Who: Christopher Graham, UK Information Commissioner
Where: Osborne Clarke, One London Wall, City of London
When: 2 December 2015
Law stated as at: 2 December 2015
In his keynote address to Osborne Clarke’s 17th annual “Look Back, Face Forward” marketing law forum, UK Information Commissioner Christopher Graham (the “IC”) spoke on the topic:
“What should UK marketers be doing now to prepare for new EU data protection laws?”
The first thing the IC emphasised was that the new measure was not yet finalised. The Luxembourg presidency had done a great job in moving things forward, but the IC expected the Dutch presidency to finally get the new General Data Protection Regulation (“GDPR”) over the line by Easter 2016.
The new law would then come into force two years after all the formalities, such as the required translations into all languages, had been completed.
Whatever the final content of the GDPR, it would be an important re-assertion of privacy and data protection as fundamental human rights.
ICO will go into “advice and guidance” mode as soon as new laws finalised
Once the new measure was signed off, the ICO would go heavily into “advice and guidance” mode, so as to help businesses prepare.
Also, it was already clear from the GDPR drafting process that, once it was in force, the ICO would have to do a lot more in the area of “process”, such as data breach notification administration.
Currently, “process” was not necessarily a key feature of ICO’s day to day activity, so this would require considerable change.
Notification is dead, long live notification!
Against that backdrop, a big challenge that ICO faced under the GDPR was the loss of £18m revenue as a result of the scrapping of the notification regime.
However, the IC was confident that in its place would come a notification scheme by another means.
So all those processing personal data should not think that they are no longer going to have to register with the ICO. The IC must have a list of who is doing what with personal data.
Also, if a business’s raison d’etre is processing personal data then it is going to have to pay a big registration fee.
So what should UK marketers be doing now to prepare for the new laws?
Marketers should not hang around until the music stops
The IC advised marketers strongly not to “hang around until the music stops” and the GDPR is finally signed off.
If any business needed a wake-up call to get their house in order now under existing data protection laws, the GDPR was that call.
Also, it was already clear that the eight main data protection principles would not be changing, so businesses should dust every one of these down and ensure their businesses were fully compliant.
Some businesses still do not “get” data security
One of these guiding principles was of course the data security principle.
Thanks to recent events involving spotty youths in Ballymena, Norwich and Llanelli, it was clear that no matter how many times the ICO had emphasised the importance of this principle in the past, this was still not enough for some.
And with public tolerance of these issues stretched to breaking point, businesses should be fearing screaming headlines on the front page of national newspapers just as much as the ICO’s increased enforcement powers, not to mention the business they will be at risk of losing as a result.
“Big data” is not a game played by different rules
On “big data”, the IC appreciated that this had fantastic potential for businesses, but he underlined that when it came to data protection, “big data” was not a game played by different rules.
One example was use of big data for nuisance marketing, where the IC was on a crusade against nuisance phone calls.
Just last week the ICO had imposed fines totalling £250,000 on three firms, two of which were based in Dorset.
The grand total of fines so far imposed for nuisance calls, under both the Privacy and Electronic Communications Regulations 2003 and the Data Protection Act, had now passed £2m and more cases were in the pipeline.
Safe harbor itself has not been struck down
On safe harbor, the IC said that the CJEU judgment in Schrems “called into question” safe harbor, nothing more than that.
The court had struck down the EC “adequacy” decision regarding safe harbor, not safe harbor itself.
Therefore his message to businesses transferring personal data to the US was “don’t panic.” Although safe harbor was not currently valid for EU-US personal data transfers, solutions were being actively pursued.
Custodial penalties? Just a matter of “pressing the start button”
On enforcement, the IC said that he would continue to lobby for the courts to have the power to impose terms of imprisonment for criminal breaches of data protection and electronic communications laws.
The statutory underpinnings and mechanisms were already in place for this, so it was just a matter of “pressing the start button” to make this happen.
Why this matters:
This was a vintage performance from the Information Commissioner: robust, direct and pulling no punches on the key issues UK marketers should be aware of and addressing as they head towards the end of the millennium’s second decade and face a time of unprecedented regulatory change.
Whoever takes his place, Christopher Graham will be a tough act to follow; Osborne Clarke wishes him well in whatever incarnation awaits him after June 2016.