In homage to the eight Data Protection Principles, I humbly
offer eight predictions for 2013. There’s good news for some, and less good
news for others. Early in 2014, I hope to revisit this list to see how I’ve fared.
1. The data protection industry will continue to flourish
Data protection is increasingly considered as a profession,
rather than a trade. But, the race to professionalise the industry is
accompanied by a desire, certainly on the part of those in the ascendant, to
overcomplicate concepts that ought to be readily understood by everyone. The
race to develop elaborate data protection laws will increasingly be seen as a
form of data protection exclusion, or apartheid. When only the brightest of the
bunch can comprehend the relevant laws, data protection salaries will soar for
those working in the few sectors that really can afford to care about privacy.
Eventually the bubble will be pricked by the pragmatists, who will argue that
standards need to be capable of being understood and implemented by people like Homer Simpson
as well as Albert Einstein, if they are to be universally applied. But that
bubble won’t be pricked in 2013.
2. Minor privacy breaches will become less newsworthy
The public will tire of reading about the same old issues. Just
as celebrities are recycled, and reality TV shows generate transient
micro-celebrities, new stories will emerge to keep data protection in the public eye.
Trivial data breaches will become less toxic to brands, as there will be so
many more reports of more significant incidents. Commentators will increasingly
challenge the regulator to do something about them, while simultaneously
calling for further cuts in public expenditure to address Britain’s economic
woes.
3. The “fundamental rights” brigade will clash with the “can’t pay, won’t pay” brigade
The financial impacts of the public policy aim to improve
data protection norms will result in a public fight between (1) privacy
campaigners, who just want higher standards regardless of the costs; (2) data
controllers, who concede that data protection standards need improving, but not
at the expense of reducing the focus on other, more pressing corporate
requirements; and (3) regulators, who will do whatever is necessary to keep
their own agenda in the public eye. Frankly, I wouldn’t bet on the chances of
the fundamentalists winning this epic battle.
4. More research will be commissioned on the point of regulating privacy
If we know anything from existing research on privacy, it’s
that different sections of the community in different countries consider
different aspects of their lives to be “private and personal”. They do not care
so much about other aspects of their lives.
This will further question the “one rule to rule them all” strategy,
which is currently proposed to address EU data protection issues. There will be
increasing acceptance that data protection is not a “fundamental right” but a
social strategy – and one that will be hard to apply across a group of nation
states whose societies and cultures are not aligned. Supporters of the
subsidiarity principle will continue to increasingly challenge the European
Commission about its competence to regulate privacy.
5. A fundamental review of the ICO’s Civil Monetary Penalty strategy will be announced
Everyone needs a regular review of their practices, to
ensure that their strategies are working effectively. An independent analysis will be
commissioned on the extent to which the ICO’s current strategy has led to
behavioural change and improved data protection standards, especially among local authorities. Can it be right that so many self-reported breaches result
in Civil Monetary Penalties? How does this incentivise self-incrimination? Will
the ICO’s health and safety team have to issue a warning to the enforcement team
that they could easily strain their back muscles by bending down to collect so
much low-hanging fruit?
6. The Ministry of Justice will commission a very discreet search to identify a suitable replacement for Christopher Graham, Information Commissioner, after which a fair and open competition will be announced
Christopher Graham’s term of office expires in June 2014. The
next incumbent will probably serve a fixed term of 7 years. It will be
interesting to learn whether the new Commissioner is as keen on dealing with internal
management issues as with policy issues. With an organisation the size
of the ICO’s, it’s going to be pretty hard to find someone with an equal
interest in both. Especially if a
significant part of their time will be devoted to restructuring the ICO should
Parliament decide that the organisation needs to be even more selective to be
effective.
7. The ICO’s Management Board will commission a very discreet search to identify a suitable replacement for David Smith, Deputy Information Commissioner, should he decide to retire
David is an extremely experienced and respected member of
the data protection community, but even he might wish to retire in the next few
years. Finding a replacement will not be easy. But it is critical – for if the
new Commissioner is to be seen as the management strategist, then the policy
heavy lifting will need to be led by an authoritative expert who can quickly
earn respect from all sides of the community. Unlike the fixed term of the
Commissioner, though, this very important (and unelected) post could be held by
an incumbent for the rest of their working life. Or, the next jobholder will need to be a
management bruiser, capable of delivering organisational change while the
Commissioner focuses on policy.
8. Someone with data protection experience will join the ICO
Why should this be such a far-fetched prediction? Surely,
it’s about time that, rather than merely incubating raw data protection talent
that acquires experience and a formal ISEB qualification, before leaving to
work elsewhere, someone who already knew quite a bit about the subject joined
the regulator.
Image credit: http://noelanirodriguez.com/wp-content/uploads/2012/04/Crystal_Ball___Stock_by_Sassy_Stock.jpg