One of the key questions from audiences was “What do we need to do now to avoid penalities in the future?” Unfortunatley it wasn’t actually asked in that way so I’m having to exercise some license here when answering the question. the glib answer is that you start avoiding penalties in the future by avoiding them in the present. The less glib answer requires you to start from two specific points, one temporal and one strategic. I’ll explain briefly what I mean.
- Start now. The changes proposed represent some key shifts in governance and responsibility. Organisations need to be educated now about the landscape and the potential areas of pain in the future when the organisation needs to change how it manages information (and it will). Experience in other areas of Governance which moved the burden of control to an evidence-based internal control model (Sarbanes-Oxley, Telcomms regulation, Basel II etc.) is that this change takes time. How much time? Well, about as long as there is between now and the Regulation being signed off and coming into law. What a co-incidence.
- Start with today’s rules and pain points. It is more important now than ever to start learning from the mistakes of others. Making use of resources such as theData Protection Commissioner’s Annual Report or the case notes published by the ICO in the UK. Developing an understanding the root causes of issues (ideally using proper Root Cause Analysis techniques like Fishbone diagrams etc) that are reported there and how they apply in your organisation is important. It is very important. Because if you come on the radar of the Data Protection Commissioner or the ICO in the near future, you will have exhausted your first-strike excuse by the time the significant penalties come into effect. You will have no excuses to offer in mitigation. It will be entirely possible over the coming months that organisations will avoid the financial penalties under current legislation only to wind up in the firing line of a €2million tariff on your second offence. Learn now. Learn fast. Learn from others.
That last point is simple but significant in my view. The future is not yet 100% defined. The Regulation will, inevitably, be fudged and watered down in some areas. However, the core principles of the Regulation are the same as the core principles of Directive 95/46/EC. They have just been built upon and updated to reflect the reality and challenges of the Information Age we now live and work in. A mistake under today’s rules will be an offence under the Regulation. The penalties in the future will be higher. Therefore, organisations should heed the words of Stephen Covey and start to be proactive about Data Protection Compliance by focussing on the things they can control today.
And that is your capability to comply with the current rules, and the decisions your organisation is taking today around governance, training, and investment for better management of information as a strategic and valuable business resource.