Brexit has thrown ICO plans into flux, admits information commissioner

The ICO is working to ensure that the UK's post-Brexit data protection law is progressive, stands up to scrutiny and provides stability, says information commissioner Elizabeth Denham

The UK’s information commissioner has admitted that the European Union (EU) referendum result has thrown the data protection plans of the Information Commissioner’s Office (ICO) into a state of flux.

Breaking her silence on Brexit and the EU data protection regulations, Elizabeth Denham sought to reassure UK business and clarify the ICO’s strategy in her maiden speech at the Personal Information Economy (PIE) 2016 conference in London.

“I do not believe data protection law is standing in the way of your success. It’s not privacy or innovation – it’s privacy and innovation,” Denham told attendees of the conference organised by digital economy business consultancy Ctrl-Shift.

“The personal information economy can be a win-win situation for everyone. Get it right, and consumers and businesses benefit,” she said. 

However, Denham emphasised that consumer trust is “essential” to achieving growth, and is best achieved by following the law and the principle of privacy by design, which builds privacy considerations into projects from the beginning.

Noting that an ICO survey in the first half of 2016 revealed that only one in four UK adults trust businesses with their personal data, she said that if three-quarters of customers are suspicious about a business’s methods, that business would be in trouble.

Denham, who has worked as a regulator of privacy rights and information access for more than 12 years in Canada, said one of her main aims is to stay relevant to citizens and consumers.

“The fundamental objective of my five-year term as commissioner is to build a culture of data confidence in the UK,” she said, noting that privacy law can give both consumers and business a lens through which to assess the opportunities and threats of a new technology or approach.

Consumer fairness and business confidence

Denham said the ICO is looking to UK companies to lead the way and would like to hold companies up as examples of how privacy and technology can work for consumers.

“The ICO will do its bit by focusing our advisory, education, investigatory and enforcement work on consumer control, transparency and fairness,” she said, but warned that the ICO has powers to issue fines of up to £500,000, which could rise to 4% of a business’ global turnover.

“In an ideal world we wouldn’t need to enforce [fines], but we will use the stick in the cupboard when necessary. Remember it’s not just about the money – it’s about your reputation too, with your customers, the public and in the media spotlight,” said Denham.

To help boost confidence in organisations’ use of personal data, she said the ICO is building on its capacity for technology by analysing and researching more, and embedding technology into the future of the ICO.

“We are also seeking partnerships with universities and we aim to support research into privacy by design solutions. I am creating a position of chief technology advisor to help with this, and extending the technology team by hiring talent,” she said.

The ICO will choose its investigations carefully to make sure they are relevant to the public, said Denham, so that the results can cascade across a sector.

“Technology is at the forefront of most of our major investigations – on Friday 23 September, we stepped in to ask questions about the Yahoo data breach involving eight million UK accounts,” she said.

“We are also currently reviewing data sharing between WhatsApp and other Facebook companies – all of this is about transparency and individual control.”

Denham warned that the ICO expects to see organisations taking responsibility for their actions, despite the pace of technological change, saying it is up to individual businesses to understand the risks they are creating for others, and to mitigate them.

“The exponential opportunities of data give you a position of power and with that comes great responsibility. If you want to innovate using personal information, you need to take that responsibility seriously,” she said.

GDPR and building trust

Denham said that while the EU referendum result had made her job more challenging, the ICO is well prepared and will continue to provide advice and guidance around the EU’s General Data Protection Regulation (GDPR).

Denham said it is “extremely likely” that GDPR will be live before the UK leaves the EU. “The GDPR is already in force, it is just that member states are not obligated to apply it until 25 May 2018,” she said.

Denham said all UK companies that want to do business in the EU will have to comply with the GDPR. She added that the major shift in the law is about giving consumers control over their data, which ties in with building trust and is also part of the ICO’s philosophy.

“No matter what the future legal relationship between the UK and Europe, personal information will need to flow. It is fundamental to the digital economy,” she said.

“In a global economy, we need consistency of law and standards – the GDPR is a strong law and, once we are out of Europe, we will still need to be deemed adequate or essentially equivalent.”

When the UK leaves the EU, which is likely to be 2019 or later, a new data protection law will need to be in force, said Denham.

“I’m having active discussions with ministers and senior officials in government, and have transmitted our view on the future of data protection law,” she said.

“We believe that future data protection legislation, post Brexit, should be developed on an evolutionary basis, to provide a degree of stability and clear regulatory messages for data controllers and the public.

“The aim here is not a data protection regime that appeals because it is overly lax or ‘flexible’. The aim is a progressive regulatory regime that stands up to scrutiny, that doesn’t leave the UK open to having rocks thrown at it by other regimes. And that has consistency and adequacy with Europe,” she said.

While regulators generally do not lobby, and ultimately work with the law that government provides, Denham said that when the conversation is about the future of data protection in the UK, the ICO is determined to be part of it.

“We have 30 years’ experience as a regulator in a changing environment. We don’t want to talk legislative minutiae, but to look at the key principles that should underpin the future of privacy law in the UK,” she said.
