As we reported back in March, the UK is going to have a new Information Commissioner, Elizabeth Denham, who takes over on Monday. We talked in March about her background and the perception of her work in Canada. You can see that alert here – http://www.corderycompliance.com/changes-at-the-top-for-the-uk-data-protection-regulator/.
Likely agenda
What is the likely agenda of Ms Denham? At the end of April 2016 she was questioned by the House of Commons’ Culture, Media & Sport Committee (the ‘CMS committee’) in an open hearing. This is the first time that there has been a pre-appointment hearing with any Information Commissioner. The hearing highlighted a number of issues which are likely to be on her agenda:
- Ms Denham said that one of the reasons for her coming to the ICO was the added powers available under GDPR. She said that “it is a high-watermark for data protection around the world”. You can find out more about GDPR in our FAQs here – http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/.
- She seemed open to the possibility of additional guidance and legislation in the UK to amplify GDPR.
- She said that she welcomed the greater fining powers under GDPR, saying “I think that more significant sanctions for bad actors in the digital space is very important, because clearing the bad actors out or getting them to process personal information responsibly is healthy and necessary…”. She said, however, “I think citizens in Britain, in the UK, in Canada and around the world are increasingly troubled by data breaches. I think the new fines, which … are up to 4% of turnover in some context under the GDPR, are appropriate… my attitude towards oversight and enforcement is you start from a place where you educate, you give guidance, you do audits and it is when things go very wrong and when a company does not have the right attitude towards redress, that enforcement action and fines should come in.”
- She was questioned heavily on the TalkTalk data breach and said that she thought that there should be some director liability and in some cases directors should be held personally responsible for data breaches.
- She said that she planned to reshape the ICO and appoint more senior level positions given that the general registration requirement was going. She seemed to imply that the more junior staff who handle registrations would be replaced with more senior officials after GDPR. She did however say that the lack of notification fees would be a challenge and said “one of my first priorities would be to get a new funding model in place”. She talked about a ‘new information fee’ although no details on what that might be were provided. Clearly the hearing took place before the Brexit vote. We have commented in detail on the effects of Brexit in our film and alert here http://bit.ly/brexfilm. It could be the case that post-Brexit the UK could reinstate registration fees to restore this income.
- She said that the ICO would not be afraid to act in appropriate cases saying “I have crossed swords with some of the largest technology companies and I have not shrunk away or been a shrinking violet…If things are really going wrong and it is affecting the citizens and consumers, then I will use the stick in the cupboard. That is why the stick is in the cupboard…Having those tools in the toolbox is very helpful. If you look at my record you will see that I have used them”.
- She said that she saw scope for the FOI regime being extended into private sector organisations doing Government work, saying “if they are standing in the shoes of Government, follow the money. That should be covered in the scope.”
- Again of relevance to the new powers the ICO will get under the GDPR, Ms Denham said that she was a fan of non-consensual audit (sometimes known as dawn raids) and that she understood that the ICO had used the power well against local authorities and the health sector. She agreed with the GDPR approach to expand compulsory audits into other sectors.
Ms Denham’s appointment clearly comes at a time of great change in data protection law in Europe. The early signs are that she will be someone who will not be shy to take a lead.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
The picture of Elizabeth Denham is © Crown copyright and is used by kind permission of DCMS.