Yesterday’s meeting of the Data Protection Forum offered some extremely valuable insights for those of us who still have energy to care about the forthcoming Data Protection Regulation. Before – and after a really good – festive lunch, a few of the finest minds in the business offered their considered opinions.
What is becoming clearer is the political will to deliver something by the end of 2015. An exhausting deliberative process must soon be seen to come to an end – exclaim many of the negotiators that have worn themselves out by attending interminable meetings where the data protection horse trading is carried out.
We are fast approaching the gaming stage of the process – where various blocs within the negotiating groups fathom out who has a blocking minority against what, and what regulatory requirement can be grudgingly accepted, so long as another one that someone else wanted is dropped.
Like sausages, you really don’t want to know too much about how legislation as complex as this is actually made.
To get past the finishing line, the smartest minds are accepting that:
1. The legislative proposal is going to require the countries currently claiming to have the highest data protection standards to compromise a bit, and accept that the price to pay for common standards will be for standards in some areas to be lowered recalibrated.
2. The legal instrument might well be called a Regulation, and be directly applicable across the Union, but some Member States may well augment those standards with local rules.
3. To meet the deadline (which is more set for PR purposes rather than to ensure that all the requirements are achievable and fit for purpose) the standards in the legislative proposal will need to be viewed as legislative aspirations, rather than what is actually workable.
So, what should a concerned data controller do?
To keep one’s powder dry, and to focus scarce resources on the people who will matter in 2015, my suggestions are:
1. Stop bombarding the DAPIX negotiating teams with ever more sets of representations. They (basically) know what the score is, and where the fundamental problems lie.
2. Don’t bother too much with the MEPs, either. Few know enough about the detail of the Regulation to make an impact, and even fewer can be bothered to delve into the details of a decision that will profoundly affect the next generation of European citizens. The final result in the European Parliament will depend on the block votes of the main political groupings. These groups are so huge they are basically unmanageable in terms of lobbying, anyway.
3. Focus on the Data Protection Regulators. The sooner organisations point them to the practical compliance problems, the easier it will be to claim (in defence) “but I told you so” when said organisations run into problems as they fail to match the aspirations of the Regulation once it's on the statute book.
4. Take a deep breath and relax. It’s not all doom and gloom. There could well be so many organisations that fail to meet the new standards that regulators will be overwhelmed by the magnitude of the compliance work they will face. Yes, if you are an organisation that has been singled out, and made an example of, then life in the Boardroom will be very uncomfortable for a few months. But the pain will pass.
5. So many Euro insiders have repeated the mantra to me that if you can meet the current rules, then the new ones won’t really affect you. So, the message I take from this is to focus on the data protection basics. Sort out the issues that the ICO would raise should it choose to carry out a health check within your own organisation today. And leave the really complicated compliance stuff to the likes of Amazon, Google, Facebook and Yahoo! - whose world-class compliance teams will always be engaging with the regulators.
Organisations that fall foul of the new regulations do have a new set of friendly shoulders to fall back on. Last night’s all-star UK launch of PWC’s new data protection, privacy, confidential and security service was a great success. It’s really going to shake up the market. More about that will appear in another blog.
Some of the data protection professionals who were not fortunate enough to solicit an invitation to the PWC launch consoled themselves after the Data Protection Forum’s festive lunch with a trip to the Tower of London and a quick squint at the Crown Jewels, courtesy of their chums at Linklaters.
Today's image, taken at the PWC launch, looks over the River Thames to the Tower of London, where the alternative gathering was taking place.
But after the DPF's festive lunch, PWC really was the place to be, yesterday.