Sunday, 13 April 2014

DP compliance checks: what to look for

What does “good data protection” look like?

I’ve been asked that question several times over the past few weeks as I’ve carried out data protection health checks for a range of organisations.

It’s caused me to pause and reflect on what controls I’m really looking for in an organisation, and the extent to which these controls deal with real or potential threats that exist with regard to the organisation’s processing of personal data.

It’s also caused me to review a number of the audit methodologies that appear to be in use right now, and to refine my own approach, which appears to have been well received. My own approach now focuses much less on compliance with specific elements of data protection legislation, and much more on helping the client develop an oversight structure to give them the assurance they require when assessing how good they are at data protection.

It’s so nice to visit a client and barely mention the data protection principles. Instead, I’m following the ICO’s current thinking, which is to break data protection compliance down into a number of bite size chunks, and get the client to agree which “chunks” are most significant, as far as their organisation is concerned.

A close read of the audit reports currently published on the ICO’s website gives a good indication of what really really matters. So, organisations that have addressed these issues are going to be in a pretty good shape.

Write to me if you want more information about my methodology.

What has struck me, as I’ve carried out the latest series of health checks, is how insignificant the proposed (well, deceased) Data Protection Directive actually is. I use the term “insignificant” in the sense that I really can’t see how it might realistically improve data protection standards beyond what might reasonably be expected of anyone who was taking their current obligations seriously.

Putting this thought into a different set of words, current data protection compliance levels could so easily be improved if people just managed to understand and follow the existing rules. I have no confidence that the imposition of an even more complicated set of rules would motivate significant numbers of data controllers to “up their game”, as it were. If they lack the resources to deal with the basics, then all they are likely to do is to fall even further behind, in terms of legal expectations, if the impossibly high standards commended by the European Parliament ever see the light of day.

Of course, the draft Regulation does have some uses. It gives some people the opportunity to enhance the importance of data protection (and in doing so enhance their own status), by becoming an international talking head on this stuff. It gives teams of professional advisers the opportunity to sell their services to the (relatively small band of) clients that can afford to pay for such data protection wisdom. Proposals for legislative change also create more noise and opportunity for policymakers to earnestly consider what new rules ought to be put in place. But so many of these proposed changes simply tinker at the edges, rather than seek to fundamentally review what controls are really important for this and the next generation.

The controls that are really important are those that reward good behaviours.

We data protection folk have a lesson to learn from our financial services chums. Try as I can, I find it really hard to identify a link between, say, the volume and intensity of regulation in the financial services sector, and an increase in consumer confidence and trust in the integrity of financial services institutions. To generalise (and most unfairly, perhaps) it seems to me that certain awful standards in the financial services industry exist independent of the rules. I am appalled at the rate of return my (meager) investments are realising, but there is very little I can do about it.

The more I think about it, that Emperor of a Draft Regulation never really had any clothes. And, it had no more realistic chance of changing many data controllers’ behaviours than has the ICO chorus of winning “Britain’s Got Talent”.

So what should be done today?

For a start, organisations should look at their current controls and ask themselves if they are happy with what they see.

And, if they don’t know what they really ought to be looking out for, then all they have to do is drop me a line and ask me to outline my own approach towards pragmatic compliance with the ICO’s expectations.
