Thursday, 17 May 2012
A DPA debacle facing SMEs?
Interestingly, of the many people to whom I have turned for assistance, not one person has mentioned data protection. I know of no-one running a small business that has the slightest clue about the stuff I’ve spent almost a quarter of a century living and breathing. Apart from the merry band of data protection consultants, that is. No-one has mentioned to me, as they explained how they went about creating their company, selecting a logo, building a website, engaging a book keeper (or accountant), working out whether to register for VAT, or what standard contracts to use, anything about any data protection issues that needed to be addressed.
I found that quite remarkable, especially given the recent media coverage of organisations with poor data protection standards.
I think I know why. In my view, it’s down to two main reasons.
First, it’s because data protection is an arcane and inaccessible subject that is so hard for a business owner to focus on, given the pressing need to understand other, much more important, aspects of setting up a business, and it’s actually quite hard to find independent professionals who can be trusted to offer pragmatic, no-nonsense advice. I’m not attacking the data protection professionals who offer great advice to sophisticated, established, businesses. What I’m pointing out is a dearth of advisors who are known for providing practical advice to start-ups and the smaller enterprises. Yet, these small enterprises, especially if their business activity involves the internet, are capable of generating large amounts of personal information which, if handled incorrectly, could cause very considerable embarrassment if the information were to be inappropriately disclosed to third parties.
Second, it’s because data protection is regulated by a small body of dedicated professionals who would find it impossible to cope if they were approached for help by all of the small businesses that really need advice. When you compare the size of the ICO’s budget with that of, say the (failed) Financial Services Authority, you really wonder what bunch of politicians were naive enough to impose huge obligations on an organisation like the ICO that was then vested with so few resources. Or perhaps the politicians were trying to imply – “here’s a set of ideas for businesses that want to follow good data handling practices, but we don’t really care if businesses ignore them.”
The European Commission can propose what it wants, as that Regulation continues its European Parliamentary scrutiny. The reality, currently, is that whatever will be passed will most likely be ignored by a huge majority of small businesses who simply don’t have the will to understand what they will need to do to comply. These businesses will be assuming that the regulators will be so under resourced that the likelihood of an SME being held accountable for an unfortunate incident will be much less than the likelihood of their star employee winning the X Factor.
So, what’s the answer?
In part, I think it’s about making it easier for SMEs to get decent, pragmatic advice, at an early stage in their development. If they’re a small business, say, developing web apps, working in the Silicon Roundabout area of London, it ought to be possible to find a data protection consultant working nearby for a coffee and a (free) chat. I have a cunning plan to help fill what appears to be a gap in the market. All will be revealed on 1 June.
In part, I also think it’s about making it easier for SMEs to appreciate the consequences of getting it wrong. But this is not an area that I’m currently interested in playing, as I’m not a regulator.
Now, I’m off to the bank to complete the process to open a corporate bank account. Later today, I’ll be off to Shoreditch to work out just how much stubble I would need to grow if I wanted to blend in with the surrounding community.
To be revealed on 1 June!