On February 23, 2018, Elizabeth Denham, the Information Commissioner for the United Kingdom (“U.K.”), gave a speech at the Direct Marketing Association’s (“DMA”) Data Protection 2018 event outlining her plans for enforcing a number of upcoming changes to the privacy regime in the European Union (“EU”). While stressing that her office wouldn’t hesitate to take “tough action” to protect consumers from businesses that fail to meet or ignore their legal obligations, Denham nonetheless outlined a pragmatic approach focusing on “[e]ducation, engagement, [and] encouragement” before resorting to enforcement.
In her speech, Denham told those attending the DMA event that her office (the “Information Commissioner’s Office” or “ICO”) was prepared to handle the shifting landscape of EU data protection regulations. Denham referenced several advancements from the past year, including her publication of “myth-busting blogs” that “set the record straight” on various issues related to the General Data Protection Regulation (“GDPR”), set to take effect in May 2018, as well as the provision of “targeted resources,” such as a dedicated GDPR helpline that Denham said fields 1,500 calls per week.
Despite the progress made by the ICO, Denham stressed that there was still work to do to ensure regulated entities comply with the new rules. Stating that the ICO is a “pragmatic regulator,” Denham reassured attendees at the DMA event that “hefty fines will be reserved for those who willfully or persistently flout the law.” Thus, while support, education and guidance will be at the core of the ICO’s enforcement posture, Denham made it clear that the ICO will not hesitate to take “tough action” on those who spurn the new rules.
Denham acknowledged that safeguarding innovation was important and that the ICO would commit to “exploring innovative and technologically agile ways of protecting privacy.” Nonetheless, Denham asserted that her office “will also reserve [its] strongest sanctions for breaches involving novel, technological approaches that present a high degree of intrusion into people’s privacy.” But she added that the ICO also aims to be a “leader” on the implementation and oversight of the regulatory reforms and that, to reach those goals, the ICO also needs to focus on protecting consumers and advancing public trust in the way that companies handle personal data. As part of that task, Denham called on entities doing business in the U.K. to continue to cultivate “a collaborative approach and work together with the ICO to develop baseline educational messages” that will help to both “raise awareness” about data protection reform and “increase trust in a data-driven world.”