Elizabeth Denham's iron-clad regime on data protection is proving watchdog can have teeth

Elizabeth Denham, the UK Information Commissioner Credit: Paul Cooper

Of the handful of Canadians who occupy big jobs at the heart of British public life, Mark Carney is by far the best known.

Since his appointment in 2013, the Bank of England’s ice-hockey playing Governor has loomed large, offering frequent pronouncements on everything from monetary policy to climate change, from Brexit to widening social inequality.

In terms of policy, however, Mr Carney’s contributions have been modest. 

Despite presiding over countless meetings of Britain’s Monetary Policy Committee, in his six years at the helm the Bank’s single most powerful policy lever - its ability to raise and lower interest rates - has barely been touched.

Since his predecessor slashed them from 5.75pc in 2007 to 0.5pc in 2009, UK rates have moved only rarely and in tiny increments.

Now, as Carney prepares to pack up his office in Threadneedle Street in January 2020, it is fair to ask a simple question: could Britain’s other Canadian regulator, Information Commissioner Elizabeth Denham, end up having a longer-lasting and more meaningful impact?

Until this week, to make such an argument would have been a stretch.

From toothless tiger to growling T-rex

A trained archivist from British Columbia, Denham had, since taking up the role three years ago, seemed happy living the quiet life at the ICO’s somewhat unlikely headquarters in Wilmslow, Cheshire.

Her boldest move was last October, when she slapped a £500,000 fine on Facebook for failing to protect the data of 87m people whose details had been harvested by Cambridge Analytica.

For Facebook, which generated revenues of $55bn from advertising last year, the fine barely amounted to a pinprick.

This week, however, Denham seems to have undergone a metamorphosis from toothless regulatory tiger to a growling T-Rex.

On Monday and Tuesday, the ICO came out all guns blazing, firing off two fines totalling £282m at BA and Marriott International for breaches linked to cyber-hacks that exposed the personal data of millions of their customers.

Denham is now armed with tough new powers that arrived with the EU’s GDPR data privacy rules last May, and there is reason to believe she is only just getting started.

Indeed, she may be reloading her regulatory revolver right now.

The ICO’s annual report, published on Monday, hinted that Cathay Pacific, another airline, which suffered a cyber-hack exposing the details of 9.4m passengers in November 2018, could be next in the firing line.

If chief executives hadn’t known who Denham was a week ago, they sure as hell are sitting up and paying attention now.

Denham’s assault is just the start

Under the old regime, fines for data breaches were capped at £500,000, but since the introduction of GDPR regulators are able to fine companies up to 4pc of global turnover.

As well as offering a windfall to HM Treasury, which will scoop up the proceeds, the ICO’s fines are sending shockwaves through the corporate world as bosses recalibrate the risk of having inadequate cyber-security measures.

For years, many have got away with a slapdash attitude towards data protection. That era is now over.

The hacks of Marriott and BA exposed the personal data of 500m Marriott customers and 380,000 BA passengers worldwide.

Denham’s subsequent fines of £183m on BA and £99m on Marriott are a sign of the changing regulatory environment and serve as a stark warning to companies that fail to protect private consumer data from loss, damage or theft.

Naturally, they will boost compliance and trigger a torrent of investment into cyber-security.

But Denham’s assault may be just the start of a new iron-clad regime on data protection - not just in the UK and Europe but in other countries including the US.

Several US states are preparing to impose privacy laws, led by the California Consumer Privacy Act, which could result in far bigger penalties for non-compliance.

The California rules, which are due to come into force in January 2020, allow for fines of between $2,500 and $7,500 per individual offence, meaning penalties could quickly escalate to staggering levels in the event of a large-scale cyber-hack.

Other states are considering similar steps.

For executives looking aghast at the big fines announced by Elizabeth Denham this week, it is worth bearing in mind they could be peanuts compared to what may be coming down the line.