Did you want to re-phrase that?


Firstly, I saw this picture online the other day and I liked it. I think it accurately condenses down some of the nonsense that is flying around at the moment on privacy, data protection or even press standards. If I say one thing, I can distract you from the other thing that is actually much bigger and in some parts, more of a revelation.

Being the keen young data protection professional that I am, when I heard that there was going to be a revised Data Protection Regulation throughout Europe my first reaction was “oooh pay rise!”… and then a chilling realisation set in that a major change to DP would spark a massive argument and reveal the extent to which privacy is invaded. It would appear that I was right on one front (if I don’t say so myself) and mysteriously not quite right on the other… or am I?

An interesting theme that came out of an event today run by the UK government was that, for all the businesses that were there, their bark was deliberately loud. “This will harm business”, “stunt innovation”, “cripple the economy” and even “kill the ability to track marketing campaigns” (quite where that one came from I’m not sure). These are just some of the quotes given from different sectors among many more. But what remained clear and consistent through all of them was an undertone of either a lack of current legislation or a lack of compliance with current legislation.

Case in point: there was a point raised about the need for small businesses to comply with PCI DSS, however in the same breath stating that complying with DP was killing their businesses. Well, surely by following PCI DSS you’re already 3 steps closer to DPA compliance? Surely they go hand in hand for an SME? Apparently not.

Another example was the subject of SARs and that under the regulation it would be a massive burden on business to provide information on request in such detail. I believe that the current DPA gives data subjects the right to ask for all data that can identify them? Apparently the regulation would mean that they have to search all their databases and provide the information back to the requester… you don’t already? Is that an accidental admission of non-compliance with SAR? Who knows, but through all the objections (some of which are perfectly valid) some organisations are showing their hand and revealing indirectly that they already have compliance issues. But coming back to the title, let us not blame the new regulation for your non-compliance issues. You don’t comply at the moment because historically DPA compliance has always been marginalised; the regulation (in whatever format) just makes you answer that question you’d rather not discuss.

The other point that comes up again and again is from the marketing organisations. If you take away our implied consent we won’t be able to market to customers, we won’t be able to create unique profiles, we won’t be able to track marketing campaigns (to quote but a few). Ladies and gentlemen, this is also not the real issue. The issue isn’t the fact that “targeted marketing” is given to consumers; it is the ridiculous amount of data sharing that goes on by marketing organisations, it’s the distinct lack of security around that data and the excessive collection of that data. And what, may I ask, is wrong with a data subject knowing what marketing profile you have on them? But those points seem to be overlooked and instead we cry foul – that way we are crying foul about future issues and distracting from current issues and lack of compliance.

Now, I have my issues with the proposal and I do believe that it isn’t an “all singing, all dancing” regulation and the world is in for some interesting times ahead. But I just wish that in these discussions “smoke and mirrors” politics wouldn’t come into play and instead we actually discussed the issues that plague us today. What are the pitfalls we face today and will they be any worse under the new regulation? No? Oh well, next issue. Yes? So why is that? Is it because of a conscriptive law or is it because of culture or resources?

I heard a story today regarding law writing that goes like this. In Africa, 3 tribes lived along the banks of a clear water river and used the river for their water supply. As things modernised and progressed, the river, and their drinking water, was becoming polluted because people were dumping rubbish in the river. The 3 tribe leaders met and created some rules about what not to put into the river. But as with all rules, people just put things in the river that were not on the list and the problem continued. The 3 tribe leaders met again and suggested getting a police force to police the river and catch people that were polluting. One of the tribe leaders said no, and instead that in his village he has ruled that all villagers must get their drinking water downstream from the village. Therefore anything that was dumped in the river by the villagers would end up back in their own drinking and bath water. All 3 tribe leaders agreed to this and that’s what they did – funnily enough, pollution in the river stopped.

The moral of that story, boys and girls, is a subject for another time…


Privacy: have you seen it around these parts?

Privacy is the big buzz word of late. Europe, the UK, the US – they all have it in their agendas and they all are looking in one form or another to enhance their legislation on the concept of privacy. But behind all that, what is privacy? Is privacy just a legal framework to follow and audit ourselves against or is it something much more than that?

Before I entered the world of “information rights”, if you had asked me what privacy was I would have said it was my right to keep things from my parents. I don’t want them knowing what’s in my bedside drawer! The concept of government access or inappropriate sharing would never cross my mind. And for your average Joe today, if you were to stop them in the street, you would get an answer something along the lines of “it’s my right to do as I please without anyone knowing”. (Or a lot of blank faces – but I like to be optimistic). With that in mind, when you’re applying the subtleties of the DPA, where does the fairness of processing data in India come in against that background?

I was overjoyed when I saw a legal case a month or so ago where it was decided that there was a breach of DPA because someone had breached the HRA. Processing of information that really does breach your right to privacy now is unlawful under the DPA. Surely this was obvious before now? No, apparently not. Historically providing you can meet one of the DPA conditions then you could process personal data, even if the processing seemed somewhat at odds with the concept of “no one knowing what I do”.

There are those that argue that the DPA is not your right to privacy, and they are right; it is not. However what is the DPA designed to do if not safeguard something? Your privacy maybe? In the Oxford English Dictionary the definition of “safeguard” is to protect and ensure the safety of. Therefore surely any legal framework must at its very core be based on and seek to protect the very principle it seeks to ‘safeguard’?

I have only been in the world of privacy and information rights for the past 4 years and in that time I have worked with a wide range of privacy related issues. Privacy and its implications are everywhere; from the very top of government to the teacher and student at school. If privacy is to survive long term we need to rethink how we approach privacy and ask ourselves what is privacy? Has that idea of privacy changed since World War 2?

As usual these are just my thoughts designed to spark discussion. Thoughts and views welcome, especially as I am a newbie to blogs. 🙂