Innovation is not sustainable without public trust and confidence, according to UK information commissioner Elizabeth Denham.
“The EU General Data Protection Regulation [GDPR] is really about people, and about taking people with you as you develop services; it’s about accountability and transparency,” she told analytics and other data professionals at a DataIQ event in London, where she was named most influential person in data-driven business for 2018.
“I think all of you know that, and you are exemplar companies that I deeply respect for consulting with our office and doing the right things by the data subjects,” she said, “to build the trust and confidence that is essential for innovation in products and services.”
Denham said she has been inspired by the UK’s leadership in innovating with data and services while reflecting the values of respect and accountability through the responsible use of data.
“The UK government has committed to retain the highest data protection standards, because they understand that if we are going to have an industry that is sustainable, you need to take people along the way, so the trust and confidence is really important,” she told Computer Weekly.
If a brand loses trust and confidence, it will not be able to innovate, and people will switch to other suppliers, said Denham. “Consumers care deeply about the trust they can place in organisations to tell them what is happening with their data, to secure the data and to use it responsibly.”
But despite the UK’s leadership position, not every organisation understands the importance of consumer trust, she said. “But there are enough exemplar companies and leaders saying the same thing, so the message is definitely getting out there.”
That said, Denham indicated that the Information Commissioner’s Office (ICO) will continue to push the message, but expressed frustration that she is unable to “give a shout out” to the companies that are doing this extremely well.
“But we will find ways through our grants programme [launched in June 2017] and other initiatives to recognise the leaders in the data field,” she said, adding that the UK’s leadership in getting the balance right between innovation and privacy is one of the things that attracted her to the job of information commissioner.
Other initiatives that give organisations the opportunity for recognition will be programmes developed with organisations such as DataIQ to recognise privacy ambassadors, who are doing good work in areas such as privacy by design, but an ICO-backed GDPR certification programme is a top priority.
The certification programme, currently under development, will enable companies and organisations to gain recognition for good data protection practice, said Steve Wood, deputy commissioner for policy.
He said certification is likely to be done through ICO-accredited third-party bodies and can be a way for companies and organisations to demonstrate that they are taking data protection seriously, even going above and beyond the base requirements for compliance.
The ICO plans to consult widely around certification in 2018 and will begin publishing its planned approach, with the programme currently expected to be in place some time next year.
Asked why the certification programme was not on track to be up and running sooner, Wood said certification is not a GDPR requirement from 25 May 2018, so the ICO has been focusing on core requirements, such as having a data breach notification mechanism ready for the compliance deadline.
“Also, certification is new to the data protection industry, therefore quite a lot of work has to be done about how we set the standards for how the accreditation process will work,” he said. “In five years, it will be a really crucial part of what the ICO is doing, but it is going to take time to build up.”
In her speech at the DataIQ 100 event, Denham said that a year ago, most organisations were gripped with fear and trepidation about compliance with the GDPR. “But it seems like there has been a turning point since then, with a new attitude, and what I hear is acceptance of the GDPR,” she said.
“Beyond that, leading companies are not just thinking about compliance, but demonstrating commitment to putting the data subject – the customer, the consumer, the citizen – at the centre of services, which is what the GDPR is really all about.
“It is about taking people with you as you develop your services and your data analytics. It’s about accountability and transparency – and leading companies and organisations understand that.”
Not an accurate picture
Asked whether she is disappointed that fewer than half of UK businesses and charities are aware of the new data protection laws, according to a government-sponsored poll conducted four months before the GDPR compliance deadline, Denham said the poll does not give an accurate picture of the uptake of GDPR compliance, and that, on the positive side, the numbers are going up.
“The numbers are going in the right direction, but when it comes to the millions of really small and micro organisations, many of those companies have very few employees, and they may not be aware of all kinds of laws – the GDPR aside,” she said.
“However, for companies that are data-driven, they certainly know about the GDPR, and the latest surveys show that the companies that are fairly far along in terms of GDPR preparedness are mostly data-driven companies. So those companies that really need to know about the GDPR are getting the message, but the corner garage that is fixing cars might not.”
For the past year, said Denham, the ICO has been focused on education to raise awareness and understanding of the new regulations, and giving organisations the tools and guidance they need.
According to Wood, the Guide to the GDPR published by the ICO in 2017 has been downloaded more than two million times.
Whenever there is a new law, said Denham, it takes time for the jurisprudence and interpretation to settle in. “And even before we have reached the compliance deadline, there is a lot of guidance available,” she added.
Wood pointed out that the ICO has even published draft guidance on things like consent ahead of European-level guidance.
“We are saying that consent is clearly a high standard, and it is moving to an opt-in culture, but we have set that out in the draft guidance, so there is no excuse for organisations to wait before taking action to move away from the old way of doing things,” he said.
“They need to think about it positively, because a high standard of consent is going to result in good-quality data and translate into a higher level of trust from customers.”
For leading companies, however, Denham said the changes introduced by the GDPR will not present much of a problem because the regulation simply upholds the good practices that these companies have been following for some time already. “In a way, the GDPR is catching up to where customer and individual expectations are,” she said.
EC adequacy ruling
An adequacy ruling from the European Commission on the UK’s data protection capabilities is the aim of the UK government’s decision to align coming UK data protection law with the GDPR as closely as possible, to ensure the unhindered flow of data between the EU and the UK post-Brexit.
However, Privacy International and other rights groups have repeatedly raised the issue of indiscriminate bulk data collection that is allowed under the controversial Investigatory Powers Act, which they believe is a potential stumbling block in any adequacy ruling by the EC.
Asked whether the ICO is working with the UK government on this issue, Denham said the ICO is consulted by, and is advising, the government and parliament on various scenarios and challenges around frictionless data flow post-Brexit.
“We are certainly in the mix, and I have appeared before various committees in the House of Lords and the House of Commons talking about the issue, which is challenging because the [Brexit] negotiations have to deal with data, but they have to deal with a lot of other policy areas as well,” she told Computer Weekly.
“But the fact that data underpins so much activity, both in the commercial and the law enforcement sectors, has the attention of government. So they are looking at it very seriously and they have sought our advice. But at the end of the day, the decision about adequacy is the EC’s decision and it is based on a comprehensive review of all the laws relating to data.”
In March 2017, Denham told the House of Lords EU Home Affairs Sub-Committee that having an adequacy finding in place soon after Brexit is challenging, but she said the UK government may be able to negotiate a transitional arrangement. Avoiding a “cliff edge” at Brexit, she said, would be in everybody’s best interest.
Failing such a transitional arrangement, she said companies will have to rely on standard contractual clauses and binding corporate rules to ensure data flows continue between the EU and UK until an adequacy finding is achieved.