s been part of the furniture for years.
Now it’s time to redecorate.
This is a critical time to refresh your policies and processes, to upgrade your staff training and revisit your approach to data protection.
The tone has to come from the top. This is about commitment over compliance.
It is up to you and your boards and your leadership teams to foster a culture of transparency and accountability as to how you use personal data.
Equip your staff with the training and tools they need to get data protection right. Demonstrate to them that data protection is not a box-ticking exercise but a commitment to people that you will handle their personal data with care and respect.
You have a head start. Our last survey showed that people in the UK are more likely to trust public bodies with their personal information than private companies.
That’s something to build on.
And this is probably a good time to mention accountability. This is the most important aspect of the GDPR I believe.
The new legislation creates an onus on organisations to understand the risks that they create for others, and to mitigate those risks.
It’s about moving away from the paperwork of privacy, and instead, working on a framework that can be used to build a culture of privacy that pervades your entire organisation. Putting people in the centre of the design of your services, and particularly in the adoption of new technologies.
But this shift in approach is what’s needed. It’s what consumers and citizens expect.
The benefit for you is not just compliance but also providing an opportunity to develop the trust of the people you serve in a sustained way.
Soon I’ll be publishing a blog setting out what I think are the building blocks – the essential steps – for developing accountability in an organisation. Things like leadership, responsibility and due diligence.
The GDPR mandates organisations to put into place comprehensive but proportionate governance measures.
Good practice tools that the ICO has championed for a long time – such as data protection impact assessments and privacy by design – are now legally required in certain circumstances.
Let’s talk about resources – something else that sets you apart from the private sector. I know they are tight. The ICO is a public organisation too so, believe me, I understand the constraints.
But I ask you to consider the risks. Think of the true cost of a cyber breach, for example.
It will cost you money but it will also cost you your reputation, trust, social licence. This is collateral damage.
Yet most cyber breaches and attacks are preventable. The high profile attacks on TalkTalk and Carphone Warehouse would not have happened if they had put rudimentary protections in place. And if NHS systems had been patched and up to date, they would have been protected from WannaCry.
We make a mistake if we throw up our hands and worry about state sponsored attacks – we know those are rare.
You should be worrying about the malicious kid in his bedroom who hacks into your system because he can. Or the opportunistic thief who understands the value of the data you hold and knows how to get his hands on it. Because you left the door wide open.
Soon we will launch our first ever technology strategy that sets out our plans for the future.
It’s one of the commitments I made in the ICO’s Information Rights Strategic Plan – my priorities for my five year term.
Technological advances and privacy rights can work together to create true trust and data confidence.
And for practical help, look out for new guidance that we’ve written with the National Cyber Security Centre, to be published soon.
So, there’s a lot for you to be getting on with.
And what can you expect from me?
Well, the ICO is a risk-based, proportionate regulator. Yes the GDPR gives me greater sanctions and tools for those that flout the law – those that play fast and loose with the personal data that’s been entrusted to them.
But there is a carrot as well as a stick. And I have always preferred the carrot.
At the ICO we love an e-word. Yes enforcement is in there – but it comes after education, engagement and empowerment.
We want you to get this right. Because if I am to achieve my aim of improving public confidence in the way their personal data is handled then I have to take defensive action. Prevention is better than cure.
We’ve provided a whole suite of resources on our website – guidance, checklists, sector-specific FAQs – to help navigate through the new law. We’ve just published some useful advice for local authorities about reporting personal data breaches.
And our guidance around using Public Task as a lawful basis for processing was published a few days ago.
And we offer more than the written word. We run voluntary audits to check you’re on the right track and to identify weaknesses or red flags before they cause real problems. No strings and it’s free.
And we’re developing a so-called sandbox, a safe place for companies and public bodies to test the data durability of their innovations.
I will say to you what I have said over and over again – did you know today was Groundhog Day, by the way?
I am going to repeat myself in honour of the occasion – it’s not privacy or innovation, it’s privacy and innovation.
You can expect that the ICO will uphold the law and that I will stand up for the rights of UK citizens.
While there will be no grace period – you’ve had two years to prepare – I know that when 25 May dawns, there will be many organisations that are less than 100 per cent compliant.
This is a long haul and preparations will be ongoing. But if you self-report a breach, engage with us to resolve issues, and can demonstrate effective accountability arrangements, you will find us to be fair.
Enforcement will be proportionate and, as it is now, a last resort.
Data protection is a critical part of ensuring you have the social licence to innovate with data – you have to take the people with you.