momius - stock.adobe.com
The Information Commissioner’s Office (ICO) is working in a new age of data protection, according to information commissioner Elizabeth Denham.
The UK and other governments around the world fully recognise that personal data is the fuel that powers so much of what makes the economy, home life and public services function, Denham told the Direct Marketing Association (DMA) Data Protection 2018 event in London via video link.
“I am currently in Wilmslow with my team preparing for an unexpected parliamentary appearance,” she said. “It is complex and important and I need to give it my full attention.” She gave no further details.
While the EU’s General Data Protection Regulation (GDPR) is an essential piece of legislation in the new era of data protection, it is just part of the picture, said Denham. “The [UK] Data Protection Bill brings the GDPR into UK law and tackles some of the details over which we have discretion,” she said.
“And Brexit, of course. My office is fully engaged with government and others about proper protection for consumers, certainty for businesses and strong, independent oversight of the law.
“And that’s not all. You have to add in the law enforcement directive, which sets out how we will tackle crime across borders, and the NIS directive, which sets out reporting rules for organisations that suffer a cyber attack.
“And, of course, the one you’ll all be waiting for, the e-privacy regulation, which sets out rules for direct marketing via phone, text and email.”
Until the e-privacy regulation comes into force, the current Privacy and Electronic Communications Regulations (PECR) will sit alongside the GDPR, which means electronic marketing will require consent, said Denham.
“Yes, there is potential to use legitimate interests as a legal basis for processing in some circumstances, but you must be confident that you can rely on it,” she said. “It seems to me that a lot of energy and effort is being spent on trying to find a way to avoid consent. That energy and effort would be much better spent establishing informed, active, unambiguous consent.”
Marketers are concerned that the new regulations will result in the loss of customers, but Denham said she believes the new rules will bring better engagement with customers, enabling marketers to be better able to direct more targeted marketing to them. “You will have complete confidence that your customers have given informed consent,” she said.
The GDPR gives people new rights, said Denham. “In total, there are eight individual rights and, together, they give people choices about how their data is used, shared and stored,” she said.
But if people do not know they have these rights, they will not know how to exercise them, she said, and if they remain uninformed, companies could “play fast and loose with the law”, knowing that they are unlikely to be tested, which is why the public cannot be forgotten.
However, Denham said people could be drowning in educational material from all the organisations with which they have a data relationship, and those organisations could be duplicating effort because they are tackling the same issues of awareness and understanding.
“There is an alternative,” she said. “And that is for UK organisations, public and private alike, to take a collaborative approach and work together with the ICO to develop baseline educational messages about data protection reform for UK citizens. Messages that will help raise awareness, but also increase trust in a data-driven world.”
Denham said there had been an “extremely positive” response to the ICO’s invitation to work collaboratively. “Work has been progressing at pace with true cross-sector participation [including the DMA] to get messages and materials prepared that you can refer to or use directly in your own communication activities,” she said.
She noted that despite the fact that the GDPR compliance date of 25 May 2018 is fast approaching, the mood among data-handling organisations is more settled because their preparations for GDPR are well under way, making the new laws seem less daunting.
“Some organisations are beginning to embrace the GDPR,” said Denham, “seeing it for the opportunities it presents rather than the perceived barriers it throws up.” She urged organisations to make use of the continually growing sector-specific guidance available on the ICO’s website.
This guidance will soon include an overview of the Data Protection Bill in response to feedback from UK organisations that the coming legislation is complex and confusing, and tools specifically aimed at micro businesses employing fewer than 10 people.
Denham said the ICO will provide details of its new regulatory action policy in April, setting out the ICO’s commitment to exploring innovative and technologically agile ways of protecting privacy, strengthening transparency and accountability and protecting the public in a digital world.
“It sets out our approach to help create a regulatory environment where data subjects are protected and businesses are able to operate and innovate efficiently in a digital age,” she said. “These two must go hand in hand – privacy and innovation.
“Support, education and guidance is at the heart of our regulation, but it is backed up by tough action where obligations are not met or ignored.”
Denham pointed out that the more serious, high-impact, deliberate, wilful or repeated breaches can expect the most robust response. “We will also reserve our strongest sanctions for breaches involving novel, technological approaches that present a high degree of intrusion into people’s privacy,” she said.
In conclusion, Denham said she had spoken a lot about change, progress and growth – “how we all need to do things differently to meet the requirements of data protection reforms”. She added: “But you have to take the people with you. This is change. This is change for the good.”