October 10, 2016

Elizabeth Denham delivered her fist speech as UK Information Commissioner at an event in London on 29 September 2016 where the digital and personal information economy took centre stage.

In her opening remarks Ms Denham said: “One of the things I want to be clear about today is that I do not believe data protection law is standing in the way of your success”.  She also reminded her audience that: “It’s not privacy or innovation – it’s privacy and innovation”.

Transparency, trust and progressive data protection were Ms Denham’s key points.  She spoke of Brexit and the GDPR and how the two will fit together, saying that the GDPR is extremely likely to be live before the UK leaves the EU.  Therefore, the UK will have to comply.  She reminded her audience that the GDPR is in fact already in force, it is just that Member States are not obliged to apply it until 25 May 2018.

The GDPR brings in new elements, Ms Denham said, and, “a more 21st century approach”.  The right of consumers to data portability is new, as is mandatory data breach reporting, higher standards of consent, and significantly larger fines for when companies get things wrong.  However, she said, the major shift in the law is about giving consumers control over their data.  This “ties in with building trust and is also part of the ICO’s philosophy”, Ms Denham said.

Ms Denham acknowledged that legislative change brings nervousness, but, she said, “it also brings opportunity”.  Having stronger data protection laws and enforcement is aimed at “inspiring public trust and confidence”, she said and the GDPR is “an incentive to improve your practices, to sharpen things up, and encourage organisations to look at things afresh”.

When the UK leaves the EU, in 2019 or later, a new data protection law will need to be in force, Ms Denham said, in order to ensure that data can flow to and from the EU.  To this end, Ms Denham said she is having “active discussions” with Ministers and senior officials in government, and has transmitted the ICO’s view on the future of data protection law.  “We believe that future data protection legislation, post Brexit, should be developed on an evolutionary basis, to provide a degree of stability and clear regulatory messages for data controllers and the public”, Ms Denham said.

The aim, Ms Denham continued, is not a data protection regime that appeals because it is overly lax or “flexible”.  The aim is “a progressive regulatory regime that stands up to scrutiny, that doesn’t leave the UK open to having rocks thrown at it by other regimes. And that has consistency and adequacy with Europe”.  To read Ms Denham’s speech in full, click here.