Friday, 7 August 2015

Why are so many privacy professionals driven to despair?

Why are so many privacy professionals driven to despair?

Don’t worry. It’s not that unusual for privacy professionals to be driven to despair by the demands of their job. It’s just a mindset that most of them go through when business “requirements” and legal “restrictions” continually clash.

As Tom Fletcher, the UK’s former Ambassador to the Lebanon recently put it: “You think you’re reached rock bottom – then you hear a noise from below.”

But there is hope at the end of the tunnel. That mindset can pass, to be replaced with a more productive phase of professional life.

Tom Fletcher recently blogged about the eight stages of his (professional) life. Seduction. Frustration. Exhilaration. Exhaustion. Disaffection. Infatuation. Addiction. Resignation.

He knew them all, often simultaneously.

I’ve known them, too.

The work of a privacy pro isn’t easy, when you’re dealing with clients who have little concept of current data protection requirements, let alone the added complexities that are being contemplated by those that are currently negotiating the compromise text of the General Data Protection Regulation. But why should the negotiators care about complexity? Hardly any of the people currently involved in the tripartite discussions will ever have a job that actually requires them to implement it. Many will simply move on to reaching consensus in other policy areas.

Talking about it is not the same as doing it.

So, and as apparently happens so often with Lebanese politics, the tripartite negotiators can needlessly overcomplicate issues with layers of conspiracy, creative fixes, and intrigue. They can undermine leaders working in the national interest of Member States, rather than the collective interest of the EU. And they can proclaim that there is no substitute for this unrelenting, maddening, political process.

Roll on 2016 when, in a fit of exhaustion, something will be churned out of the EU’s legislative sausage machine, and hordes of consultants can feast for years thereafter. Whatever finally emerges is unlikely to significantly enhance the privacy of the average EU citizen – but it ought to significantly enhance the bank balances of the armies of consultants who will be called upon for guidance as to which elements of the Regulation should be implemented, and how, and which bits can be safely ignored, and why.

But why do I care?

Simply because I care about the implementation costs. When most small and many medium-sized businesses can barely begin to demonstrate compliance with the current rules, my eyes roll when I think of the difficulties that they will face in coming to terms with the new rules.

Of course the larger organisations will do what it takes to remain on the right side of their regulators – assuming, that is, that the regulators have a large enough stick to require compliance. Under-resourced regulators will be left in the unenviable position of being held accountable for not enforcing the new rules. They’ll be blamed for allowing some businesses (and some public sector bodies, no doubt) to get away for years with shockingly poor data handling standards.

Perhaps my current mood will improve when all the privacy pros return from their summer holidays.

I do hope so.


How to cope: