Wednesday 3 December 2014

Who needs to be influenced as the Regulation rolls on (and on)?

Yesterday’s meeting of the Data Protection Forum offered some extremely valuable insights for those of us who still have energy to care about the forthcoming Data Protection Regulation. Before – and after an really good – festive lunch, a few of the finest minds in the business offered their considered opinions.

What is becoming clearer is the political will to deliver something by the end of 2015. An exhausting deliberative process must soon to be seen to come to and end – exclaim many of the negotiators that have worn themselves out by attending interminable meetings where the data protection horse trading is carried out.

We are fast approaching the gaming stage of the process – where various blocs within the negotiating groups fathom out who has a blocking minority against what, and what regulatory requirement can be grudgingly accepted, so long as another one that someone else wanted is dropped.

Like sausages, you really don’t want to know too much about how legislation as complex as this is actually made.

To get past the finishing line, the smartest minds are accepting that:

1.    The legislative proposal is going to require the countries currently claiming to have the highest data protection standards to compromise a bit, and accept that the price to pay for common standards will be for standards in some areas to be lowered recalibrated
2.    The legal instrument might well be called a Regulation, and be directly applicable across the Union, but some Member States may well augment those standards with local rules.
3.    To meet the deadline (which is more set for PR purposes rather than to ensure that all the requirements are achievable and fit for purpose) the standards in the legislative proposal will need to be viewed as legislative aspirations, rather than what is actually workable.  

So, what should a concerned data controller do?

To keep ones powder dry, and to focus scarce resources on the people who will matter in 2015, my suggestions are:

1.    Stop bombarding the DAPIX negotiating teams with ever more sets of representations. They (basically) know what the score is, and where the fundamental problems lie.
2.    Don’t bother too much with the MEPs, either. Few know enough about the detail of the Regulation to make an impact, and even fewer can be bothered to delve into the details of a decision that will profoundly affect the next generation of European citizens. The final result in the European Parliament will depend on the block votes of the main political groupings. These groups are so huge they are basically unmanageable in terms of lobbying, anyway.
3.    Focus on the Data Protection Regulators. The sooner organisations point them to the practical compliance problems, the easier it will be to claim (in defence) “but I told you so” when said organisations run into problems as they fail match the aspirations of the Regulation once it's on the statute book.
4.    Take a deep breath and relax. It’s not all doom and glom. There could well be so many organisations that fail to meet the new standards that regulators will be overwhelmed by the magnitude of the compliance work they will face. Yes, if you are an organisation that has been singled-out, and  made an example of, then life in the Boardroom will be very uncomfortable for a few months. But the pain will pass. 
5.    So many Euro insiders have repeated the mantra to me that if you can meet the current rules, then the new ones won’t really affect you. So, the message I take from this is to focus on the data protection basics. Sort out the issues that the ICO would raise should it choose to carry out a health check within your own organisation today.  And leave the really complicated compliance stuff to the likes of Amazon, Google, Facebook and Yahoo! -  whose world-class compliance teams will always be engaging with the regulators.

Organisations that fall foul of the new regulations do have a new set of friendly shoulders to fall back on. Last night’s all-star UK launch of PWC’s new data protection, privacy, confidential and security service was a great success. It’s really going to shake up the market. More about that will appear in another blog.

Some of the data protection professionals who were not fortunate enough to solicit an invitation to the PWC launch consoled themselves after the Data Protection Forum’s festive lunch with a trip to the Tower of London and a quick squint at the Crown Jewels, courtesy of their chums at Linklaters.

Today's image, taken at the PWC launch, looks over the River Thames to the Tower of London, where the alternative gathering was taking place.

But after the DPF's festive lunch, PWC really was the place to be, yesterday.