Data protection 2016: Information Commissioner

In his final address to the DMA's Data protection conference before he steps down, the Information Commissioner Christopher Graham laid out the current and upcoming challenges for those working in data

Christopher Graham steps down from the post of Information Commissioner in June, "It's time to go when you find you are renewing your bus pass," he said. "At the end of June I’ll decide what to do next."

Graham has steered the data regulator through the tremendous rise in the trading and usage of consumer data. "I could see that digital was disrupting the ad industry in a good way. There is the importance of data protection as a sound platform for good things to happen," he said.

Powers

The ICO has not been static and in the last year has won more power from government.

"A thank you to DCMS - this time last year I was fretful. We could see nuisance but it wasn’t enough - we had to show distress to make a successful prosecution. Then the government changed the law and since then we have been motoring. Now we just have to show that the rules have been broken by the cowboys. It’s no longer catch us if you can.

"We are in a strengthened position to do this," he said.

Giving the example of a firm that called consumers during the middle of the night, winning a substantial fine from the ICO, the Information Commissioner explained the threats to businesses going about things the wrong way. He said, "It’s not just a question of whether that business complies with the law, but whether it has long term potential for growing a brand".

GDPR

However, the ICO is currently limited to imposing a fine of £500,000. Under the GDPR, the limit is raised substantially to €20 million or 4% of global turnover, whichever is the greater.

Graham referred to the fines as "eye-watering" and said, "The sky’s the limit for enforcement. This is getting serious."

Penalties vs behaviour

"I have never been one to get off on civil monetary penalties," he said. "There is a much more powerful driver coming from consumer behaviour - what the consumer wants drives all this.

"We’ll deal with the rogues. Practitioners who want to get things right are more interested in setting good practice and sticking to it - that’s the business. You can make a quick buck but at real consequence to your reputation.

"The time, energy and money needed to rebuild consumer confidence can be as severe a punishment as any fine," he said.

Asbestos

Graham warned, "We used to think that digital is the new oil. It’s also the new asbestos. You have to manage those new opportunities," he said.

"I know you want us to work against the fly-by-nights who get in the way of the direct marketing business. This doesn’t mean you are home free.

"In many ways, by asserting you are doing things properly, the fall could be even greater. Don’t just talk the talk, but walk the walk," he said.

Charity fundraising

On the subject of the upheaval in the charitable sector over the summer of 2015, he said, "Who would have thought that some of our leading charities could so tarnish their own brand by going over the top and not managing what the fundraisers were doing. Consumer behaviour pulls everyone into line," he said.

He cited the steps made in the Etherington Report, but also that charities including the RNLI and more recently the British Red Cross have decided to take a much closer look at their fundraising.

"Charities need to get on the front foot before the ICO comes knocking on the door. The clever thing to do now is to get several jumps ahead of the sheriff," he said.

Steps to take now

Graham advised delegates to look at the existing legislation first, which will be a great starting-point for the GDPR.

"Get it right with PECR and the data protection act and you won’t go far wrong. There are more obligations and more process, even for me as a regulator. Your problem is complying with the rules as they are at the moment. If you work on that, you won’t go far wrong," he said.

The five Es

Graham says the ICO has a mantra - the five Es:

• Enforcement - their primary function to enforce the legal obligations
• Education - to help data controllers know they are behaving correctly
• Empowerment - of citizens and consumers to assert their rights under the current law and DGPR
• Enabling - the power of digital can deliver wonderful services in so many areas of the public or private sector
• Engaged - with what’s going on and technological developments - watching out for what’s happening

"We are not just there as a policeman but as a guide," he said.

Privacy Shield

"We are waiting for the text on that. President Obama signed the Judicial Redress Act, to give EU citizens the right of redress over actions taken in US," he said.

In the absence of a working alternative, he reassured delegates, "We are not charging around looking to enforce against people who relied on Safe Harbour. We are working hard to make sure the new arrangements coming in to place are convincing," he said.