As understatements go, this from Elizabeth Denham, the UK Information Commissioner, takes some beating:
It’s been an eventful few weeks.
As Denham is the woman who has the last word on data protection in the UK, she has been at the helm as the Facebook/Cambridge Analytica scandal exploded, weeks before GDPR (General Data Protection Regulation) ushers in major regulatory changes for which all too many organizations seem alarmingly unprepared, if the rash of surveys and studies is anything to go by.
Denham has been UK Information Commissioner since July 2016, having previously held the positions of Information and Privacy Commissioner for British Columbia, Canada, and Assistant Privacy Commissioner of Canada. Given that background, the fact that she comes across as phlegmatic about the sudden heightened focus on data privacy is perhaps unsurprising:
You know the saying – may you live in interesting times. That could be a blessing or a curse – wishing that the intended’s life be inflicted with danger and chaos or, as I prefer, opportunity and challenge. However you choose to look at it, these are, indeed, interesting times - and it’s interesting times that provide impetus for change.
One thing is certain. The dramatic revelations of the last few weeks are a game changer in data protection. Suddenly everyone is paying attention - the media, the public, parliament, the whole darn planet it seems. So let me tell you this as someone who has worked in the field of data protection for over 20 years: there has never been a more important time to be involved in data protection.
The elephant in the room, of course, is Facebook, whose CEO Mark Zuckerberg last week confirmed that while he’s not up for appearing before UK legislators in Parliament, he is ready to let the ICO in the UK conduct its own inquiries into what happened with Cambridge Analytica and report back.
This is clearly important, but Denham is keen to make sure that the debate doesn’t get too narrow in its scope:
It’s been hard to miss the expose of Cambridge Analytica’s alleged use of personal data in election campaigns including information gathered from Facebook. It’s worth remembering that this is one part of our larger investigation into the use of personal data analytics for political purposes by political campaigns, parties, social media companies and others.
Our enquiries involve 30 organizations and, as has been reported, we’re investigating Cambridge Analytica, Aggregate IQ and, since February, Facebook when concerns were heightened. Our investigation will be measured, thorough and independent and only when we reach our conclusions based on the evidence will we decide if enforcement action is warranted.
On that last point, Denham has a very clear view of where responsibilities begin and end when it comes to such enforcement, describing the data protection practitioner across all sectors “not just as a guardian of privacy but as an ambassador for the appropriate use of personal data in line with the law”.
But when it comes to the law itself:
Ultimately it is up to regulators to take action against those that disregard the law.
As of yesterday, there are 46 days until the introduction of GDPR. If that wasn’t scary enough, Denham points out that this actually means 33 working days! So leaving Facebook et al to one side (if that’s possible), there’s a lot going on with the ‘day job’ at the ICO in relation to GDPR:
As a data controller we must be prepared for the GDPR like anyone else but, for the ICO, 25 May means we must be ready to regulate the GDPR. That’s an additional challenge…We’re expecting more of everything. More breach reports because the law requires it in high risk cases. More complaints, because people will be better informed of their rights. Greater engagement as organizations turn to us for advice at the outset.
What’s not on the cards, though, is a sudden increase in tough enforcement, despite all the scare stories about organizations being fined 4% of revenue for GDPR breaches. Denham explains:
Enforcement is a last resort. I have no intention of changing the ICO’s proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organizations that persistently, deliberately or negligently flout the law. Those organizations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action.
And any penalties will not necessarily be of the monetary variety, she adds:
When we do need to apply a sanction, fines will not always be the most appropriate or effective choice. Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organization processing data. None of these will require an organization to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line.
As for that rapidly approaching date in May, Denham’s message is not to panic:
For those that still feel there is work to be done – and there are many of those too – I want to reassure you that there is no deadline. In fact, it’s important that we all understand there is no deadline. 25 May is not the end. It is the beginning. This is a long haul journey. But it’s not a holiday. There’s a lot of work to be done along the way.
At the end of the day, argues Denham, it’s essential to remember that data protection policy and regulation should be about people’s best interests:
I believe the public should be and is at the heart of everything we do. It’s why we’re conducting our investigation into data analytics for political purposes – because it’s important that the public is fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy. The GDPR has people at its centre too. It gives people new and strengthened rights that, together, give people choices about how their data is used, shared and stored.
Common sense, spoken eloquently. Denham is a very, very safe pair of hands at a time when we all stand, as she puts it:
days away from the first day of a new era for data protection.