One of Britain’s brightest academics has recently blogged on the (slim) possibility
that new data rules will be agreed this year. It’s a great read, as Kuan Hon’s infographics starkly set out the huge task that faces those who are trying to
craft a consensus about the new rules.
I would go further, and suggest that the little madam portrayed in today’s image
has a better chance of finishing her chocolate bar than most data protection
professionals have of being able to influence whatever data rules may
eventually be imposed on European citizens.
The DAPIX negotiators are (rightly) tired of hearing from us. They’ve a good idea
of the practical difficulties that will face those who are keen on complying with
the new rules – but should a new text be aspirational in nature, or merely be
capable of being complied with?
Too many member states still have fundamental reservations with significant parts
of the text.
Of course it’s taking a long time to reach agreement on such a significant issue.
Today, the EU comprises twice as many independent states as
existed when the original Data Protection Directive was devised. Each Member
State is keen to preserve its own cultural identity, and is wary of signing up
to a legal framework which, at 82 pages long, is far too complicated for
fair-minded folk to understand.
So what if there are huge financial penalties for the data giants that will fall
foul of the rules? That’s just window dressing to give the impression that the proposed
legal framework will have teeth.
What I suspect will happen when a revised text emerges is that many companies in the
regulated industries (and by this I mean companies in industries that have
regulators other than the data protection regulator) will try to do what they
can to comply.
But, and this is a big but, huge numbers of companies that aren’t used to operating
within a regulatory environment will remain bewildered by the byzantine
complexity of all this compliance stuff and will continue to “game” compliance.
They’ll assess what resources the regulators have, and they’ll assume that said
regulators will be so busy with the big guys that there will never be enough
time for them to look closely at anyone else.
Even Blighty’s mighty herd of ICO auditors has limited resources. The ICO audits at
least one organisation a week, and makes an advisory visit to perhaps 1 or 2 organisations
each week. But there are more than 370,000 data controllers in the UK. So,
organisations that don’t consider themselves to be in high-risk categories are highly
unlikely to ever hear the ICO’s knock on their door. Which is probably fortunate
for them, as I wonder how long it will take the majority to know about (or care
much about) the changes that should be made to their systems to comply with
whatever new rules may emerge.
The more complicated data protection compliance gets, the harder it is to remember
how consumer interests are being better protected.
If anyone has time, it would be helpful if they could remind me just how
individuals’ lives are likely to be improved by the new rules.
Call me a cynic but I’m not sure how, in concrete terms, individuals' lives actually will be
improved.
Sources:
http://blog.kuan0.com/2015/01/data-protection-directive-vs-draft-data.html
https://ico.org.uk/action-weve-taken/audits-advisory-visits-and-outcome-reports/
Image credit:
http://www.commonsenseevaluation.com/tag/giant/#sthash.q5Ysbhnl.dpbs