Blogs

Cookies, Tracking, current laws and the future

Earlier this week I wrote about how organisations should start gearing up for the challenges and opportunities of the forthcoming Data Protection Regulation by looking at how well they are complying with current principles, and in particular what they can learn from the mistakes of others as set out in the Annual Reports of the Data Protection Commissioner (if in Ireland) or the relevant Data Protection Authorities (e.g. the ICO in the UK).

This should be approached as a "quality systems" problem - with an emphasis on continuous improvement and making incremental changes over time rather than trying to push for a "big bang" fix. The latter approach won't work.

In parallel with that line of thinking, I've been in deep strategy mode in relation to Castlebridge Associates and how our approach to marketing and communicating might need to evolve to meet the challenges of today and the opportunities of tomorrow. This was in part triggered by my involvement in a number of audits, green field projects, and reviews of the Data Protection Regulation over the past few months. In particular, questions that have arisen about the scope and extent of some of the provisions of the Regulation had me assessing e-marketing in the context of SI336 (which enacts the ePrivacy Directive in Ireland).

The new EU Regulation and why Compliance today is now more important

Over the past few weeks I've delivered a number of briefings to various groups about the new EU Data Protection Regulation and its implications for businesses. I'll be uploading some of the materials to the site over the coming days for reference. [Here's the webinar I did for DataQualityPro.com]

One of the key questions from audiences was "What do we need to do now to avoid penalties in the future?" Unfortunately it wasn't actually asked in that way, so I'm having to exercise some license here when answering the question. The glib answer is that you start avoiding penalties in the future by avoiding them in the present. The less glib answer requires you to start from two specific points, one temporal and one strategic. I'll explain briefly what I mean.

The Castlebridge Associates Submission to DoJ review of EU DP Regulation

Attached to this post is the Castlebridge Associates submission to the Dept of Justice review of the draft EU Data Protection Regulation. It's somewhat lengthy and goes into a number of issues which the company felt were important and required either a rethink or a clarification from the Commission, or presented an opportunity to do something radical to shake up Data Protection and encourage compliance.

In other areas of the submission we echo concerns raised by the Article 29 Working Group about "Delegated Acts" and other issues.

Among the ideas we put forward are:

  • A "penalty points" scheme for low-scale Data Protection breaches, something that I first blogged about as a thought doodle back in 2010 in another forum
  • A need for indemnity for Data Protection Officers who do their job to the best standard, similar to the statutory exemption for FOI officers under FOI legislation
  • A need to rethink the 250 employee threshold for Data Protection Officers and other provisions kicking in, instead suggesting the "Big Data" dimensions of Velocity, Variety, and Volume provide a better structure for risk assessment (a theme I picked up on in recent presentations to Cloud Arena and in DCU, and which I'll be talking about next week (9th May) with DataQualityPro).
  • Highlighting that while there are penalties for organisations who don't resource their DPOs properly, there are no such penalties for Governments who fail to support their Data Protection Authorities.

We also included, as is almost the mantra at this stage, that for Data Protection to be taken seriously the DPC needs to be taken seriously by the Government and resourced properly. While this might sound like a turkey voting for Christmas given what we do here, we're of the view that a properly resourced Regulatory authority is essential to avoid the problems which beset the financial sector due to 'light touch' regulation. If the DPC's staff are too busy to respond in a timely manner to requests for prior assessment of processing (as I've experienced with clients) then that can only be bad for developing innovative businesses in Ireland that can use data cleverly but compliantly.

Some of what we have suggested has also been featured in submissions from the Irish Direct Marketing Association (I co-ordinated putting that together) and the Irish Computer Society/Association of Data Protection Officers (I contributed to that one too), so perhaps these ideas will have enough critical mass to be considered at some level in the EU or national legislature.

We would welcome feedback on the Castlebridge submission in the comments here.


The need for something Fishy

It is not for nothing that the famous “Fishbone diagram” for root cause analysis reflects more than just technology and technical components of processes and change. People, Processes, and Culture are all equally, if not more, important factors that lead to project failures or delivery of poor quality information or services.

The introduction of Shared Services or similar strategic changes in organisations invariably requires the integration of Information through the consolidation of systems and processes to achieve the sought-for cost savings and efficiency benefits. There is little to be gained by centralising the operation of disparate systems, processes, and data sets. But recent studies by Bloor Research show that 60% of data migrations fail. Think about that: 60% of attempts to integrate data and processes fail. Shouldn't your organisation start your Shared Services journey by understanding why, and by trying to avoid the inevitable Programme failure that arises when people can't access data they need or can't trust the data they are accessing, leading to failures of service delivery at the front-line?

Data Protection, a growing area of media interest

Castlebridge Associates recently conducted a meta analysis of Google search results to try and get a picture of how the market environment has changed in relation to Data Protection/Privacy issues over the past seven years. We examined the situation in Ireland, with external reference points chosen from the UK and elsewhere. We'll freely admit that this is not the most scientifically rigorous study of this topic. However, our methodology is relatively simple and straightforward and can be easily replicated.

Horse and Cart Assembly - RTFM advised

Over the past few weeks there has been a glut of news stories in Ireland about proposed uses of, sharing of, or plans for data in Ireland. I've even been interviewed in the media about one of them in particular. In one interview I used the phrase "cart/horse assembly instructions" to describe the approach that seemed to be prevailing with regard to the development of key Information Assets.

2012 - The Year of Privacy?

Earlier this evening I had a long chat with my friend and fellow information nut Jim Harris about the trends and themes of Data Privacy, Data Governance, and Information Quality in 2011 and what they mean in 2012. 

My blunt take is that from 2012 onwards respect for Data Protection principles will increase, largely as a result of organisations having fallen foul of regulations in 2011, but also as a result of organisations not being in a position to waste money defending instances of breach, either of security or of fair obtaining or fair processing principles. The focus will move to designing privacy in, not through regulatory efforts per se but through 'enlightened self-interest'.

Over the course of the first quarter of 2012 this site will be getting a number of small make-overs to improve our own ability to meet or exceed the requirements of the Data Protection regulations within the technical limitations of the software tools we are using and the level of financial or other resource investment required.


  1. We will remove the need for anonymous users to have cookies written to their computers. This has been done already in the most recent build of the site.
  2. We will implement anonymisation of IP addresses which we process for a variety of technical and business process reasons. Again, this is underway with this build of the site.
  3. We will implement a register of Cookies and a clear mechanism by which site visitors can notify us of cookies which have been written from our domain to their computer which are not on the register.

Electronic Privacy Regulations - a mandate for Quality Modelling and Governance

Last month I discussed the need for organisations to step back and think about information and its meaning and purpose in the context of direct marketing suppressions. On the 1st of July the Irish Government enacted its national legislation to give effect to the Electronic Privacy Directive. Unlike the UK there is no moratorium on enforcement. Rather the Irish DPC has opted to enforce but to examine each case on its merits as the application of the legislation rolls out.

One of the interesting sections in the legislation is the definition of Electronic Communications. It is interesting to me as a hybrid lawyer/data guy because of what it requires organisations to do.


THINK

Doing it by Design: How thinking about the things can help you build a better suppressions model

Earlier in the week I wrote about the role of Information Governance and Information Quality principles in ensuring that an organisation meets its Data Protection obligations around the management of suppressions so that customers are not contacted in a manner which is unwelcomed or inappropriate.

This Complicated Life

Back in the old days the management of customer marketing preferences was easy. You had either a postal address or a phone number. Direct marketing was largely (if not entirely) about selling to customers. So you'd send out catalogues or brochures about your product or service and hope for the phone to ring with an order.

But, as the pizza parlour example from earlier in the week demonstrates, we now live in a complicated world where individuals have a lot of personal identifying data associated with them. Also, Customer Relationship Management and the way in which organisations interact with their customers has changed very much to a relationship based approach that helps build intimacy and, effectively, raises the barrier to customer churn (because you are in their inbox every week with something new and interesting).

This can create complications, but also it can create opportunities for organisations who have thought about the meaning and purpose of their information, how they can use it to drive value, and have invested in modelling their systems and processes accordingly.

Data Protection & Marketing Suppressions: Act on Fact

One of the areas where Information Quality, Data Governance, and Data Protection overlap significantly, with a big business impact, is the area of managing an individual's preferences for direct marketing.

Before I go any further, I think it is important to clarify what is meant by Direct Marketing in this context. Direct Marketing is a communication targeted to a specific individual by any means of communication such as email, snail mail, SMS, fax, or telephone. It could be argued that it also could include Tweets or contact via social networking.

The diagram opposite shows some of the data that an individual has about themselves that they would potentially be sharing with a service provider, in this case a Pizza parlour. Joe (the Data Subject) has a variety of contact points at which he may be contacted. Some of these he may have provided to Bob in Bob's Pizza. He will have provided these pieces of information for a variety of specific purposes.
