Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

Elizabeth Denham’s speech at the Data Protection Practitioners’ Conference on 5 May 2021

Original script may differ to delivered version.

Good morning, and welcome to the ICO’s Data Protection Practitioners’ Conference 2021.

This is one of the dates in my diary that I always look forward to, and this year it is an especially timely reminder of how my work is just a small part of a bigger community.

One of the professional challenges I’ve found during lockdown is that it can be easy to feel you’re working alone. To be hunched over a document about SCCs or DPIAs, and feeling as though you’re trying to hold back the tide. I know from talking to several of you that you have felt the same way.

And yet in the past year we have dealt with bigger issues than ever before, and responded to questions more quickly than ever before.

As a community we’ve proven our resilience. And we’ve shown that a pragmatism, coupled with a principles based law, can adapt to the circumstances of the day.

In the face of high stakes and high pressure, we have all raised our game.

It’s easy to forget that when we’re seated at our dining tables, or at makeshift home offices.

It is four years since my first DPPC in 2017, and I remember being struck then by the level of expertise and insight in the room.

I spoke in my keynote that day about how data protection had moved from a back office function to being a career that has a real impact on the world.

After my speech I was talking to people in the queue for a coffee. I was struck by how many of you understood already the impact our profession has, and were already making a real difference.

And so I hope today can be a reminder that we are part of a community. It is a brilliant community that day in, day out, protects people’s rights and enables responsible innovation and business growth.

In my 2017 keynote, I also spoke about the support the ICO could offer the data protection community. How could my office support you as you made the case within your organisations for a greater understanding of data protection, and the benefits it offers?

I hope we have delivered.

I hope you have seen me as a champion for your role, and telling the C suite that they need to know who their DPO is, and know how important they are.

I hope you have seen in the guidance we have produced that we are asking the question of ourselves: ‘does this speak to the reality that data protection practitioners face?’.

And I know you will have seen the practical steps we’ve taken. In preparation for our DPO panel session later this morning I spoke with Helen from Tesco Bank. I was struck by a comment she made to me. She said the ICO’s accountability framework resonated with her. It seems to be a tool that had been produced with her job as a DPO in mind. I heard that as very high praise for the ICO!

Today’s event is another way we support the data protection community. I hope it is thought-provoking and inspiring, but most of all I hope it is practical.

We don’t get to welcome you to Manchester today, but this digital event does mean we get to welcome so many more of you.

We have 2,500 already logged on today, and I’d expect that number to grow across the day.

We have a busy agenda ahead, so I’d like to start the day with a story. A modern drama, in homage to Shakespeare, whose Globe theatre I’ve walked past so many times on my daily exercise during lockdown.

It is a story of trust and sleights of hand, of successes and failures, of tragedy and of hope.

I so want to introduce it as Much Ado About Data, but I’ll try to resist the temptation.

Act One of the drama sets the scene. It’s the late 2000s. Social media is established, but Facebook is still used mainly by young people. Twitter is starting to become popular.

Alongside that, businesses are starting to see the benefits of innovative use of personal data. Data can personalise services, get the right ads in front of the right people, even create entirely new products.

For the first time, the technology is available to handle the volumes of data needed to match companies’ ambitions. The companies need just one thing: the data itself.

It is a time, unfortunately, when data protection professionals rarely get invited to the important meetings, or asked their view on how data can be gathered.

And so we reach the first piece of drama. A sleight of hand. Some organisations decide that once they have someone’s personal data, they can treat it as their own. It’s a business asset. They gathered it, or bought it, or compiled it, or curated it, so they take a view that the data belongs to them, to do with as they please.

Consumers largely don’t realise, or at least don’t care. But that sleight of hand will define the rest of the drama.

And I know from experience that being a data protection professional was a different role then, with a focus on data leaks and accidents. My own experience was dealing with the aftermath of a cabinet of mental health records being left behind in a soon-to-be-demolished Calgary hospital. The ethics of data collection, and certainly of early digital innovation, rarely came across the data protection officer’s desk.

We move to Act Two. At first everything is fine. As the years tick by, the companies happily gather huge amounts of data, and prompting innovation that benefits business and society alike. Customers like the personalised services, and the free content, and the health apps, and the ways to connect with friends and families around the globe.

But Act three brings a problem. Some people are starting to ask what happens to their data.

We hear questions like ‘Why do I keep seeing hotel advertisements after I’ve just bought an airline flight?’

‘How are social media companies making so much money when they don’t charge me a fee for their service?’

Or more fundamentally, ‘Does this company, or even the government, know too much about me?’

I’m sure many of you have been asked these questions. Privacy is now mainstream. Those of you who have been in the profession for a little while will recognise that people are finally interested in what we do – saying you’re a data protection regulator isn’t the conversation killer it once was!

That interest does come with a growing cynicism. A cynicism from customers who feel their information is being misused or monetised without their say. A mistrust of government innovations around data.

That is a real concern. The obvious benefits of data-driven innovation, in both the public and private sectors, rely on trust. We’ve seen that clearly over the past year, from contact tracing apps to data sharing to help vulnerable people who are shielding.

The example dominating the headlines now, of domestic vaccine certificates, is another good example. The success of any COVID-status scheme will rely on people trusting it, and that means people having confidence in how the scheme would use their personal information.

It is a topic that I’m sure we’ll hear more from when Dawn Monaghan talks about NHSX’s work over the past year.

What stood out to me as the ICO offered our view on the contact tracing app was the focus of the app developers across the UK’s devolved nations on privacy. The developers were considering fair data use at an early stage, and explaining how the app used data. There was an real recognition of the value of public trust and engagement.

There is simply not an option today for any organisation, private or public sector, to say ‘how we use data is complex, this service is important, so just trust us’. And that applies as much to COVID-status certificates as it does to social media companies or app developers.

Back to our story. You’ll recall we heard how the businesses enjoyed the years of benefits from the ubiquitous use of people’s data. But now people have noticed the result of that sleight of hand that saw companies treat people’s personal data as their own asset, to use as they like.

A swell of objection has shifted the power balance.

So what happens next?

Is this story one of Shakespeare’s tragedies? Are the data-guzzling businesses the tragic hero? Have they aspired to innovation glory, but fallen short because of their fatal flaw in not appreciating the need for people to buy into their vision?

Or is there a more positive outcome. Is the conclusion one of compromise and of appreciating others’ views?

Crucially, that final act is still unwritten.

And you – the UK’s community of data protection professionals, help shape how this story ends.

And I hope my office can help you, especially today.

We have a fantastic agenda ahead of us, and an afternoon of seminars offering expert, practical advice on the areas you told us you most wanted our support.

The focus is on what my office can offer you.

It is your data protection community that shapes the ending to the data drama.

It is you who explains data use to customers when an innovative project is launched. You explain the rights consumers expect to the people within your organisations who are developing projects. And you demonstrate the value good data protection brings to business.

We will support you every at every stage to find an ending where society benefits from the incredible opportunities data-driven innovation brings...

...supported by people trusting their data is being used fairly, lawfully and transparently.

That is the ending where I believe society wins.

Thank you.