In this life you get what you pay for

Data protection has been in the news a lot in the past months.  There has been the Irish government’s continuing debacle with the public service card, the removal of bins from the GPO on the grounds of protecting discarded data and the removal of the visitors books from sites owned by the Office of Public Works.

All of these stories seem to point to an undeveloped market where the purchasers of professional advice did not seem to question the quality of this advice in the face of common sense. Due diligence on the competence of your advisors is always recommended, because if you’re told only what you want to hear and refuse to consider the actual risks you are accepting, the result (in the cases mentioned above anyway) is an eggy face.

Sometimes an advisor’s greatest strength is pragmatism.

This is hardly surprising when one considers the main ways for government to access specialist advice is through poorly remunerated internal resources or lowest cost purchased external help.  It is hardly a secret, since it appears in job adverts, that the average government departmental DPO is paid less than half of their counterpart in private industry, although most government departments are responsible for more considerably more data and therefore risk that any private company.  Add to this a requirement for saving money and you end up with a race to the bottom where due diligence is ignored, and quality is only a nice to have in the drive for the lowest cost solution.

The optics right now are that we have a public service culture that apparently believes government is not required to follow the law and that senior civil servants can dismiss DPOs that disagree with them.

By appealing the decision of the Data Commission through the courts, the Irish government is pushing an agenda that they are above the law and absolve themselves from the scrutiny and sanctions applied to those other organisations owned by mere citizens. This would seem to be a policy that the Irish government makes law for others, not for itself, a pattern of behavior that unfortunately has become commonplace in other jurisdictions.  Of course it leads to a further spending of public money that could result in job losses for cabinet ministers and departmental secretary generals. If I was any of these parties, I would be making a check on the consequences to my pension entitlement of being found to have acted unlawfully and in contravention of regulation it itself introduced.

Beyond government, the well of imprudence still overfloweth.  As the publicity surrounding the new regulations has faded, I am seeing organisations that have replaced a full time DPO with a part-time less qualified resource on less than half the salary.  I hear of other organisations using intern resources as their main data protection function. A fantastic cost saving in salary, but for an organisation that is carrying a data protection liability of more than €1m probably a very short-sighted saving.  Because people seldom ask or think about the actual liability.  They may know the cost of their data protection regime but it is seldom put against the risk.  An outsourced expert DPIA contract at €25,000 pa may look expensive at the outset but it looks rather less pricey when you understand that the firm’s potential fine liability under GDPR is multiple times this, and a fortnightly monitoring and control of risk becomes a prudent practice.

The price of inconvenience

The point is that we have not seen the regulators inflict any real pain yet and until they do, the updated law will remain a “nuisance” in public and private enterprise, rather than a “real”, enforced law.  There is a way to go before it is treated with the same respect as financial and corporate enforcement. The next months will see a rush of enforcement action from the data protection regulators so we can expect to see some blistering headline numbers and the much more inconvenient and organisation-breaking consequences of regulators’ other enforcement powers, namely database deletion and cease processing notices.  We may also expect to see million quid fines on every government department that has ignored the Irish regulator’s instruction to cease using public service cards, but no doubt the Minister of Public Expenditure will  make good on his promise to pay the fines for all!