Support your Local Sheriff–why the DPC needs us to help them help us.

Problem Statement

The Irish Government is tripping over itself to win FDI from the new ‘Big Data’ enterprises. Whether it is promoting Ireland as a perfect location for Data Centres (it is, apparently we’re in a temperate Goldilocks zone) or chasing flagship investments in European headquarters for companies such as LinkedIn, Facebook, Zynga Games, Twitter, not to mention the pursuit of “home grown” ‘Big Data’ firms or the development of long term residents like Apple or Amazon from ‘box packers’ or call centres to foot prints of ‘Big Data’ behemoths, the Government can’t help itself.

And why would it. These organisations bring needed jobs, needed credibility to the Irish Economy, and much needed positive headlines for beleaguered politicians.

Of course there is a catch. A small problem. Actually two small problems.Well actually one problem but one that is so small but so significant that it is worth mentioning twice:

Our Data Protection Commissioner is chronically understaffed and, in my view, may lack skills and experience necessary to engage with and properly enforce EU Data Protection regulations.

If the Government is viewing “Data” and its related services as the “New Finance” they are showing precious little evidence of having learned from the failures of the past and I increasingly believe we are facing a scenario where either

  1. A major Data Protection scandal sweeps across big name players in Ireland and the DPC is wholly overwhelmed and cannot respond appropriately.
  2. Once new EU Data Protection Regulations are in place, we find ourselves in the eye of a major Data Protection issue and the Irish DPC finds himself with no option but to cede responsibility for the investigation and enforcement to another EU Data Protection Authority under the enhanced co-operation protocols in the revised Data Protection Directive.


Exposition

The recent problems in Ulster Bank should underpin the significant importance to people and to the economy of data. While the actual root cause of that issue remains to be confirmed, it is a salutary lesson as to how easily problems with management of data in organisations can snowball into direct impacts on the real lives of real people. And in that context it must be remembered that the Data Protection Acts and the principles they set out are about more than just the security of data, they govern how data is obtained, the uses it can be put to, and the rights of individuals to have access to that data and have errors corrected (amongst other things).

Quite apart from the Doomsday scenario, my personal experience dealing with the DPC’s office is that they are all extremely diligent, hard working, and motivated staff but it is clear that what ever slack there was in the system has been exhausted. The Facebook audits alone are consuming 25% of the resources of the Department. This can only lead to delays and bottlenecks in other areas. And absence of slack in any system means it is ill equipped to deal with other shocks. Like loss of staff, increase in volume of throughput, unusual scenarios that require engagement and investigation, or the resource requirements of large scale audits and investigations.

The ODPC, it must be stressed, are doing the best job they can with the resources they have. It is just that historically the resources they have been provided with are insufficient for the task. And this will get worse as the world of information management continues to churn out new possibilities for processing at a rate approximating to Moores Law. Looking back ten years:

Even within the past five years, these tools have grown from being niche tools finding their feet to being multi-billion dollar valued companies that generate revenue entirely off the data that is provided to them by users or generated by user interactions with user populations measured in the millions, and daily interactions that are in the billions.

And they have investors on board now who are there to maximise their return on capital invested and then cash out. Which means that the “product” (the customer) needs to be monetised in new and interesting ways, which emerging technologies such as Hadoop ( a framework for processing large volumes of data quickly and efficiently. Which is used extensively by Yahoo! amongst others) make easier, cheaper, and less overtly visible.

It is telling a recent report from the UK’s surveillance watchdog (the Chief Surveillance Commissioner) has highlighted concerns that the UK intelligence services are now increasingly bypassing the regulatory controls on covert surveillance

It is his job to monitor such activities which are covered by the Regulation of Investigatory Powers Act 2000 (RIPA). But the police and other authorities are abandoning the practice of such covert "directed surveillance" of individuals, Rose suggests, because they can gather more and more personal information differently. They can do so through "overt" investigations simply by trawling through material readily available on the internet, through social media for example, and not be subjected to any RIPA controls. (source: The Guardian)

Data is valuable, and can be value, but the DPC appears not to be

And if the intelligence services are doing things like this, it is inevitable that the private sector is doing this as well. Only marketing firms call it “sentiment analysis”. Twitter’s recent deal with analytics firm DataSift (which has given an analytics firm access to more data from your personal timeline on twitter then you can actually see yourself) highlights the potential power of these tools. According to DataSift, Twitter values your tweets at $0.10 per 1000 messages. That’s a lot of cat photographs.

And the Irish Data Protection Commissioner has an active role and responsibility in policing all of them, either because the companies have contracted that way with their users (Facebook) or because they have based their EU headquarters in Ireland (all the others).

But the DPC has had its budget consistently cut over the past few years. And it would appear that the Irish Courts systems doesn’t actually grasp the value and impact of personal data and the importance of the Data Protection Acts. And the Office appears to be viewed dismissively by other areas of Government.

The Courts

The Irish DPC has to bring cases to Court for fines to be levied under the current legislation. The problem is that the Court tends to accept sample charges and almost invariably allocates less than the statutory fine allowable. So organisations immediately engage in cost/benefit trade offs on breaches (I wrote about the psychology of this here).

DPC Budget:

The Irish Data Protection Commissioner operates with a TOTAL staff of 22 people. Their operating budget last year was €1.5 million euros. This has lead to reticence on the part of the DPC to get involved in cases that they should have been involved in (EMI v Eircom on the three strikes system is one). This was actually commented on in a recent High Court ruling where EMI was seeking a judicial review of the Data Protection Commissioner’s enforcement notice to Eircom stopping the Three Strikes process.

Basically, concern about costs has tied the DPC’s hands at times when a robust investment in challenging or defending the principles in the Data Protection Directive and the Data Protection Acts might have given a different (and possibly better) outcome.

Add to this the fact that the DPC was reliant on UCD to provide pro bono resources to assist in the technical audit of Facebook last year and the image of a national Regulator responsible for policing an increasingly complex and challenging area that spans multiple industry sectors and all industry sizes hampered in the execution of its responsibilities under the Lisbon Treaty, and the various Data Protection directives by its budget and resources.

That said, I would argue that the DPC is a model for process-focussed efficiency in the Public Sector as they have worked inventively to maintain services as best they can in the face of budget cuts and increasing workload.

But the slack isn’t there anymore and the DPC will fail if it is not addressed.

The Attitude Test

The first half of this year has highlighted an apparent lack of engagement on the part of the Civil and Public service with the Office of the Data Protection Commissioner. Policies proposals and data sharing across government agencies being announcements in the media being the first the DPC hears of them are indicative of a culture of absent awareness (i.e. people didn’t know they needed to check with the DPC) or active ignorance (i.e. they did consider it but didn’t think it important enough).

This suggests that the culture in some senior areas of the Civil Service and Government does not appreciate the value of the Office of the Data Protection Commissioner. Which is decidedly unfortunate.

Comparing to Financial Services

Given that the Government appears to be adopting a strategy of treating Data and Data-driven businesses as a modern Financial Services it is worth comparing the DPC to the Financial Services Regulator.

A quick look at the Financial Services Regulator organisation chart on the Central Bank website tells me that, as of this year, the Financial Services Regulator has 54 staff positions at Deputy Director or above.

So… 54 Chiefs or deputy chiefs. Even before we begin to speculate about the number of direct reports that each of these people have reporting to them, the Financial Services Regulator has 145% more staff than the Data Protection Commissioner.

If we assume that each of those staff are earning an average of €50000 per annum, the pay costs alone for the Financial Services Regulator are almost double the TOTAL BUDGET of the Data Protection Commissioner.

I had tried to develop an ‘organogram’ for the DPC office based on the organisation chart they have on their website but, frankly, the level of double jobbing and triple jobbing that is admitted to on the DPC website would have required a diagram worthy of Spiderman so I didn’t bother.

Of course, the Financial Services Regulator wasn’t always as robustly resourced. There was a period, in the not so distant past, where the Financial Services Regulator was a toothless tiger which struggled to enforce legislation and governance across the Financial services sector, while at the same time the Government actively promoted Ireland as an investment destination for global Financial Services companies and boasted about the size and scale of Irish banks on the world stage.

That ended well didn’t it.

In the aftermath of the Honohan report the Government increased the resourcing of the Regulator and gave it teeth. The fact that the Honohan Report contains a section header:

Section 4: Enforcement

– The Status Quo: Walk Softly and carry no stick…………….55

Which, it could be said,  describes situation the Data Protection Commissioner finds itself in currently.

Things will get worse if action is not taken NOW

A few key factors need to be recognised:

  • ‘Big Data’ is here to stay.
  • The revised Data Protection Regulation will increase the workload on the Data Protection Commissioner.
  • Ireland is an attractive location for ‘data-intensive’ companies for a variety of reasons other than our emaciated Regulator and Government strategy is to attract exactly these types of firms and to grow indigenous “cloud computing” services.
  • There is more to managing Data Protection to understanding the legislation. If Data Protection Officers (and consultants) need to understand process mapping, data quality, data governance, technical aspects of data, etc. etc., then the Regulator needs to have access to similar skills.
  • The ‘slack’ that the DPC may have had historically has been ripped out due to increasing workloads and reduced head count. It is no longer sustainable.

Those who do not learn the lessons of the past are doomed to repeat them. However our Government appears not to be learning the lessons of the past. Regulation of the processing of personal data extends far beyond one or two industries. A significant failure on the part of the Irish Government in this context could be catastrophic for our international reputation and our economy.

My personal view is that there is a clock ticking on the effectiveness and efficiency of our Data Protection reputation. A significant issue will arise and our DPC will be found wanting.

Unless the Government wakes up to the fact that we have a weakened sheriff struggling to enforce law and order in a rapidly evolving Wild West of data.

It’s time to Support our Local Sheriff.

Posted in Business, Data Protection, Politics & Culture and tagged , , , .

2 Comments

  1. has the DPC itself explained why it didn’t follow through on the 3 strikes thing? when they do…

    • The DPC has explained. They issued an Enforcement notice against eircom. They declined to be listed as a notice party to the litigation by EMI against eircom on the grounds of cost. This was explained to Mr Justice Charleton in their submissions to the Judicial Review taken by EMI against the DPC’s enforcement notice against eircom.
      Read through Charleton’s judgement – in fact his comments about the DPC not being able to take part in litigation relevant to its function on grounds of cost even made it into the MetroHerald.

Comments are closed.