Your Lordships

This bill has been eagerly awaited by data protection professionals, whose careers
depend on its successful passage.

Please don’t worry too much that the bill is so very hard to understand. It's the
Government’s way of ensuring that a select band of privacy professionals will
be offered very significant salaries to decipher its contents and recommend
ways of complying with the key provisions.

The General Data Protection Regulation, which this Bill aims to complement, but
dare not copy out, was also a wasted opportunity to develop laws that the majority
of those who were to be affected by them might understand.

Its complexity will also fuel countless debates over the coming years in obscure
(data protection-related) internet chat rooms over precisely what the text
means, and whether data protection regulators (in the UK’s case, it’s the
Information Commissioner) have (a) agreed with their view and (b) bothered to
embark on any enforcement action against those that disagree with their view.

Many organisations will not realise just how the legislation affects them, so they
will not take steps to develop or improve their data protection practices. To
be frank, most organisations I know will not be able to comply with all the
requirements even by the end of 2018, even if they’ve already commenced their
compliance programme.
And, with regard to those that have not commenced their
preparations yet, even if their management were to take the decision today that
they should take steps to comply, there’s no way that they could meet the May
2018 deadline (the date when regulators are able to commence enforcement action
against offenders). This is because the vast majority of experienced data
protection professionals (those that have a reasonable understanding of the
requirements) are already fully engaged with other clients.

Regardless of what amendments are accepted today, in a few months’ time the focus will move
from what the statute will say to how it will be enforced. The legislation in
itself is unlikely to influence to a significant extent how many data controllers
will change their current behaviours.

What will really matter is what guidance will be issued by the ICO, and what
enforcement action will be taken against the miscreants.

Just as the value of an investment can rise or fall, the fact that the ICO has been
seen by many data protection professionals as a pragmatic, open and engaged
regulator in the past does not guarantee that it will continue to adopt a
pragmatic and engaged stance in the future. The personality of the person
occupying the post of Information Commissioner will be key, as will the
resources that are available to the ICO to meet the demands that will be placed
on it.

Using a phrase adopted by a previous Information Commissioner, the ICO has, in the
past, aimed to be selective to be effective. Whether, in times of extreme
public sector cuts, it can continue to recruit and retain the right calibre of
staff to enable it to continue to be as effective is an open question. In the
short term, I doubt it.

If the new legislation is to have much credibility, it needs to be enforced. It is
my hope that the legislation will be enforced, because that will highlight the
fault lines that exist. It will expose the difficulty that so many
organisations will have in evidencing how they comply with all aspects of the
law. It will clarify the areas where compliance is unduly burdensome and, in
most respects, a practical impossibility.

Because it is only when the faults in this bill are exposed that a coherent business
case will be developed to replace it with proposals that are far fitter for
purpose.

The UK has passed data protection legislation in 1984, and 1998, and it will do so
again in 2018.

I would not be surprised to see another Data Protection Bill before Parliament by
2024.
….