The Information Commissioner on GDPR

At the Institute of Directors Digital Summit, Information Commissioner Elizabeth Denham spoke about the upcoming GDPR regulations…

Here are my notes of her speech:

“I look out into the audience and the burning question in my mind is how are you doing with GDPR compliance?

I don’t need to tell anybody in this room how much the world has changed. We have an infrastructure that was unimaginable. Whether you’re into Britney spears or Boyzone I doubt any of you imagined you’d have a computer in your pockets that could download your favourite track.

The fuel for powering these services is big data. Vast data sets. What makes up these data sets? Very often its personal data — the statistics that your fitness tracker recorded, the information on your insurance form.

Gone are the days what data protection was a back office deal.

The ICO needs to work to keep up with technology. Our AI report recently won a major award. We’re a tech savvy regulator

We want fair accurate and non-discriminatory use of data

Under the new data protection reforms we’ll improve the standards through the use of privacy seal and certification programmes. We’re currently investigating how political campaigns used data analytics and social media to influence people. It’s important that there is greater transparency about the use of such techniques. We have to ensure that people have control of their data and how it is handled.

The law needs to keep up with these changes too. Next year the GDPR comes into direct effect in UK.

It brings new obligations for organisation, e.g. around reporting breaches and transferring data across borders. But the real change is in understanding the new rights it brings consumers.
It brings greater accountability, transparency and consumer control.

Individuals have stronger rights to be informed about how organisations use their data. They’ll have the right to demand it is deleted or removed if there is no compelling reason for its use.

What comes next is the Data Protection Bill, which will put in place the final pieces of modern data protection. It’s essential to securing the public’s trust of the use of information.

When I speak to regular people, they aren’t concerned about legislation or GDPR. They want to know ‘is my personal information safe? Who’s protecting my rights?’

The end game is about increasing the trust that the public has in how their data is used. I will always standup for the rights of UK citizens. It’s what our mission is.

I recommend a quick read of our Information Rights Strategic Plan. It commits us to exploring innovative and agile ways to achieve transparency and good data governance.

Innovation in the digital economy relies on consumer trust.
Innovation in government relies on citizens trust.

This is a good point to talk about the Royal Free/Google Deepmind project. In that case innovation took priority over privacy. My office ruled that they failed to comply with the data protection act. They turned over 1.6m sensitive patient records to be part of scientific research. There was a lack of transparency for patients. There’s no doubt about the huge benefit that data can bring to health research. But there’s no reason innovation can’t work alongside good protection of privacy.

The protections in GDPR will prevent you from driving too far down a wrong road that could be damaging and costly.

Be pioneering, but don’t sacrifice people’s legally-ensured fundamental rights in the name of innovation.

We’re seeking to engage with companies to see how we could build a regulatory safe space or sandbox where companies can test their innovations that could help with ‘privacy by design’

This is evolution rather than revolution. It’s not the next Y2K. It’s also an opportunity for business. If you look at this with a mindset that appreciates what consumers and citizens want, committing to manage data sensitively and ethically, then compliance will follow.

Digital advances will make our lives richer and support businesses to thrive.
I’m a regulator here to protect citizens, but i’m not here to rain on your umbrella, but I do suggest you take an umbrella.”

These are my notes of the speech given to the IoD by Elizabeth Denham, the Information Commissioner.

Since this post the ICO has posted the transcript of her speech.

We’ll soon publish our GDPR guidance for Service and Product managers. Make sure to follow us on here, or on twitter at @weareconvivio to get your copy when we release it.

Convivio is a digital agency that brings people together using technology.

We deliver major digital services for government and large organisations.

Find out more at

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.