Ms Jennifer O'Sullivan:

Our relationship with these big multinational technology companies is multifaceted. At the hard edged enforcement side of it, we have our statutory inquiries that are open. I mentioned that we have not considered those to be investigations, which give us more powers, and we have not used unannounced inspections in those inquiries to date. The nature of the engagement with these companies on these particular statutory inquiries is quite formal. There is a significant amount of correspondence which relates to the fair procedure that we must adopt in these inquiries. Ms Morgan mentioned the right to be heard, the requirement for these organisations to be allowed to make submissions at the various stages of the investigation, and it is quite a formal written type of engagement when we are engaging with them in that context.

Separately, the GDPR introduced a requirement whereby where an organisation is considering introducing new processing that requires personal data to be processed, it must carry out a data protection impact assessment and it must mitigate the risks that are associated with that. If it finds that it still, for business or whatever other social reasons, wants to carry out the processing in the future but it has not been able to mitigate all of the high risks, it is obliged to come and speak to us. That is a different kind of engagement, which is quite formal in its own right.

Separately, we engage quite formally with these organisations when we receive intelligence, media reports or submissions that are brought to us, I suppose, in a pre-inquiry stage. That kind of engagement would be a combination of the following kinds of dialogue: in-person meetings; written correspondence; and us reviewing submissions they make to us on the matter.

We would have other reasons to meet them. Perhaps they want to give us an update on their general data protection activities. Particularly in the lead up to GDPR, we would have had several meetings with the big companies in that context whereby they wanted to give us an update on their preparations for the GDPR. Those would generally have been in the context of meetings where we had a discussion with them. They might bring to our attention new products that they were considering or that were further down the line, and we would have that kind of engagement with them in that context.