I teach Data Protection Practice in the Law Society of Ireland. I’m honoured to be among some phenomenal lecturers on that course, and I was equally honoured to be contribute to the design of it. One of the perspectives I try to impart to students on that course is that Data Protection is not just about legislation but is instead about the quality of outcomes delivered to and experienced by data subjects. When we reframe the Data Protection discussion away from bare-bones compliance towards the “value proposition” and the quality system that needs to be in place to deliver on the Information and Process Outcome expectations of internal and external customers, we can begin to change thinking and behaviour in organisations.
The law is a minimum standard, a formalised set of principles, and an enforcement framework. We have these in other domains of business as well, like catering and food production. But the distinguishing factor between eateries is rarely “20 days since last case of food poisoning“, rather it is the dining experience and culinary outcomes that diners experience that distinguishes a good quality French Bistro from McDonalds. The regulatory framework for food safety within which they operate is the same however. And there are times when a reasonably priced, well cooked, franco-phonic meal isn’t what is needed to address one’s dining outcomes, but equally there are consumers who simply will not cross the threshold of a McEatery almost as an article of religious faith.
The slow evolution of the General Data Protection Regulation, its promised focus on a ‘risk based’ approach to Data Protection, and the rapid growth of privacy laws world wide in the past half-decade, means that it serves organisations well to adopt a “Quality Systems” approach to developing their Data Protection frameworks. Indeed, such an approach is explicitly called for in BS10012:2009. This requires organisations to place the needs and expectations of the Data Subject at the centre of the equation and to work back from there in their planning or assessment of their processing of personal data, and the associated Information Governance and controls.
I’ve been rattling on about this for about a decade now, and it was great to see Gartner, and others, echoing many of my thoughts in some of their recent research reports, article series, and presentations. For example, Gartner tell us that:
“An angry public does not care whether or not an organization is compliant with the law if, through its action or inaction, sensitive information about them falls into the wrong hands or is used in undesirable ways. Successful businesses will be keenly aware of the moral climate they operate in, and will operate well within acceptable thresholds.”
“No stercore, Sherlock”, as my legal systems tutor in UCD Law Faculty might have said.
Philosophies such as Privacy by Design and approaches such as Privacy Engineering essentially serve to transpose proven quality principles and practices into the Data Protection and Data Privacy space. While the core legal rules and legislative provisions need to be understood, often on a jurisdiction by jurisdiction basis, adopting a quality systems approach to implementing Data Privacy/Data Protection processes in practice means that organisations have to focus on the principles that the legislation is setting out, and the expectations that consumers have of those principles in practice. This ties in then with the idea of “risk appetite” in a Risk based approach, and the need to ensure an appropriate balancing of legitimate interests between the Data Subject and the Data Controller.
From a quality systems perspective organisations need to ask:
- Are we balancing our interests against those of our customers, employees, or other people we process data about?
- What is our tolerance for getting it wrong and being able to bounce back?
- Is what we are proposing to do an ethical use of this data? (Ethics are a quality system for behaviour)
The third question of “Does this meet the minimum legal requirements of the legislation?” is important, from the point of view of architecting and aligning the Business, Information, and Technology capabilities of your organisation (be it a corner shop or a global conglomerate). However, it is secondary to the questions of Quality and Ethics, which are tied so closely to the need to understand the expectations your customers have of the Information and Process outcomes that will arise from the processing of their data.
The legislative evolution of Data Privacy laws is an interesting academic topic. The alignment of legislation with fundamental rights and fundamental principles is a compelling melting pot of legal debate. However, the expectation of your customers, employees, and suppliers about how their data can and will be processed represent a set of choices of an ethical and qualitative nature that each organisation needs to take for itself.
You can chose to do the bare minimum to “tick the box” of compliance. That will deliver you a tasty McCompliance experience today. However, your customers, and ethical conduct expectations they have of your processing of their data, may tend more towards something that leaves a better taste in the mouth.
By adopting a Quality Systems approach, with a strategic perspective on Privacy as a key resulting outcome that Data Subjects expect and deserve, organisations can engineer a better delivery system for that fundamental value that can put proven pricniples and practices from a variety of discipline to work to meet or exceed Data Subject expectations.