The full list of ministerial and junior ministerial appointments is how complete and the government of Ireland can move on with the juggling of departmental structures (i.e. people, physical assets and equipment, data, data governance measures etc.)
— Gavan Reilly (@gavreilly) July 1, 2020
Despite the high profile given to Data Protection in the Programme for Government announced a few short weeks ago, the “tone at the top” at this point is not consistent. In a carve up of roles in which the Government parties had a number of parties to satisfy with positions of import in the affairs of the State, the Junior Ministry for Data Protection, first introduced in 2014 by the Fine Gael/Labour coalition (a decision which placed Ireland in the lead of EU Member States in recognising this as a distinct porfolio) , has apparently been taken quietly around the back of Leinster House and dealt with in the manner of a lame greyhound. The humane euthanizing of the portfolio comes after a period when it had gone from a significant portion of the portfolio of the Junior Minister for European Affairs and Data Protection (spanning two Departments, Taoiseach’s and Foreign Affairs) to one of the many elements of the portfolio of the Junior Minister for (takes a breath) Trade, Employment, Business,
EU Digital Single Market, and Data Protection.
So, there is now a policy disconnect in Government where the Programme for Government says things like:
- The government “will support the Digital Single Market and support high standards in Data Protection”; and
- “We recognise the domestic and international importance of data protection in Ireland. We will support the Data Protection Commission, to ensure that Ireland delivers on its responsibilities under the General Data Protection Regulation (GDPR).”,
but we lack any ministerial portfolio that has a specific focus on these issues. So, no mechanism for execution of the “tone at the top”. Indeed, the signal that is sent by this is that the Irish Government has decided to stop giving a shit about Data Protection as a policy issue, despite what the nice words in the Programme for Government say. Perhaps we should take solace that this greyhound has been put down humanely and not left to limp around as the misshapen protuberance of some Frankenstein portfolio until it faded away (which seemed to be the approach in 2017).
More worryingly, the DPC has gone from having a Minister with clear responsibility for policy decisions in this area (even if they might not have been fully aware at all times that that was a thing they were responsible for) and a potential voice contributing to Cabinet discussions on the role of Data Protection in government policy and action, to having no single stakeholder with political skin in the data protection regulation game. The signal this sends is this: Data Protection is not an issue that government or public sector bodies should worry about because it is not considered important enough now to even be blue-tacked onto a Ministry of State as an afterthought.
Given the problems the new Taoiseach has had finding jobs for all the people who felt they were entitled to or deserving of jobs, this is doubly concerning. Personally, I think that a competent political operator like Dara Calleary would possibly have added some weight to a Data Protection portfolio, particularly as it spans and touches on every single other portfolio in government.
The coming weeks and months will see the dynamic of data protection in Ireland shake out. The DPC has a number of GDPR enforcement actions underway against Public Sector bodies (the recent cases against Tusla are the beginning, not the end), new Ministers will face choices about fighting court cases appealing decisions of the DPC in other cases, and some of the practicalities of a DPC that is split across multiple locations (in Dublin alone), that Covid lockdown allowed to be long fingered, will need to be addressed. Add to this the increased cadence of cases against multinationals which is promised (and expected) in the latter half of the year and the Government’s ‘Programme for government-thin’ commitment to Data Protection will inevitably be tested.
All this against a backdrop of the DPC having received a lower budget than they required in Budget 2020 and budgets across the board likely to come under pressure in Budget 2021, and the EU Commission tries to figure out how to address the systemic funding and resourcing issues for Supervisory Authorities across the EU.
The “teachable moment” for organisations that aren’t governments is this:
- You can put as many nice words in your policy documents and vision statements as you like, but if you do not clearly assign responsibility and accountability for execution and delivery on those promises, they are just vapour.
- In any strategic plan or strategic change, if there is a disconnect between the tone at the top and the mechanisms for execution, the bits that don’t have a linkage will get deprioritised in practice. In a regulatory and governance context, it’s tempting to think (hope) people won’t break the law when executing the goals of the organisation. But they can and do, either through errors of omission, neglect, or outright intent.
- When crafting a strategy for data in an organisation, it’s important to remember that what you take away is often as important (if not more important) than what you leave or add. And if you add values or objectives to the vision statement while taking away a focus point in your leadership team on those issues, that act will resonate louder than the words.
So, if your organisation has appointed a Data Protection Officer (DPO), has implemented a Data Governance Programme, or has started tackling data quality issues and you are faced with a decision to fire your DPO, downsize your DG function, or stop investing in data quality, consider the signal that that sends across the organisation about importance of those things relative to other priorities and the impact that might have on overall success in your objectives.
I’ll leave the final word to Joseph Juran (replace “quality” for “data protection” or whatever goal you are pursuing that constitutes a measure of quality in your organisation):