Showing posts with label business processes.

Tuesday, 13 March 2012

Privacy Must Be A Core Business Competence

The European Commission's proposed General Data Protection Regulation is just that: general regulation. No longer can businesses afford to treat data protection compliance as a 'bolt-on' to their marketing department, or even the compliance department. CEOs need to understand how the demands of personal data privacy are going to re-shape their business.

Just ask yourself whether you think the following rights go to the heart of any business that deals with individuals: the "right to be forgotten", "data portability", "data protection by design and by default", the logging/reporting of personal data security breaches, personal data processing impact assessments, prior consultation and regulatory consent for potentially risky processing. Not to mention requirements for enhanced internal controls, numerous enforcement and compliance burdens, and the obligation to appoint a data protection officer.

The trouble is, none of these concepts is straightforward, nor are the rules easily digested.

But digest them you must. Even if they don't make it onto the statute books, the genie is out of the bottle. Many of these 'rights' reflect the current concerns of at least some consumers (albeit most of them probably also happen to work for the European Commission and various consumer groups). Existing services will be judged against them as 'best practice'. Some businesses and new entrants without legacy systems will factor them into new services. And if they do make it onto the UK's statute books, you can bet they'll be gold-plated.

The Society for Computers and Law has done a great job of stimulating debate on the EC's proposals, and helping identify the implications for businesses generally. But there's a long way to go before the practical implications for businesses and business models are understood and fed back to the authorities in time for a new directive to be finalised in 2014. In fact, bitter experience suggests this won't happen at all.


At a recent seminar, Mark Watts, Chair of SCL's Privacy and Data Protection Group, polled about 100 delegates on the questions asked in the four-week Ministry of Justice consultation on the EC's plans. The results can be downloaded via the Society for Computers and Law web site. One response made a telling point:

'Writing wide-ranging, broadly applicable laws that affect almost everything a business does but which can only be interpreted and implemented with the assistance of specialist data protection lawyers is surely not the best way to go. Laws that potentially affect so much of what ordinary business does on a day to day basis should be capable of being understood by "ordinary businessmen". The Regulation is a long way from this and will keep data protection lawyers in business for years.'

Further, as Dr Kieron O'Hara explains in relation to the technological challenges presented by the 'right to be forgotten' in his excellent article in this month's Computers & Law magazine, the EC's ambitious plan for personal privacy requires "a socio-legal construct, not a technical fix."




Tuesday, 3 May 2011

Week One: Build A Decent Framework

The first week in any new in-house role or project has many defining moments. Are you friendly and approachable, or nervous and shy? Do you listen respectfully before suggesting improvements, or arrogantly impose your own experience and expertise from the outset? Do you have a plan for how you'll approach your new role, or will you simply react to demands on your time?

One advantage to having worked in nearly a dozen businesses over the past twenty years or so is having the opportunity to experience many 'fresh starts'. Here are three steps I've learned to take each time:

1. Research the business and its products: You should've done this at interview stage (along with understanding the overall market context), but you probably didn't get the whole picture from company filings, web sites and other publicly available material. Depending on seniority, you may not get much more. Play the 'newbie' card while you can. Try to meet the lead business people and ask plenty of questions about their successes and key challenges. Ask each product manager to explain how his or her product works. Make a note of anything that surprises you - good or bad. Understand the business problem-solving methodology (if any), project planning framework (if any) and the end-to-end business processes that comprise or support the products - how customers are signed up, complaints are handled, how distribution works, the supply chains, how contractual rights are enforced. Due diligence reports, regulatory filings, major contracts, sales presentations and process maps all make great source material.

2. Figure out the top ten challenges for the business: This can be a hair-raising experience, especially in a young business or one that's poorly run. Try to be discreet, patient and under-react until you've figured out the list and considered how to align yourself with each challenge. A well-managed business will identify and prioritise its most significant challenges annually. In that case, figuring these out will involve a fairly easy discussion with the boss about the business planning cycle, the current plan and where you fit in. In other cases, there may be no clarity at all, and no process for achieving it - great opportunities for anyone with an analytical mind and a positive attitude. Clearly the annual revenue target, major product launches, acquisitions and any substantial new regulation will be likely to feature in the top ten. Addressing the organisation's substantial strengths, weaknesses, opportunities and threats should round out the list.

3. Figure out the top ten legal challenges: What the lawyers need to do should have become pretty clear by now. Of course you have to factor in your own major initiatives, like getting a handle on significant contracts, contested litigation, training and competence, ensuring appropriate records retention and so on. But some of that will be business as usual. The major challenges should involve cross-functional co-operation - including public affairs and PR.

I'm interested in your thoughts.


Image from De Madera Constructions.