It feels as if we are approaching a key junction. On the one hand, we have ever more legislation across the world that tries to protect our personal data from misuse and provide us with more control. On the other, technology and society continue to advance in ways that are entirely dependent on collecting more of that data, in more depth, in more ways, more of the time.
We are conflicted: we want the convenience enabled by use of our data; we want the novel technologies, especially medical, powered by analysis of our data; and we’re usually happy to accept the discounts offered to us in exchange for our data by supermarkets and the like. Yet we fear the consequences of sharing our data; we still value privacy in its original medieval sense of not being overlooked; and we recognise the risks from fraud.
Governments are conflicted: they like the greater insight and control granted by data analysis and surveillance; they recognise that e-government offers a better experience for most service users while saving public money; and they very much seek the economic benefits of the ongoing technological revolution. Yet they fear the possible power of AI; they appreciate the risks to rights and freedoms that arise from unfettered data collection in the private sector; and they worry about the strategic vulnerabilities of a data-dependent society.
How do we square these circles and reconcile these conflicting desires? How do we protect the public but enable the economy? Where is the line between personal responsibility and state intervention?
The response so far has been in search of protection and control inconsistently to layer legislation upon legislation, some of it impractical, some of it conflicting, much of it selectively enforced. In the same breath, governments also compete to attract technology firms by enabling access to data, relaxing regulation and offering various forms of subsidy.
Data protection officers and their teams, privacy lawyers and consulting firms like Securys are caught in the middle, trying to pick a path through the legislative thicket that enables our customers to do business and grow while protecting their customers, employees and suppliers from harm. In so doing we run several risks, including becoming too legalistic and focused on detailed wording; being too evangelical about privacy and as a consequence being seen by the business as an obstacle rather than an asset; and spending too much time documenting what is done and not enough engaging with what should be.
As a profession, we must get above the thicket and see the wood, not the trees. Our job is to ensure that fundamental human rights are respected in the relationships between individuals and organisations. We should remain especially alert to situations where the balance of power between individual and organisation creates a power asymmetry in the exchange and use of personal data.
We must remember that in many cases the individual – customer, employee, client, patient, student, beneficiary, service user – wants their product or service to be informed by their data. You can’t have a personalised experience without sharing personal data, but that doesn’t mean you should lose control of that data nor that you should accept unfair treatment or exploitation. We are advocates for and representatives of people, working on their behalf to balance their service experience and their rights; we also have to recognise the wider interests of society as well as those of the individual.
We must be pragmatic. We must often compromise and accept risk. We must focus on fidelity to the key principles of data protection: lawfulness, transparency, fairness, limitation of purpose, minimisation, accuracy, retention and confidentiality. The ever-multiplying panoply of laws is merely a means to that end, not an end in itself. To make this work we must collaborate with regulators to understand and inform their enforcement priorities, and to remind them of the gap between legal nicety and real business practice.
Regulators alone can never deliver what is needed either by society or by individuals. Our profession must hold its members and their organisations to account, standing independently between business and regulator, answerable to both on behalf of the data subject and bound by its own ethics and responsibilities.
Securys has enshrined this approach into our Privacy Made Practical® programme. Our Privacy Operating Model provides a framework within which data protection is managed on a risk-prioritised basis with operational privacy support embedded throughout the organisation, with oversight, audit and accountability delivered through a clearly defined governance function. We serve both business and individual, acting always to balance the many competing demands of both and to help our clients win, strengthen and retain the trust of all of their stakeholders.
