Words matter - even when discussing "regulator priorities"
In this whole month of the GDPR anniversary, there has been intense scrutiny of “regulator priorities.”
Zwillgen says regulators will continue to focus on “marketing and advertising, data security and data breaches, data subject rights, and processing sensitive personal data and personal data of children.” Which doesn’t narrow it down much.
Lexology says, “This first wave of significant GDPR enforcement will provide valuable insight into regulators’ priorities for the coming years and their expectation of businesses, what level of fines can be expected going forward, and the mistakes others have made which can be learnt from.” I guess the first wave is still out to sea somewhere, but stay tuned. We’ll get those priorities shortly.
Law360 says, “key questions about regulators’ expectations and the price of noncompliance still linger.”
Funds Europe says, “As we approach the first birthday of the GDPR, Google’s example provides a reminder of the need to ensure continued compliance. As the enforcement priorities of regulators come into focus, the message to business is clear: watertight GDPR processes are crucial for avoiding fines in the future.” Really? Is there anything about the digital economy right now that says “watertight” to you?
Personally, I’ve found the regulators to be pretty forthcoming with their priorities. They have spoken pretty singularly about first doing audits of major product categories, looking for egregious violations; creating a triage system to handle the slew of complaints coming into their offices; and focusing on guidance to help, especially, the small and medium-sized businesses they know have few privacy resources. And that’s what they’ve done.
People who are desperate for FINES really haven’t been paying attention.
Still, it’s nice when a regulator puts out a document that explicitly spells out its priorities, as the ICO has done with its “GDPR: One Year On” release. Therein, the ICO declares:
• We will respond swiftly and effectively to breaches, focusing on those involving highly sensitive information, adversely affecting large groups of individuals or those impacting vulnerable individuals.
• We will be effective, proportionate, dissuasive and consistent in our application of sanctions, targeting our most significant powers on organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data.
• We will support compliance with the law, including sharing information in relation to and otherwise contributing to the promotion of good practice and providing advice on how to comply with all aspects of legislation.
• We will be proactive in identifying and mitigating new or emerging risks arising from technological and societal change.
• We will work with other regulators and interested parties constructively, at home and abroad, recognising the interconnected nature of the technological landscape in which we operate and the nature of data flows in the expanding digital economy.
There you go. Cut and dried, right? But then take a look at the blog post the ICO's Elizabeth Denham posted to introduce that big report:
The focus for the second year of the GDPR must be beyond baseline compliance - organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated.
Excuse me? What obligation does an organization have to go “beyond baseline compliance”? Does the ICO have some kind of enforcement powers that go beyond the GDPR’s mandate? Of course not. Which is why talking about “beyond baseline compliance” might be terribly confusing for some organizations.
Is there a way to be “baseline compliant” without being “actually compliant”? Is accountability some kind of “compliance plus”? Of course not. Accountability is mandated by the GDPR. Right there in Article 5: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Was the ICO not expecting accountability in year one? But now is?
Compliance is sort of a binary thing. You either are or you aren’t. Which is why so many sophisticated privacy professionals - one fifth! - declared they would never be compliant with the GDPR in the most recent EY-IAPP Governance Report. It’s so complicated, and data so slippery, and technology so dynamic, that it’s simply not possible.
And the ICO declared very strongly that there would be no grace period. But I guess there was?
This kind of ambiguity on the regulator’s part isn’t helpful. Most organizations are just trying to figure out what they’re supposed to do, and mixed signals just create inefficiency that takes the focus away from actually doing the work of privacy, which is (theoretically) protecting the human rights of actual people.
Of course, what do I know. At least one leading privacy lawyer in England thinks that statement clears things up:
Why does it matter?
I think there is an open question as to why organizations should care so much about regulatory priorities anyway. It’s an interesting corollary to the old “nothing to hide” argument, right? If you’re not breaking the law, why do you care what the regulators are prioritizing? I think the reasons organizations care break into three main categories:
1 - What really gets you pulled over? This is the calculation we all make on the highway just about every day. It speaks to human ideas of fairness. Obviously, no one is getting pulled over at one MPH over the speed limit (I’m American, so I speak in “miles per hour,” but you Europeans and others should get the idea), so why should I drive the speed limit? I’m going to go about 10 MPH over, generally, just like everyone else, and therefore I’m not going to get pulled over by the cops. I know they’re looking for people doing about 15 MPH over the limit, people swerving around, people knocking into each other, etc. I’m good to just keep going on my merry way.
By learning about regulator priorities, organizations learn what the effective speed limit is. This is basic risk assessment, and I don’t think it’s necessarily nefarious.
Of course, speeding doesn’t violate someone’s human rights, now does it? But let’s just put that to the side for a bit.
2 - Triage. We know from things like the IAPP-EY Governance Report that at least 20 percent of organizations don’t think they’ll EVER be GDPR compliant. It’s just too difficult, complex, confounding, impossible. Therefore, these organizations want to know where the regulators are turning their focus so they can similarly turn their focus there and at least show they’re making an honest effort in those areas.
I think from a public policy point of view, this would speak to a failure of a regulation. If it can’t really be complied with, it’s not good policy. But I think we need to give it some time to see if those 20 percent are just bad at their jobs, constitutionally pessimistic, or simply deeply cynical. Regardless, I think this is a good reason for regulators to put out priorities language, as it at least gets these sorts of companies to focus on what regulators believe to be the most egregious offenses and get people to try to tackle them.
3 - Truly nefarious organizations. At least some organizations are actively trying to get away with stuff, to stuff as much money in their pockets as possible by violating the GDPR before anyone notices. At which point they move on to something else. These are the Cambridge Analytica types, who do bad stuff, then close up shop and hope no one finds them.
Bad people will do bad things. I don’t really think there’s a way to stop that, and I certainly don’t think regulators should hide their intentions to avoid helping people like this. Let’s just say these people don’t factor.
I think the vast majority of companies fall into category #1. They know they’re not 100 percent compliant, and don’t really care to spend all the money and resources to get to 100 percent compliance, but they monitor what the speed limit is and they make sure they don’t go too far over. Thus, ambiguity by the regulator can cause real consternation: Wait, you’re pulling people over for going 7 MPH over the limit now!?!
And I think that’s basically what the ICO just did with Denham’s “beyond baseline compliance” comment. Even though there wasn’t a grace period, there was.