Sunday, 29 October 2017

Briefing paper to Peers in advance of the Committee Stage of the Data Protection Bill in the House of Lords [30 October 2017]

Your Lordships
This bill has been eagerly awaited by data protection professionals, whose careers depend on its successful passage.
Please don’t worry too much that the bill is so very hard to understand. It's the Government’s way of ensuring that a select band of privacy professionals will be offered very significant salaries to decipher its contents and recommend ways of complying with the key provisions.
The General Data Protection Regulation, which this Bill aims to complement, but dare not copy out, was also a wasted opportunity to develop laws that the majority of those who were to be affected by them might understand.
Its complexity will also fuel countless debates over the coming years in obscure (data protection-related) internet chat rooms over precisely what the text means, and whether data protection regulators (in the UK’s case, it’s the Information Commissioner) have (a) agreed with their view and (b) bothered to embark on any enforcement action against those that disagree with their view.
Many organisations will not realise just how the legislation affects them, so they will not take steps to develop or improve their data protection practices. To be frank, most organisations I know will not be able to comply with all the requirements even by the end of 2018, even if they have already commenced their compliance programme.
And, with regard to those that have not commenced their preparations yet, even if their management were to take the decision today that they should take steps to comply, there’s no way that they could meet the May 2018 deadline (the date when regulators are able to commence enforcement action against offenders). This is because the vast majority of experienced data protection professionals (those that have a reasonable understanding of the requirements) are already fully engaged with other clients.
Regardless of what amendments are accepted today, in a few months' time the focus will move from what the statute says to how it will be enforced. The legislation in itself is unlikely to have a significant influence on how many data controllers change their current behaviour.
What will really matter is what guidance will be issued by the ICO, and what enforcement action will be taken against the miscreants.
Just as the value of an investment can rise or fall, the fact that the ICO has been seen by many data protection professionals as a pragmatic, open and engaged regulator in the past does not guarantee that it will continue to adopt a pragmatic and engaged stance in the future. The personality of the person occupying the post of Information Commissioner will be key, as will the resources that are available to the ICO to meet the demands that will be placed on it.
Using a phrase adopted by a previous Information Commissioner, the ICO has, in the past, aimed to be selective to be effective. Whether, in times of extreme public sector cuts, it can continue to recruit and retain the right calibre of staff to enable it to continue to be as effective is an open question. In the short term, I doubt it.
If the new legislation is to have much credibility, it needs to be enforced. It is my hope that the legislation will be enforced, because that will highlight the fault lines that exist. It will expose the difficulty that so many organisations will have in evidencing how they comply with all aspects of the law. It will clarify the areas where compliance is unduly burdensome and, in most respects, a practical impossibility.
Because it is only when the faults in this bill are exposed that a coherent business case will be developed to replace it with proposals that are far fitter for purpose.
The UK passed data protection legislation in 1984 and in 1998, and it will do so again in 2018.
I would not be surprised to see another Data Protection Bill before Parliament by 2024.