As the opening act for the sold-out Data Protection Intensive here in London today, U.K. Information Commissioner Elizabeth Denham set to rest some of the common misconceptions she knows privacy professionals are losing sleep over as the countdown to the General Data Protection Regulation slinks near single-digits. It was perhaps strategic that before she delivered her message, she recalled her decade-long history in speaking to IAPP members as a regulator, presenting a photo of herself dressed in a professional ice-hockey jersey she wore for a light-hearted trivia game at an IAPP conference in Toronto.
The photo, which got a good laugh from the crowd, and the speech that followed, seemed aimed to alleviate and assure: Yes, as a regulator, we are more powerful come May 25. But we aren't sharpening our swords and waiting by the clock.
The approach to data protection, and the enforcement of it, should and will be the same 36 days from now as it ever was: Following the rules is the way to go. But if you fail there, yeah, there are going to be some problems.
"The aim of our office is to prevent harm, and we place support and compliance at the heart of our regulatory action," Denham said. "Voluntary compliance is still the preferred route, but we will back that up with tough action where it’s necessary. Hefty fines can and will be levied on those organizations that persistently, deliberately, negligently flout the law. Report to us, engage with us, show us your effective accountability measures, and if you do, that’s going to be a really important factor when we consider any regulatory action."
Obviously, the regulatory action many in the crowd were likely hoping Denham would address is the Facebook-Cambridge Analytica scandal. But, as things go, regulators aren't keen to comment on open investigations. She did offer that, in all, the ICO is looking at 30 different organizations, social media platforms, data companies, political campaigns and political parties "to pull back the curtain" and be able to understand how the use of personal data takes place in modern political campaigns, in the name of deciding whether the rules of the game are clear, how personal data is being used to micro-target specific populations via advertising campaigns, and what public policy changes the ICO should recommend.
More broadly, Denham said the ICO is preparing itself ahead of the changes the GDPR will bring and the demands they'll place on her staff.
"We are expecting more of everything. More breach reports, more complaints — because people are becoming more aware of their data protection rights — greater engagement with all of you ... I'm leading an ICO that's made up of incredibly committed people who are equipped to meet the challenges and opportunities that lie ahead of us."
But that doesn't mean there isn't plenty of work to do. Denham, whose budget will increase from 24 million GBP to 38 million GBP this year, has now got an office headcount of 520, but expects to increase that to 700 by 2020. Currently, she's got 200 case workers taking in complaints from the public and a 60-strong enforcement group, supplemented by a comparable number working on policy, guidance and assisting the general community. It's assistance that's clearly needed, as well: Denham noted its website's "Guide to the GDPR" has been hit 2.5 million times, and the ICO gets about 2,500 calls per week on its hotline dedicated to assisting small- and medium-sized businesses.
Looking forward, Denham said her office has identified three areas of focus: cybersecurity, artificial intelligence, and device tracking. While she's clear on priorities, what's unclear is where she fits into the new EU regulatory landscape under the GDPR, such as the European Data Protection Board. She couldn't foresee, when she took the gig as ICO, that Brexit was going to pass in June 2016. For now, the ICO is participating fully within EU institutions via the Article 29 Working Party as it creates guidance for eager-to-comply privacy pros. But what happens when Brexit becomes real come March 2019?
Denham's not sure. "Whether that's a seat at the table at the EDPB with voting rights, or some other form of relationship that is acceptable to the U.K. and the EU, the ICO is deeply embedded and committed to the EU regulatory community, and that's the message I've been giving to Parliamentarians."
But details aside, Denham asked the privacy pros in the room to "step back for a moment and remember why we are all doing this." It's about increasing public trust and confidence in the way their data's handled, she said.
"That's a very high priority for me, very high for our office, and I know it is for you too. I think recent revelations in the media have fired up the data protection debate, and so they should. I think across the world, people are beginning to wake up to the importance of personal data. There has never been a better time to be in data protection."
If you want to comment on this post, you need to login.