Thursday 18 October 2012

Hooray – more data protection compliance diagrams

Those of us in the know appreciate that it is one thing to do it, and another thing to produce a diagram about doing it.

So today, I present to you, a data protection compliance diagram which has been kindly supplied by Alexander Alvaro, MEP, a Vice-President of the European Parliament. You’ve probably heard of him. He’s quite influential in German data protection circles.

Anyway, his latest wheeze, in his own words, is as follows: “I have developed the concept of ‘Lifecycle Data Protection Management (Lifecycle DPM)’, based on a simple stick and carrot principle: Invest from the outset in a sustainable data management framework, follow it up with a comprehensive compliance mechanism and you will be rewarded with an effective implementation and enforcement architecture.”

For those of us that like carrots and sticks, all we need (if we are allowed) is to use Google's mighty search machine to locate a document that goes under the snappy title of “Lifecycle data protection management – a contribution on how to adjust European data protection to the needs of the 21st Century.”

Are you still with me?

If you are, I’ll just make the point that his paper also suggests that data controllers present a privacy policy to customers in a common format – as it is apparently the case that some consumers choose on-line services on, among other things, the privacy policies that the various competing data controllers have.

You could have knocked me down with a feather when I read that bit. I must be missing out on something. My on-line choices are focussed on availability, price and delivery dates. I honestly can’t remember if anyone’s privacy policy has ever influenced my choice of whatever it was I was planning to buy. Then again, I have been in this game for a long time. Perhaps younger generations do read the stuff I so despair of.

Anyway, for those that are really keen to be on the ball, here is a set of the latest privacy icons that responsible data controllers could use when tempting potential customers with their irresistible wares.

The snag is, what happens when you are honest about your intentions, or capabilities, with regard to each of these icons? For a number of the (extremely honest and reputable) companies I have had the pleasure of getting to know, I really doubt if their privacy policies would have achieved more than 1 tick (or perhaps 2 ticks) in the relevant icon boxes. So, if every data controller (for perfectly legitimate reasons) is always going to feel forced to provide their potential customers with a sea of red crosses when they use these icons, I can’t really see the concept taking off too readily.

What do you mean a sea of red crosses?

Well, what happens when data collected and processed for a controller’s legitimate business needs just might need to be acquired by a law enforcement agency for law enforcement purposes? Or when personal data in paper files can’t be encrypted?

How many ticks does that leave you with, then?

Anyway, let’s look on the bright side. It is a nice try – and it makes a great slide for a data protection PowerPoint presentation.