Saturday 31 December 2016

My (somewhat unreliable) data protection predictions for 2017

I’ve recently had a quiet year on the blogging front – my professional duties have prevented me from playing a more active role on the Internet during this year than I would have liked, but that is set to change in 2017. 

My professional work this year included acting as a specialist adviser to the Joint Parliamentary Committee on the Draft Investigatory Powers Act, one of the most significant pieces of legislation to be laid before Parliament for many years, to advising large (and some not so large) companies, particularly in the financial services sector, on the steps they should consider taking to show how they comply with their current and their future data protection obligations.

Next year? Who knows whom I’ll be advising!

But what can I (unreliably) predict for the forthcoming year?

  1. The incoming Deputy Information Commissioner (Policy), who starts work in Wilmslow on 30 January, will amaze the data protection community with his knowledge of data protection law and practice. He will be supported through the year by key ICO staff who have a very considerable amount of knowledge of data protection law and practice.
  2. An increasing number of organisations will realise that, unless they start soon, they won’t have the time (or access to much external professional support) to fully prepare for the coming into force of the GDPR in May 2018. There are, after all, only 513 days to go. The final text of the GDPR was published some 750 days before the implementation date. Many organisations have done virtually nothing during the first third of the preparation period.
  3. A couple of private sector firms will decide to pay an ICO Civil Monetary Penalty, rather than go into liquidation and, like a phoenix, arise from the ashes and continue trading under a different corporate name.
  4. Data protection professionals will continue to feast on nuggets of guidance from the Article 29 Working Group, despite some of the Working Party officials privately advising key opinion formers to ignore parts of what was “agreed”. The Working Group offers opinions. They're not definitive statements of the law that must be ruthlessly adhered to.
  5. European courts and European privacy regulators will continue to present challenges to European law enforcement authorities, making it even more cumbersome for stored communications data to be used to fight various types of crime. Even the ICO may be denied access to communications data to address the problems caused by spam, because sending unsolicited communications may not be a sufficiently serious “crime” to justify the use of stored communications data for such a purpose.
  6. The ICO’s new satellite office in Central London will prove so successful that an increasing number of staff will want to work from that office. It is, after all, quite a long way from Wilmslow.
  7. The Information Commissioner will continue to increase the profile of herself and her office, using a wide variety of channels to get the message across. Her highlight of the year will be an appearance on Desert Island Discs.
  8. Stratospheric salaries offered to experienced data protection practitioners in the (heavily regulated parts of the) private sector will continue to encourage ICO staff to seriously consider their commitment to working long-time for the regulator. 
  9. Public sector data controllers will, facing yet another series of efficiency savings, find it harder to evidence how they are meeting data protection requirements. Some “good” public authorities will become “grotty” at evidencing data protection.  More public authorities will ask the ICO not to publish the executive summaries of recent ICO audits. Unlike data protection professionals, local councilors are occasionally eligible for civil Honours, and they wouldn't want to jeopardise their chances of an Honour by being associated with a data protection snafu.
  10. The British Computer Society will demonstrate its commitment to data protection education by withdrawing the harder of its two professional data protection certifications, on the grounds that not enough candidates can be bothered to take such a rigorous exam to make it financially viable. 
Thats is it for this year’s predictions. My crystal ball clouds over when Brexit is mentioned.  No one has the faintest idea of what the data protection implications will really be. My heart tells me that the UK will experience a hard Brexit, and that however the GDPR is implemented by the UK, the EU will refuse to accept that ‘Blighty has data protection standards that are equivalent to those that prevail elsewhere in the EU. Despite this, I remain confident that the UK will end up with data protection standards that are both realistic and appropriate for people who live in the UK.

My glass is always half full. Its never half empty.

Happy New Year.