Monday, 12 January 2015

Fat chance of new data rules any time soon

One of Britain’s brightest academics has recently blogged on the (slim) possibility that new data rules will be agreed this year. It’s a great read, as Kuan Hon’s infographics starkly set out the huge task that face those who are trying to craft a consensus of agreement about the new rules.

I would go further, and suggest that the little madam portrayed in today’s image has a better change of finishing her chocolate bar than most data protection professionals have of being able to influence whatever data rules may eventually be imposed on European citizens.

The DAPIX negotiators are (rightly) tired of hearing from us. They’ve a good idea of the practical difficulties that will face those who are keen on complying with the new rules – but should a new text be aspirational in nature, or merely be capable of being complied with? 

Too many member states still have fundamental reservations with significant parts of the text.

Of course it’s taking a long time to reach agreement on such a significant issue. Today, the EU is comprised of a twice as many of independent states that existed when the original Data Protection Directive was devised. Each Member State is keen to preserve its own cultural identity, and is wary of signing up to a legal framework which, at 82 pages long, is far too complicated for fair-minded folk to understand.

So what if there are huge financial penalties for the data giants that will fall foul of the rules? That’s just window dressing to give the impression that the proposed legal framework will have teeth.

What I suspect will happen when a revised text emerges is that many companies in the regulated industries (and by this I mean in companies in industries that have regulators other than the data protection regulator) will try to do what they can to comply.

But, and this is a big but, huge numbers of companies that aren’t used to operating within a regulatory environment will remain bewildered by the byzantine complexity of all this compliance stuff and will continue to “game” compliance. They’ll assess what resources the regulators have, and they’ll assume that said regulators will be so busy with the big guys that there will never be enough time for them to look closely at anyone else.

Even Blighty’s mighty herd of ICO auditors has limited resources. The ICO audits at least one organisation a week, and makes an advisory visit to perhaps 1 or 2 organisations each week. But there are more than 370,000 data controllers in the UK. So, organisations that don’t consider themselves to be in high-risk categories are highly unlikely to ever hear the ICO’s knock on their door. Which is probably fortunate for them, as I wonder how long it will take the majority to know about (or care much about) the changes that should to be made to their systems to comply with whatever new rules that may emerge.

The more complicated data protection compliance gets, the harder it is to remember how consumer interests are being better protected.

If anyone has time, it would be helpful if they could remind me just how individuals’ lives are likely to be improved by the new rules.
Call me a cynic but I’m not sure how, in concrete terms, individuals' lives actually will be improved.


Image credit: