Saturday 6 August 2011

Taking a more detailed butchers at my breaches

How are you spending your holidays? Relaxing on some faraway beach, or preparing detailed comments on breach notification procedures, so that our friendly Eurocrats have got lots to read when they return from their summer holidays?

I wish it were the former. But I’m currently concentrating on the latter. I’ve really got to get out more.

The eagle eyed among us will know that we were set some homework for our summer holidays, to help devise cunning plans to replace one cumbersome chore (say, the notification of lots of detailed processing purposes to the national regulator) with something else. Let’s hope that this “something else” proves to be of significantly greater value than the process it will ultimately replace.

But I must not get too cynical. Hey, I’ve got to respond to 28 different questions, most of which are asking quite detailed operational queries about a process which has only recently been designed and is yet to be tested to breaking point. The deadline to report on my views (based on actual experience of a working model) is 9 September. Does it matter? Well, if I want to contribute to the creation of an initiative that is actually fit for purpose, then yes it does matter. And it a matters a great deal. I would much have preferred the deadline to be, say, 9 March 2012, so more of us could all actually know what we are talking about, rather than have the debate framed by people who just think they know what they are talking about, but who have never done it, themselves, in practice.

(I used to give conference delegates a practical example of this whenever I spoke about communications data retention. A good number of people were involved in the debate about the retention of communications data records, without them ever actually having seen a communications data record. They were brought up to believe that “traffic” records were “bad”, and should be deleted as soon as the subscriber had paid the bill. So I used to show the “traffic” record during my presentation. I would ask one delegate to hold one end of the (paper) record and I would unroll 30 sheets of A4 paper which had been sellotaped together in portrait mode to print off a single line of traffic data. The delegates soon understood the points I was making, then!)

But back to the plot.

At this special time, at the inception of something that could be quite significant, like developing a compulsory breach notification process, it’s probably time to take time to make sure that the salient issues are actually worked through in practice, rather than just theory. Where is the gathering of data controllers with actual practical experience of data breach management? Where are the opportunities for them to learn each other’s lessons? If one size won’t fit all, then what ranges of shapes should be designed to be capable of fitting in with the new rules?

I was tempted to ask whether many EC regulators had actually bothered asking Communication Service Providers for their input into the new breach notification rules, which most EC Member Stated haven’t yet bothered to implement. But I thought I shouldn’t go for such an easy question. The real question is why most EC regulators hadn’t bothered asking those who will be affected (at least, yet).

But I will offer three cheers for our chums in Wilmslow, who have taken the lead by taking steps to brief themselves on the questions that are being asked internally to the British DP telco and internet honchos. Lots of us want something to work. But, and it is a big but, we need to ensure that we don’t kill off the businesslike working relationships that grease the data protection wheels that drive good compliance in the first place.

What do I mean?

From the regulator’s perspective, I expect that the regulator does not want to change too fundamentally the close working relationship that can provide relatively easy access to the heart of a data controller, and enable them to influence the improvement of data protection standards in a spirit of mutual respect and co-operation. No-one gets much stuff done simply by writing letters opining that it is either “likely” or “unlikely” that, in a particular case, any of the Data Protection Principles were breached. What we really want to do is to focus, at a deeper level, on moving the tectonic plates of good compliance, to make improvements one the macro scale, not just the micro scale.

And from the Data Protection Officer’s perspective, they too don’t want too many tweaks to the close working relationship with the regulator. But, if the DPO is seen as simply an agent of the regulator, then their easy access to the heart of their business could be severely curtailed. And if the business fears the consequences of an improperly implemented piece of legislation, they could distance themselves from the DPO, which will ultimately make it even harder to move those tectonic plates.

In the short run, the individual will be the loser. And I don’t think that anyone really wants that.

So the key will be in how we create a breach notification process which delivers an objective. The objective, surely, has to be to reduce both the likelihood of a data breach, and of the effect that such a breach will have on an individual.

I’ll be popping up to Wilmslow next week, with some chums from the Mobile Broadband Group (ie those who actually operate the networks of cell sites which all of the mobile phone providers use) to continue discussions with the Commissioner’s officials on this very important subject. We are all very painfully aware that, given current economic constraints, the resources that will be put into meeting a breach notification requirement will be diverted from other data protection work. So, we need to make sure that we are jettisoning low-value work to enable us to deliver this type of work. And that we don’t end up jettisoning higher value stuff just to make time to complete paperwork that has no real purpose.

I have questions about the way the Brits are about to implement the domestic rules, as well as some possible solutions that I’ll want to explore over the summer with some chums. Data protection is a collegiate game, and if we really want to reposition those tectonic plates of compliance, then we’ll only achieve success if we are all pushing in essentially the same direction.