If I seem a little comfortable in this spot, it’s perhaps
because only three days ago I was right here
welcoming people to our 2018 data protection
Why we are here
Security and data privacy have always been linked.
Privacy depends on security.
Modern data protection principles include an
obligation to protect personal data. And security
has been recognised in every significant
codification of data protection, including the
current Data Protection Act and the upcoming EU
General Data Protection Regulation.
The pace and scale of the UK digital economy,
combined with the new legislation, is reshaping the
digital landscape in which my office operates. Over
the past year, my office has increased its focus on
cyber security, to the extent that we now view it as
the spine running through all of our work.
Before I talk about the cyber security community –
the focus of today’s conference - I want to share my
thoughts about the current data protection
landscape, as it relates to everything cyber.
Data protection and cyber security
I hope I am not being optimistic when I say that
everyone in this room is aware of the seismic
changes taking place in the realm of data protection
at the moment.
Of course, there is the GDPR, coming in just a few
weeks, and the Data Protection Bill that sits
alongside the GDPR and tackles some of the details
over which the UK has discretion. Add to that the
law enforcement directive, which applies to police
and other competent authorities about how we’ll
tackle crime, the revised e-privacy regulation,
which sets out rules for electronic direct marketing
and, of course the NIS directive under which the ICO
is the competent authority for the UK for digital
service providers. That’s quite a list.
The new data protection reforms can be summarised in
three main areas - transparency, control and
The law requires you to be transparent and tell people
what you will do with their data.
You then have to stick to what you said.
Accountability is the strengthened part of the law: you should be
prepared to account to your customers and the
regulator for what you have done.
The new legislation also makes “data protection by
design” a legal requirement, as well as the use of
data protection impact assessments.
The ICO has promoted privacy by design for years, and
there’s plenty of guidance on our website. But in
this context it means building data privacy and
security into every part of your information
processing, from the hardware and software to the
procedures, guidelines, standards, and policies that
your organisation has or should have.
Remember: security is a boardroom-level issue. We
have seen too many major breaches where companies
process data in a technical context, but security
gets precious little airtime at board meetings.
If left solely to the technology teams, security will
fail through lack of attention and investment. These
companies may have the best policies in the world –
but if those policies are not enforced, and personal
data sits on unpatched systems with unmanaged levels
of employee access, then a breach is just waiting to
We understand that there will be attempts to breach
your systems. We fully accept that cyberattacks are
a criminal act.
We also believe you need to take steps to protect
yourself against the criminals. The malicious kid in
his bedroom who hacks into your system just because
he or she can. Or the opportunist thief who
understands the value of the data you hold and knows
how to get their hands on it.
If TalkTalk and Carphone Warehouse had implemented
rudimentary protections, attackers would not have
gained access to their systems. If NHS systems had
been patched and up to date, they would have been
protected from WannaCry.
Don’t just shut the door. Lock it. Then check the locks.
And be mindful about who you allow to have a key.
Deputy Commissioner for Operations James
Dipple-Johnstone addressed this conference yesterday
with more practical details.
Building a community -
Today’s conference is called “building the cyber
I would like to discuss that, with one caveat: where
you say community, I say communities.
We play an active role in building and maintaining four
equally important communities of practice and
I am going to talk about each of them in turn.
International community - how we work with other countries
Threats can come from anywhere in the world, and we
work hard to enhance privacy protection for the UK
public, no matter where the source of those threats.
Within the European Union, we co-operate across all areas,
including activities related to the internal market;
justice, freedom and security; and police and
The ICO is part of the EU’s Article 29 Working Party on
data protection matters, and we supervise and
support data protection in a variety of contexts,
including law enforcement, customs and immigration.
Whilst the final legal relationship between the EU
and the UK is one for the politicians, there is no
doubt that achieving a treaty arrangement or an
adequacy decision with the EU represents the
simplest way of ensuring the continued frictionless
flow of data between the EU and the UK.
There is equally no doubt that having domestic laws
that achieve a high standard of data protection and
are broadly consistent with EU ones will be a
We also build and maintain networks and partnerships
around the world, from multinational action groups
(such as UCENet – 27 countries working together to
tackle unsolicited marketing messages) to regular
information exchanges and joint research.
UK protective community - how we work with other
regulators and official bodies
Taking a step closer to home: as I said before, we
have a role to play in the Government’s commitment
to making the UK the safest place to be online.
There is no sole authority for cyber issues in the
UK. As the UK’s independent data protection
regulator, we work alongside the National Cyber
Security Centre, the NCA’s Cyber Crime Centre, DCMS,
Action Fraud and other agencies as and when
Of course, to be effective we need to coalesce and form
agile, multi-disciplinary partnerships. Which is why
we are developing co-working practices and, where
appropriate, memoranda of understanding with these
We are aligning our playbooks and testing them through
the national exercises. We are co-ordinating our
communications, guidance and incident responses with
them, so that we can respond to large-scale data
For example, the NCSC co-ordinated the national response
to the Equifax breach, and the ICO was involved as
the regulator. But for Uber we lead the
co-ordination and the NCSC acted as technical
Of course, anyone who heard James Dipple-Johnstone’s
speech here yesterday knows that we set out the GDPR
security outcomes from the cyber incentives review
with NCSC and DCMS.
Government and regulatory bodies are working
together in a way which, I believe, is unmatched
anywhere in the world.
I believe this partnership, bringing together cyber-security
agencies and those who uphold information rights,
serves the public.
UK business community - how we work with you
Coming even closer to home, I now want to talk about
how we work with you: the businesses and
organisations of the UK.
We want to empower you to take ownership in finding the
right approach and the right balance between cyber
and data rights. We want to recognise those who have
significantly influenced their organisation,
culturally and practically.
At our conference this week it was my great honour to
award our first ever ICO practitioner award for
excellence in data protection.
The award recognises the increasingly vital role played
by professionals working in the sector, and the
winner was Esther Watt, Data Protection Officer (DPO)
at North Kesteven Council in Lincolnshire, who was
chosen by an independent panel of five judges from
more than 100 nominations.
As I’ve already said, the government is committed to
making the UK the safest place to be online.
Keeping individuals safe online shouldn’t invoke
panic in terms of your obligations. I have spent a
lot of the last year busting some data protection
myths, and reassuring organisations that our
approach as a regulator is not to fetter innovation,
whilst making sure it’s still hard for criminals and
chancers to thrive online.
My office appreciates the challenges you are working
under today because we face the same challenges.
Budgets are tight, technology is moving fast and
there’s a race to keep up with competitors. But data
protection law needn’t be onerous if you adopt
privacy by design and sound cyber security at the
outset of your projects.
One of the myths I have worked hardest to dispel is
around data breach reporting under the GDPR.
You probably know this by now, but it’s always worth
repeating: you will NOT need to report every single
personal data breach to the ICO.
You will have to report a personal data breach if
it’s likely to result in a risk to people’s rights
and freedoms. And you must do that within 72 hours
of discovering it.
You should all by now be developing a sense of what
constitutes a serious incident in the context of
your data and your own customers. You also need to
consider whether a breach triggers notice, not just
to the ICO, but to affected individuals as well.
We have taken steps to make reporting a breach simple,
effective and efficient. Call our breach reporting
line and you’ll get a human response – and our focus
will be on working with you, and bringing in whoever
else we need to involve, to help you make the right
decisions in those crucial first few days.
Tell it all, tell it fast, and tell the truth. Work with
us and you will find the ICO to be a proactive and
As a proactive regulator, we recognise that innovation is
essential in the digital economy. We are
establishing a ‘regulatory sandbox’, for you to
develop innovative digital products and services,
whilst engaging with us to make sure the right
safeguards are in place.
As part of the sandbox process we will advise you on
mitigating risks and data protection by design. The
sandbox is in the development stages to be launched
Our internal community - and yours
Finally there’s an often overlooked, but utterly
essential community: our own people.
As a modern regulator in a technological environment it
is our duty to continually invest in our technology
and staff. You have a right to expect us to stay
relevant in the context of a dynamic digital world.
I agree: which is why upskilling our staff is now a
core component of the ICO’s strategic goals. Through
our information rights strategy and our new
technology strategy, we are aiming to build a new
cohort of in-house experts, by:
Developing new technology training programmes
for our staff.
Introducing an ICO apprenticeship scheme,
focussing on cyber security.
Expanding our in-house laboratory.
And as I have a captive audience I want to push
this one: running a secondment scheme, offering
your colleagues the chance to learn valuable new
skills and to experience life in a different
context. More on that on our website.
The digital economy is the fastest growing area of the
UK economy. But, whilst new technologies bring new
opportunities, it’s the people designing, creating
and managing them that count.
Low-tech breaches are frustratingly common in our
enforcement work. So many of the breaches we
investigate are down to human error.
It’s here that building your internal community can
really pay off.
Your data protection officer, your chief technology
officer, and your chief information security
officers should never be strangers. They may not be
BFFs but they need to get along and respect one
another’s briefs. Cyber-security is a team sport.
Your board should approach every decision with an
awareness of its impact on the security of your
technology and information assets.
If you build internal coalitions with privacy and
security at their heart, then you will have taken an
enormous step towards being the trusted leaders of
of our focus today, let’s remember why we’re doing
this – people. Increasing the public’s trust and
confidence in the way their data is handled.
This is a priority for me and my office, and I hope – I know –
this is a priority for you.
The revelations of recent weeks involving Facebook and
Cambridge Analytica and others have been a wake-up
call. People care about what happens to their data.
Defending their information from attack is your
battle – it must be one you are prepared to fight.