Firstly, I saw this picture online the other day and I liked it. I think it accurately condenses down some of the nonsense that is flying around at the moment on privacy, data protection or even press standards. If I say one thing, I can distract you from the other thing that is actually much bigger and in some parts, more of a revelation.
Being the keen young data protection professional that I am, when I heard that there was going to be a revised Data Protection Regulation throughout Europe my first reaction was “oooh pay rise!”… and then a chilling realisation set in that a major change to DP would spark a massive argument and reveal the extent to which privacy is invaded. It would appear that I was right on one front (if I don’t say so myself) and mysteriously not quite right on the other… or am I?
An interesting theme that came out of an event today run by the UK government was that for all the businesses that were there their bark was deliberately loud. “This will harm business”, “stunt innovation”, “cripple the economy” and even “kill the ability to track marketing campaigns” (quite where that one came from I’m not sure). These are just some of the quotes given from different sectors among many more. But what remained clear and consistent through all of them was an undertone of either a lack of current legislation or a lack of compliance with current legislation.
Case in point: there was a point raised about the need for small businesses to comply with PCI DSS, however in the same breath stating that complying with DP was killing their businesses. Well surely by following PCI DSS you’re already 3 steps closer to DPA compliance? Surely they go hand in hand for an SME? Apparently not.
Another example was the subject of SARs and that under the regulation it would be a massive burden on business to provide information on request in such detail. I believe that the current DPA gives data subjects the right to ask for all data that can identify them? Apparently the regulation would mean that they have to search all their databases and provide the information back to the requester… you don’t already? Is that an accidental admission of non-compliance with SAR? Who knows, but through all the objections (some of which are perfectly valid) some organisations are showing their hand and revealing indirectly that they already have compliance issues. But coming back to the title, let us not blame the new regulation for your non-compliance issues. You don’t comply at the moment because historically DPA compliance has always been marginalised; the regulation (in whatever format) just makes you answer that question you’d rather not discuss.
The other point that comes up again and again is from the marketing organisations. If you take away our implied consent we won’t be able to market to customers, we won’t be able to create unique profiles, we won’t be able to track marketing campaigns (to quote but a few). Ladies and gentlemen, this is also not the real issue. The issue isn’t the fact that “targeted marketing” is given to consumers; it is the ridiculous amount of data sharing that goes on by marketing organisations, it’s the distinct lack of security around that data and the excessive collection of that data. And what, may I ask, is wrong with a data subject knowing what marketing profile you have on them? But those points seem to be overlooked and instead we cry foul – that way we are crying foul about future issues and distracting from current issues and lack of compliance.
Now, I have my issues with the proposal and I do believe that it isn’t an “all singing, all dancing” regulation and the world is in for some interesting times ahead. But I just wish that in these discussions “smoke and mirror” politics wouldn’t come into play and instead we actually discussed the issues that plague us today. What are the pitfalls we face today and will they be any worse under the new regulation? No? Oh well, next issue. Yes? So why is that? Is it because of a conscriptive law or is it because of culture or resources?
I heard a story today regarding law writing that goes like this. In Africa, 3 tribes lived along the banks of a clear water river and used the river for their water supply. As things modernised and progressed, the river, and their drinking water, was becoming polluted because people were dumping rubbish in the river. The 3 tribe leaders met and created some rules about what not to put into the river. But as with all rules, people just put things in the river that were not on the list and the problem continued. The 3 tribe leaders met again and suggested getting a police force to police the river and catch people that were polluting. One of the tribe leaders said no, and instead that in his village he has ruled that all villagers must get their drinking water downstream from the village. Therefore anything that was dumped in the river by the villagers would end up back in their own drinking and bath water. All 3 tribe leaders agreed to this and that’s what they did – funnily enough pollution in the river stopped.
The moral of that story, boys and girls, is a subject for another time…