Data Protection - Objectives or Outcomes?

This blog post is part of our Essential Guide: Essential guide to the EU General Data Protection Regulation (GDPR)

One of the greatest challenges faced by Privacy and Data Protection professionals is demonstrating that their organisations have complied with the requirements of the various laws governing the handling of personal data. The freshly revised BS10012 can help organisations to meet their privacy management obligations.

The EU Data Protection Directive (1995) has created a legislative landscape whereby each EU Member State has implemented local data protection laws that reflect their interpretation of the Directive and their local cultural and commercial sensitivities (Germany, for example, has famously rigorous data protection laws; Spain’s data protection act mandates the complexity of passwords). Member States have then applied their own regulatory approach, so that countries such as the UK and Ireland are perceived as traditionally having a relaxed, hands-off approach to enforcement, whereas France and Germany are quick to apply tough penalties for data protection infringements.

Then we have the added complexity of international data protection laws, and how organisations in EU Member States interact with other countries, in particular the US, which has a sectoral approach to privacy. Personal data cannot be transferred out of the EU to other countries unless suitable legal safeguards are in place, which can be achieved through a number of ways; a decision of ‘adequacy’ from the EC’s Article 29 Working Party to confirm that the destination country has suitable data protection laws and enforcement; ‘model clauses’ to which all parties subscribe to bring processing under the remit of EU laws and EU courts; ‘binding corporate rules’ which provide similar controls but permit them to be tailored to fit the specific relationship; or ‘explicit consent’ from the data subject to the transfer and processing (something which is much harder to achieve and manage than might be first thought). In the case of US transfers, organisations can also use the US-EU Privacy Shield, a legal framework to which organisations can subscribed to achieve similar outcomes.

But amidst this complexity there is an underlying challenge that none of these legal mechanisms helps to address: how should organsiations deliver the desired outcomes mandated in these laws?

Our problem is the contextual, changing and culturally sensitive nature of privacy. What works in one organisation does not necessarily work in the next; controls that might be appropriate in one country could hinder normal business operations in another; personal data processing that is considered intrusive on one continent might be of no consequence to individuals in another. In this context, laws that stipulate the detailed control objectives in organisations would be inappropriate, since the controls would in all likelihood be wrong in almost any situation (perhaps the most extreme example of this was the ill-fated Identity Cards Act which mandated the architecture for the system). The new General Data Protection Regulation (GDPR)does include some control objectives, such as the requirement for a data protection officer or use of data protection impact assessments, and it remains to be seen how successfully organisations can respond to these demands.

That’s why the British Standards Institute’s freshly rewritten BS10012 Data protection – Specification for a personal information management system is a welcome development. The original publication was arguably too high-level to be of much use as an implementation tool, but the fresh version, which is now open for consultation, provides a much more consistent, measurable way to implement the requirements of the GDPR by providing control objectives for data protection management, rather than relying on outcomes alone. It’s by no means a panacea for privacy management, but the approach specifies the organisational needs, leadership, planning, support, operational requirements, evaluation and improvements needed to implement, maintain and improve a personal information management system that is fit for purpose. The draft is open for comments until 7 November 2016, and I would urge you to take the time to read and comment.

Declaration of interest: I volunteer on the British Standards Institute’s IDT/001/0-/04 Data Protection committee.