Monday, 31 December 2012

My data protection predictions for 2013

In homage to the eight Data Protection Principles, I humbly offer eight predictions for 2013. There’s good news for some, and less good news for others. Early in 2014, I hope to revisit this list to see how I’ve fared.

1. The data protection industry will continue to flourish
Data protection is increasingly considered as a profession, rather than a trade. But the race to professionalise the industry is accompanied by a desire, certainly on the part of those in the ascendant, to overcomplicate concepts that ought to be readily understood by everyone. The race to develop elaborate data protection laws will increasingly be seen as a form of data protection exclusion, or apartheid. When only the brightest of the bunch can comprehend the relevant laws, data protection salaries will soar for those working in the few sectors that really can afford to care about privacy. Eventually the bubble will be pricked by the pragmatists, who will argue that standards need to be capable of being understood and implemented by people like Homer Simpson as well as Albert Einstein, if they are to be universally applied. But that bubble won’t be pricked in 2013.

2. Minor privacy breaches will become less newsworthy
The public will tire of reading about the same old issues. Just as celebrities are recycled, and reality TV shows generate transient micro celebrities, new stories will emerge to keep data protection in the public eye. Trivial data breaches will become less toxic to brands, as there will be so many more reports of more significant incidents. Commentators will increasingly challenge the regulator to do something about them, while simultaneously calling for further cuts in public expenditure to address Britain’s economic woes.

3. The “fundamental rights” brigade will clash with the “can’t pay, won’t pay” brigade
The financial impacts of the public policy aim to improve data protection norms will result in a public fight between (1) privacy campaigners, who just want higher standards regardless of the costs; (2) data controllers, who concede that data protection standards need improving, but not at the expense of reducing the focus on other, more pressing corporate requirements; and (3) regulators, who will do whatever is necessary to keep their own agenda in the public eye. Frankly, I wouldn’t bet on the chances of the fundamentalists winning this epic battle.

4. More research will be commissioned on the point of regulating privacy
If we know anything from existing research on privacy, it’s that different sections of the community in different countries consider different aspects of their lives to be “private and personal”. They do not care so much about other aspects of their lives. This will further question the “one rule to rule them all” strategy, which is currently proposed to address EU data protection issues. There will be increasing acceptance that data protection is not a “fundamental right” but a social strategy – and one that will be hard to apply across a group of nation states whose societies and cultures are not aligned. Supporters of the subsidiarity principle will continue increasingly to challenge the European Commission about its competence to regulate privacy.

5. A fundamental review of the ICO’s Civil Monetary Penalty strategy will be announced
Everyone needs a regular review of their practices, to ensure that their strategies are working effectively. An independent analysis will be commissioned on the extent to which the ICO’s current strategy has led to behavioural change and improved data protection standards, especially among local authorities. Can it be right that so many self-reported breaches result in Civil Monetary Penalties? How does this incentivise self-incrimination? Will the ICO’s health and safety team have to issue a warning to the enforcement team that they could easily strain their back muscles by bending down to collect so much low hanging fruit?

6. The Ministry of Justice will commission a very discreet search to identify a suitable replacement for Christopher Graham, Information Commissioner, after which a fair and open competition will be announced
Christopher Graham’s term of office expires in June 2014. The next incumbent will probably serve a fixed term of 7 years. It will be interesting to learn whether the new Commissioner is as keen on dealing with internal management issues, compared with policy issues. With an organisation the size of the ICO’s, it’s going to be pretty hard to find someone with an equal interest in both. Especially if a significant part of their time will be devoted to restructuring the ICO should Parliament decide that the organisation needs to be even more selective to be effective.

7. The ICO’s Management Board will commission a very discreet search to identify a suitable replacement for David Smith, Deputy Information Commissioner, should he decide to retire
David is an extremely experienced and respected member of the data protection community, but even he might wish to retire in the next few years. Finding a replacement will not be easy. But it is critical – for if the new Commissioner is to be seen as the management strategist, then the policy heavy lifting will need to be led by an authoritative expert who can quickly earn respect from all sides of the community. Unlike the fixed term of the Commissioner, though, this very important (and unelected) post could be held by an incumbent for the rest of their working life. Or, the next jobholder will need to be a management bruiser, capable of delivering organisational change while the Commissioner focuses on policy.

8. Someone with data protection experience will join the ICO
Why should this be such a far-fetched prediction? Surely, it’s about time that, rather than merely incubating raw data protection talent that acquires experience and a formal ISEB qualification, before leaving to work elsewhere, someone who already knew quite a bit about the subject joined the regulator.
