DP2017: The Information Commissioner Elizabeth Denham
22 Feb 2017
Elizabeth Denham was appointed as Information Commissioner in July 2016; she previously held the position of Information and Privacy Commissioner for British Columbia, Canada. In her first six months she has led investigations into Yahoo, Camelot, WhatsApp and Facebook.
Speaking for the first time at Data Protection since taking over from Christopher Graham in 2016, Elizabeth Denham says she wants marketers to "innovate with data but respect consumers."
She says, "DMA members are ICO customers - their work is our work. Follow the law and aspire to best practice, and hopefully I can help."
On the GDPR, she says, "This is a once in a lifetime opportunity to get it right. Never have we had the chance to get the attention of our customers, our board."
She went on to discuss the new powers given to the ICO in recent years.
"I stood by the commitment to use our new powers. Since April, we have issued £1.3m in fines, and at least that again in the pipeline. The transfer of TPS to ICO will make complaints more effective to deal with."
Rogue directors
She addressed the idea that directors of rogue companies should be made directly responsible for fines.
"Directors are ducking fines by going into liquidation. This is not a get out of jail card. One director was disqualified for 6 years for taking this route," she says.
"[Minister of state] Matt Hancock announced plans to make directors personally responsible which should happen in spring 2017. This has to be good news. It improves the public image of profession, and removes the bad actors undercutting you. That’s the work the DMA is committed to," she says.
She says the ICO's role is more than just regulation.
GDPR
"I’m often pitching. I want to talk about changes to best practice. And what we can learn from other sectors.
"GDPR is a modernisation of the law. So much has changed since 1985. Personal information has to be properly looked after and the law needed to change. It just took a long time.
"GDPR contains new obligations for organisations and there is a toughening or strengthening around consent. Businesses will have to prove they have it if they rely on it. Pre-ticked boxes are not valid consent. Will publish new guidelines in early March," she said.
Another important part of the GDPR changes relates to accountability.
"What is in the GDPR is a shift in focus. New legislation creates an onus on companies to understand the risks on others and to mitigate those risks.
"We have to move away from a box ticking exercise, and build it into business culture. This means taking account of what customers expect. The DMA [code] creates a higher standard than the law requires. Customer-business relationships are a value exchange and the benefits of getting this right are greater than legal compliance. Who doesn’t value customer trust?
"Think about surprise minimisation," she says.
"What are people expecting you to do with your data? It’s not just about having a good privacy policy but knowing you won’t change your mind later," she says.
Fundraising
The Information Commissioner explained the recent spate of fines for fundraising activity. "Our investigations were into practices to encourage donations, but not around PECR, not about whether they had permission to make calls, but serious contraventions of the Data Protection Act.
"These contraventions undermined the fundamental privacy of donors. Wealth screening. I’m talking about buying and selling lists of donors like they were a commodity," she said.
"Using personal data and ranking them based on what they earned would put them off donating in the first place. That’s the point," she said.
"If you can’t justify what you are doing with your customers’ information, it’s unlikely you are working within the law."
Consumer trust
She drew these different threads together to discuss the "bigger picture - people I talk to have never been more aware of their rights. But consumer trust hasn’t followed that. I’ll be asking organisations to do that, and put accountability at the centre of their practices.
"This includes the attitudes of your service providers. Earlier this month we fined a list broker because they didn’t tell people how their information would be used. We want to make more action against the bad actors in this sector," she said.
Brexit
For what happens when the UK leaves the EU, she made it clear that any decisions would be made at a governmental, not regulator, level.
"The legal relationship is for government. But they have made it clear that EU law will remain UK law. Until the government repeals it.
"Parliament might debate amending the GDPR. We and the DMA will bang the drum for continuing consumer protection. We need strong data protection laws. I don’t expect the laws around consent to be loosened any time soon."
She had one final piece of advice for those working with data:
"What can I do? We have just published an updated overview of the GDPR, explaining some of the new provisions. These guides will help businesses adapt for 2018. They will include guidance on consent, profiling, contacts and liability. Also the guidance from counterparts from Article 29.
"Don’t put this off. The GDPR will be in play on 25 May 2018."