Fines key attention to data privacy from boards, says ICO head

Elizabeth Denham, the U.K.’s information commissioner and chair of the Global Privacy Assembly, a body that aims to coordinate best practice and enforcement among data regulators worldwide, believes without the threat of significant fines, executives would simply not bother thinking of privacy—and particularly cyber-security—as a risk issue boards should be concerned about.

“Fines get directors’ attention, drive better behavior, and are an invaluable tool for any regulator,” Denham told attendees Tuesday at a Webinar on the need for privacy regulation organized by the International Association of Privacy Professionals. “How can you regulate without fines?”

Under the U.K.’s previous Data Protection Act 1998, maximum fines were capped at £500,000 (U.S. $700,000)—a figure few believed changed the behavior of many major companies toward better data protection.

But in the run-up to the EU’s General Data Protection Regulation (GDPR) coming into effect at the end of May 2018, companies complained compliance costs in preparation had rocketed, “as if there hadn’t been any national legislation in place beforehand.” said Denham.

The Information Commissioner’s Office (ICO) issued 17 penalties totaling approximately £42.4 million (U.S. $59.2 million) last year, with three GDPR fines against British Airways, Marriott International, and Ticketmaster accounting for £39.65 million (U.S. $55.4 million) of the total.

Denham believes there is “no doubt” increased awareness of the need for better privacy protection is attributable to the GDPR’s ability to hit companies with a maximum penalty of up to 4 percent of global turnover for serious non-compliance.

While a more tangible threat of meaningful enforcement has pushed data privacy onto a board’s risk agenda, Denham also pointed out there are still significant barriers to achieving the level of data protection and best practice regulators want to see.

One of the key problems, she said, is that some concepts around data privacy are either not well-defined, not understood, or not practicable.

For example, said Denham, there is a challenge globally about what constitutes—or should constitute—“consent.” The term “lacks meaning and is not scalable,” she said, citing as a notable example cookie consent (where users give a Website their permission to track and process their personal data, ostensibly to improve the service—though, not necessarily).

Denham suggested there needs to be a push globally by data regulators toward establishing what “consent” actually means, what it involves, and how it can be enforced. She added that a certification process to ensure compliance might be more appropriate as a way forward.

More generally, Denham is in favor of better coordination among data protection authorities to achieve a globally similar view of privacy; consent; and enforcement, possibly through standards. She hopes the Global Privacy Assembly will do more to push for this.

Denham also highlighted new challenges data regulators face in the aftermath of the pandemic.

She said there is a “very real danger” organizations that have been given “privileged” access to sensitive data, particularly health and medical records, are going to be reluctant to face any kind of data restrictions or attempts to scale back access over fears doing so prevents innovation.

Consequently, the ICO—and other EU data authorities, she suggested—will need to have “deep conversations” about the “beneficial” uses of peoples’ data during future national or global crises.