Blog

  • The curious case of Enda and the Technology

    Enda Kenny found himself slightly ambushed on the news last night (6-One News on RTE) by Bryan Dobson. At the end of a segment about the trials and tribulations of Brian Cowen, Enda was asked about the problems that have befallen the FG website.

    Enda’s response was telling on a number of fronts.

    1. He indicated that the FG site had been implemented because he’d been impressed by a to the European People’s Party (Maman Poulet wrote about that a while ago).
    2. He indicated that they were looking into moving the site to an Irish host.
    3. He stated that he was not competent in the technology.
    4. He stressed that “40 young people” were being trained in these new technologies in FG HQ, which would add to their CVs.

    The Obsession

    In short… FG are focusing on the technology. This is exactly the point I was trying to make in my first post about the need to set “the tone at the top” and ensure that the values expressed in that tone cascade down the organisation and are expressed and executed through effective governance.

    By focusing on the technology rather than the effective governance of the information (in a way that would support their objectives and their brand), it seems FG have got tunnel vision on a particular technology and missed the point completely.

    Indeed, back in 1999, Peter Drucker wrote that:

    So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT.

    The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?

    FG may have had a purpose (to listen, and to build a mailing list) but they don’t appear to have considered what it means to gather personal data, particularly SENSITIVE personal data.

    In this context, Enda and the leadership of FG are not being asked to suddenly become PhD level experts in all aspects of Information Security and Web design. What they are expected to do is apply reasonable levels of due diligence to ensure compliance with the law of the land and the standard of care that is expected of organisations who process Sensitive Personal Data.

    Organisations like, for example, the Civil Service, who have produced very clear guidelines on the processing of personal data and the standards of care that must be exercised. Those guidelines are very explicit in a number of sections about the importance of encrypting sensitive data when it is being transferred. For example, in relation to transfer of personal data by email the guidelines say:

    1. Standard unencrypted email should never be used to transmit any data of a personal or sensitive nature. Departments that wish to use email to transfer such data must ensure that personal or sensitive information is encrypted either through file encryption or through the use of a secure email facility which will encrypt the data (including any attachments) being sent. The strongest encryption methods available should be used. Departments should also ensure that such email is sent only to the intended recipient.

    So, if FG become the leaders of the next Government, will it be a case of the Executive arm telling the Civil Service “Do as we say, don’t do as we do?”

    That is what I mean by SETTING THE TONE FROM THE TOP.

    Given the comments in the Evening Herald yesterday, apparently from the hackers who attacked the FG website, that the web-designers who built the FG website had left various passwords set to their defaults, my attention is drawn to the comments in the Civil Service Guidance Notice in relation to passwords.

    In the context of mobile devices (like phones), the Guidance explicitly states that

    Manufacturer or operator-provided PIN codes must be changed from the default setting by the user on receipt of the device.

    So, default settings aren’t allowed for security reasons in the Civil Service on devices as commonplace as mobile phones. In relation to databases and other devices, the guidance says:

    Passwords used to access PCs, applications, databases, etc. should be of sufficient strength to deter password cracking or guessing attacks.

    A reasonable implication here is “don’t leave it at the default settings”.

    If it is good enough for the Civil Service, why not good enough for Fine Gael?

    The Training

    Enda tried to make a big noise about the “40 young people” who were getting training in the technology. It is very far-reaching to teach young people (how old are they?) how to use Social Networks and Twitter.

    What would be more far-reaching would be to ensure that all levels of the FG organisation received appropriate training in Data Protection principles and practice and that, rather than instilling a technocratic focus in the culture of the organisation, FG began the process of inculcating an info-centric culture that put the meaning, purpose, and value of Information at the heart of their strategy.

    That info-centric culture would need to extend beyond flashy websites to the mundane matters of organisational governance, control, and accountability for information that the Party organisation processes, whether it is on the web, by email, or on paper.

    A beneficial by-product

    A by-product of such a culture change (and it would need to be an actual change, not just more banal lip-service) might be that we would get, perhaps for the first time, the articulation of what a “Knowledge Economy”  might actually be, expressed in terms that might echo the sentiments of Peter Drucker over a decade ago, that wouldn’t descend into babbling and burbling about technologies which, by his own admission, Enda isn’t competent to talk about.

  • Fine Gael’s website: some thoughts

    It looks like there’s been some rework done on the FG website to address Data Protection concerns.

    This is good and is to be commended. It is also in line with how the Data Protection Commissioner works with organisations who have compliance issues. However, issues did exist prior to yesterday which will continue to present challenges to FG regarding their compliance with the Data Protection Acts.

    Here’s a screen shot I took yesterday

    Screenshot of FG website on 7th January 2011

    It is a bit small to read in the image, but the tick boxes on the site (after you submit your personal data) have the following text beside them:

    • I agree to receive campaign messages on my mobile telephone
    • I agree to share my comments on the website.

    So, if you posted a comment prior to yesterday, the only communication you could provide any consent to was an SMS. If you found you had been added to a mailing list, the data had not been fairly obtained (you didn’t know you were going to be getting emails) and any processing of your personal data to send you an email is technically a breach of S.2 of the Data Protection Acts.

    Given that a number of people apparently complained to the Data Protection Commissioner about getting unsolicited emails when they had posted comments, the website has been changed as of this morning with a very subtle edit to the wording of the text next to the first tick box…

    I agree to receive campaign messages from Fine Gael.

    … is what your choice is now when you post your comment. That is a broader statement that does now permit FG to email you (and potentially SMS you as well) with their campaign messages if you don’t ensure that you uncheck the box. Please note that this is an OPT OUT of their mailing list, not an OPT IN.

    So, one compliance issue addressed. Of course, that leaves the question as to what they will do with the emails they captured prior to yesterday which cannot be used as it is unclear if the person has opted in or out of the use of their email address for campaign mailings. This is one of those areas where Data Protection and Information Quality overlap – where the meaning of a flag in the database changes at a point in time and the interpretation of that flag can have significant regulatory and compliance impacts.

    I encountered this when running data migrations in a telco many years ago. The billing system had a flag “Junk Mail”, which allowed a “Yes” or a “No”. The problem was that there was no agreement on whether “Junk Mail = Y” meant people wanted junk mail or “Junk Mail = N” meant people wanted junk mail – the meaning of the value had been lost in the mist of time and the absence of formal documentation about the processes.

    Suggestion: FG should use the date stamp (that they hopefully have) in their database to exclude any email address created on their database prior to January 8th from any email messages… just to be on the safe side. And as they don’t have a use for that data (they can’t email people) they would be required under the Data Protection Acts to get rid of it, as they can’t hold data for longer than they have a legitimate purpose for it.
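
    The date-stamp approach suggested above, sketched as an added example (it is not Fine Gael’s code and not from the original post): the stored tick-box flag is interpreted according to the wording that was on screen when the record was created. The record layout, field names and sample rows are assumptions; the cut-over date is the January 8th date the post uses.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Set, Tuple

# Assumption: the tick-box wording changed on 8 January 2011, the cut-off
# date the post suggests.
WORDING_CHANGED = date(2011, 1, 8)


@dataclass
class Signup:
    # Hypothetical schema; the real database layout is not known.
    email: str
    created_at: Optional[datetime]  # None models a missing date stamp
    box_ticked: bool                # the stored flag, whatever it meant then


def consent_scope(s: Signup) -> Set[str]:
    """Channels the stored flag covers, given the wording shown at sign-up."""
    if not s.box_ticked:
        return set()                # the user unticked the box (opted out)
    if s.created_at is None:
        return set()                # cannot tell which wording applied
    if s.created_at.date() < WORDING_CHANGED:
        # Old wording: "...campaign messages on my mobile telephone"
        return {"sms"}
    # New wording: "...campaign messages from Fine Gael"
    return {"sms", "email"}


def partition_for_email(signups: List[Signup]) -> Tuple[List[str], List[str]]:
    """Return (addresses that may be emailed, addresses to exclude)."""
    mailable, excluded = [], []
    for s in signups:
        target = mailable if "email" in consent_scope(s) else excluded
        target.append(s.email)
    return mailable, excluded


# Constructed sample records, for illustration only.
SAMPLE = [
    Signup("a@example.com", datetime(2011, 1, 6, 10, 0), True),
    Signup("b@example.com", datetime(2011, 1, 7, 23, 59), False),
    Signup("c@example.com", datetime(2011, 1, 8, 9, 30), True),
    Signup("d@example.com", datetime(2011, 1, 9, 12, 0), False),
    Signup("e@example.com", None, True),
]

if __name__ == "__main__":
    ok, skip = partition_for_email(SAMPLE)
    print("may email:", ok)
    print("exclude  :", skip)
```

    Records with no date stamp are excluded along with the pre-change ones, since there is no way to tell which wording the person saw.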

    The Privacy Statement

    I’ve written a few times over on the company site about the need for Privacy Statements to actually reflect the reality of what is happening with personal data that you are obtaining and the balance that needs to be struck by Data Controllers.

    Screenshot of FG2011.com Privacy Statement

    FG finally got around to putting up a Privacy Statement on their website late in the day yesterday (check the image above… it’s not there in the morning when I took the screen grab). They copied the privacy statement from their old website, which was accessible yesterday (along with all their policies etc.) at http://finegael.org but appears to have gone away as the screenshot from today below shows. Perhaps their web sites have moved (for security reasons, as FG say in today’s Irish Times).

    Screenshot of finegael.org backup site as of 8th Jan 2011 14:14
    Finegael.org – Gone away?

    While they have a link and can tick the box about having a Privacy Statement, in my personal view they get 10 out of 10 for effort, but fail the test of whether that Privacy Statement actually reflects what they are doing in reality.

    The first test is failed in the very first paragraph which says that

    Visitors can use most of the site without being personally identified by Fine Gael.

    OK. If by “Use” you mean “Sit and Read” then that is a correct statement. But if you want to engage with any of the primary functions of the site (like having your voice heard, telling them your opinions and complaints, all the good and wholesome stuff that Enda is inviting us to do) then you HAVE to provide them with personally identifying information. And in some cases that information can end up being quite granular. For example, if I was to put in my name and village I live in I would be uniquely identifiable as I’m the only person of that name in that village.

    The fact that the Privacy Statement doesn’t address many of the specific  points that the Data Protection Commissioner and the legislation actually require to be addressed in a Privacy Statement is another key issue.

    Compare the Fine Gael Privacy Statement (or Fianna Fail’s) to the equivalent statements on websites from UK political parties:

    The UK Greens (like their Irish counterparts) don’t have a Privacy Statement on their website.

    Given that FG have moved to new servers, with a website with new functionality and new purposes for personal data at the very least they should have reviewed their Privacy Statement to make sure it is still valid.

    Indeed, that type of regular review is a recommendation of the Data Protection Commissioner and is a requirement of the BS10012:2009 standard for Personal Information Management Systems.

    Suggestion: FG should review their Privacy Statement to make sure it actually matches what is actually going on. This should form part of their regular and on-going governance of data to ensure compliance.

    Some Thoughts

    Fine Gael seem to have made significant efforts in the past day or so to address a problem that earlier in the week they didn’t want to engage with. Indeed, up to yesterday morning they were telling TheJournal.ie that they “weren’t interested“. In that context, the steps that they have taken are a laudable effort.

    But if they had actually taken the time to plan and build their Data Protection obligations into their new processes and website and ensure that they were demonstrably in compliance with the legislation before launching their site then this story would never have existed for anyone to be interested in at all!

    The lesson that needs to be learned from the Fine Gael experience is that it is always far better to design privacy and data protection concerns into systems and processes rather than having to inspect out defects and errors. Just like with any quality process, if you don’t design quality in you will inevitably find yourself having to fire-fight issues in crisis mode, which means that you will almost always miss something else.

    Privacy by Design is a key concept in Data Protection circles. Given that the Data Protection Acts create a Duty of Care, care should be taken when embarking on the processing of personal data to ensure that you understand that Duty of Care and how to meet the associated Standard of Care.

    Not doing so means you risk regulatory penalties, litigation (where there is damage suffered as a result of the breach of the Data Protection rules), and damage to your brand and commercial reputation. Regulatory penalties can be paid, court cases can be settled, but the media coverage and comment on your brand, particularly in the age of Twitter, blogging and Google will have a half-life all of its own.

    A lawyer friend of mine often tells people:

    There’s only one thing worse than being sued and losing, and that’s being sued and winning. Because no one will remember that you won! It’s always better to avoid being sued in the first place.

  • Red Herrings, Hosting, and Data Protection

    I’ve written a new post over on my business website that looks at some of the issues that have been raised by TheJournal.ie in an article today. I won’t rehash the whole thing here – please follow the link to read the full post on the other site.

    Suffice it to say, there is a big difference between compliance with EU legislation and taking business decisions based on patriotic motives or a desire to “buy Irish”.

    The fact that various parties have their sites hosted in the UK is not a compliance issue per se – the UK is still in the EU and has equivalent legislation to us based on the same root Directive. Norway is a member of the EEA and as such has legislation that is derived from the same Directive as underpins our Data Protection laws (I may be the only person in the country who has actually READ the Norwegian Data Protection Act… it’s very similar in intent and execution to our own law).

    A big issue is hosting personal data, including sensitive personal data outside the EU or EEA or other “Safe Country” without any apparent controls in place, such as using a Data Processor who is registered with Safe Harbor and ensuring you have a written contract in place.

    It is extremely wrong for anyone to claim that hosts don’t have to comply with the Data Protection legislation. They do. As Data Processors, their obligations are not as extensive as those owed by Data Controllers, but the relationship between the Data Controller and the Data Processor is critical to the end-to-end governance of Data Protection obligations.

  • Setting tone from the Top

    In the rush to adopt new technologies and new ways of working, particularly when an organisation embarks on a change to systems and processes, it is often very easy to get caught up in the whirlwind of enthusiasm for the new technology and the promised benefits of new ways of working.

    Nearly 2 years ago I wrote a post on this blog about the adoption of US style internet campaigning and the use of Web2.0 in Irish politics from an information quality perspective. The scorecard wasn’t good from a data quality perspective. The strategy seemed to be “If Obama can get elected using this Internet thingy, then we need to copy what he did”. No attention seemed to have been paid to the simple fact that a “cut and paste” adoption of a pre-canned solution from elsewhere would not necessarily work.

    2 years on I would have thought that some lessons might have been learned. So when Fine Gael announced they’d “stood down” their finegael.ie website in favour of a more interactive presence in the run up to the election I thought I’d take a quick look. While the Information Quality issues with the form were not too bad, the structure and operation of the site raise a number of concerns from a Data Protection perspective.

    Bluntly – when a US election solution provider rolls up in Europe they will find that they literally ain’t in Kansas anymore, particularly with regards to what you must and must not do with regards to the capture and processing of personal data. Political parties buying these services need to be aware that they are Data Controllers and that the solution providers are Data Processors in the context of the Data Protection Acts 1988 and 2003.

    Failure to set the “tone at the top” and cascade it through the organisation means that often the important questions are not asked (or the answers are ignored).

    Ultimately, in a Data Protection context, you are dealing with issues that can impact on your brand. If you are positioning yourself as being a political party that will “get tough” with vested interests through more effective regulation and enforcement you can’t really start the ball rolling by flouting basic principles of Data Protection law.

    Indeed, back as far as 2004 the Data Protection Commissioner wrote:

    It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law

    In 2009’s annual report the Commissioner also wrote that:

    Rapidly changing technology can be both a threat to this right and the means of protecting it. Building data protection safeguards into new technologies and applications of these technologies remains the best approach. This is as much true of data processing in the “cloud” as it is of a routine development of an IT application in an organisation.

    So… the issues?

  • Wordle me this

    Thanks to Jim Harris over at OCDQBlog.com I came across Wordle, which creates word clouds (like tag clouds) based on text content.

    Here’s a link to the Word Cloud for this blog. I think the theme of my personal blogging is clear from this image…

    Not a great post to start 2011, but there is more to come (oh yes…)

  • Dell Build Quality

    So, I’ve recently invested in a new laptop for work. I got it on Tuesday. Today I noticed that the “J” key on the keyboard had come loose. That’s after less than a week of average use in my home office. The laptop hasn’t been out on the road (yet) and as it is performing well I haven’t had to bash the keyboard in frustration at a 20 minute hang for no reason (like on my old laptop).

    It is probably an easy fix, but it does raise a question about the build quality on Dell laptops when one of the “home” keys for touch typing can come loose so easily.

    But it is just one key. Surely not a big thing? I suppose that is a valid view. But often quality and perception of quality hangs on how the small stuff works.

    • The hotel might be great, but there’s no coffee with the in-room tea and coffee facilities (I like to make a cup of very strong coffee first thing in the morning when travelling for work)
    • The flight might be fine, but the hot sandwich you wanted to order from the attendants wasn’t in stock
    • A broken keyboard stops you typing “jumping jeosophat”

    A while ago I wrote an article for the IAIDQ about the “long tail of risk”, or the long tail of quality. My basic premise in the article was that as you tackle the big issues of quality and risk in Information, the smaller issues become increasingly important, so there is increasing value to be found in the “long tail” of issues.

    That’s why “Zero Defects”, while in part a wonderful slogan, is in fact a valuable goal to set for Quality Management. Setting your sights lower means you are accepting inevitable mediocrity. Why do I say this? Well, simply because the common argument against zero defects is that it is unattainable as a goal (it’s not) and compromises need to be made (they often do). However, if you set your target at 99.9% defect free, you’ll still find compromises being made (“we’ll aim for 60% this quarter and increase again next quarter”) and fudges being introduced.

    I saw a great presentation a few weeks ago from a Clinical Quality lead from the UK NHS. He gave some great statistics as to what 99.999% quality means:

    • 6200 ATM errors per week in the UK
    • 18 fatal airline crashes per year, in the UK
    • 2 children given to the wrong parents every day, in the UK

    So. My faulty key might be one component out of 108 on the keyboard and many thousands in the laptop. But it being broken has soured my experience and reduced my perception of quality of the laptop as a whole. While it isn’t up there with a fatal airline crash, it does bug me.

    (As an aside, it’s interesting to note that Qantas are considering suing Rolls Royce for a minor defect in the engines of the A380 Airbus which led to oil leakage and an engine fire. It’s only a small thing, but…)

  • New Data Protection post over on the company site

    I’ve just written a new article over on the company website about Director’s liability for data security breaches. An expert in the Sunday Business Post over the weekend was waving a big stick at Company Directors saying that they could become liable for prosecution for security breaches if Ireland transposes the Convention on Cybercrime into law.

    But this expert missed the important points of Section 29 of the Data Protection Acts 1988 and 2003, which effectively create a cascading liability for the directors, officers, managers, and employees of an organisation that is processing personal data.

    Check out my post here:

  • Bruce Schneier on Privacy

    Via the Twitters I came across this absolutely brilliant video of Bruce Schneier talking about data privacy (that’s the American for Data Protection). Bruce makes some great points.

    One of the key points that overlaps between Data Protection and Information Quality is where he tells us that

    Data is the pollution problem of the Information Age. It stays around, it has to be dealt with and its secondary uses are what concerns us. Just as… … we look back at the beginning of the previous century and sort of marvel at how the titans of industry in the rush to build the industrial age would ignore pollution, I think… … we will be judged by our grandchildren and great-grandchildren by how well we dealt with data, with individuals and their relationships to their data, in the information society.

    This echoes the Peter Drucker comment that I reference constantly in talks and with clients of my company where Drucker said that

    So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT.  The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?

    Bruce raises a number of other great points, such as how as a species we haven’t adapted to what is technically possible and the complexity of control is the challenge for the individual, with younger people having to make increasingly complex and informed decisions about their privacy and what data they put where and why (back to meaning and purpose).

    I really like his points on the legal economics of Information and Data. In college I really enjoyed my “Economics of Law” courses and I tend to look at legalistic problems through an economic prism (after all, the law is just another balancing mechanism for human conduct). I like them so much I’m going to park my thoughts on them for another post.

    But, to return to Bruce’s point that Data is the pollution problem of the Information age, I believe that that statement is horribly true whether we consider data privacy/protection or Information Quality. How much of the crud data that clutters up organisations and sucks resources away from the bottom line is essentially the toxic slag of inefficient and “environmentally unfriendly” processes and business models? How much of that toxic waste is being buried and ignored rather than cleaned up or disposed of with care?

    Is Information Quality Management a “Green” industry flying under a different flag?

  • The Who/What/How and Why

    Data protection and Information Quality are linked in a number of ways. At one level, the EU Directive on Data Protection (95/46/EC) describes the underlying fundamental principles of Data Protection as “Principles for Data Quality”.
    While that is great pub quiz content, it helps to be able to make some more pragmatic and practical links as well.
    On a project a while ago, I was asked to help a client ensure that certain business processes they were putting in place with a partner organisation were data protection compliant. They’d been asked to do this by the partner organisation’s lawyers.
    I leaped into action, assuming that this would be an easy few days of billable. After all, all I needed to know was what data the partner organisation needed when and why to document some recommendations for my client on how to build a transparent and compliant set of policies and procedures for data protection.

    Unfortunately the partner organisation seemed to lack an understanding of the what’s, why’s, when’s, and how’s of their data. This was perplexing as, nice and all as a blank canvas is, sometimes you need to have a sense of the landscape to draw your conclusions against.
    The engagement I had from the partner organisation was focussed on their need to be able to take certain steps if certain circumstances came to pass. While the focus on the goal was commendable, it served to generate tunnel vision on the part of the partner that put a significantly valuable project at risk.
    Goals and objectives (why) are all well and good. But Knowledge Workers need to be able to link these to processes (how) and information needs (what). Deming famously said that if you can’t describe what you are doing as a process then you don’t know what you are doing. I’d go further and say that if you can’t identify the data and information you need to do what you are doing then you can’t be doing it – at least not without massively increased costs and risks (particularly of non-compliance with regulations).
    In the end I made some assumptions about the what’s and how’s of the partner organisation’s processes in order to meet the goal that they had focussed on so narrowly.
    That enabled me to map out an approach to data protection compliance based on a “minimum necessary” principle. And that got my client and their partner over the hump.
    But, from an information quality perspective, not being able to answer the what/why/how questions means you can’t set meaningful measures of “fitness for purpose”. If you don’t know what facts are needed you don’t know if information is missing. If you don’t know what use data will be put to you can’t possibly tell if it is accurate enough.

    So, both Data Protection and Information Quality require people to know the what/why/how questions about their information to allow any meaningful outcome to ensue. If you can’t answer those questions you simply cannot be doing business.
    To paraphrase Deming – we need to work on our processes, not their outcome.

  • John Gormley, Commercial motor tax, and Data Protection Penalties

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection blog. It has been republished here as it is my original work and I’m trying to get all my Data Protection musings in one place. Some links have been updated to point to different targets here and on my company’s website.

    I listened with interest this morning to the media coverage of how John Gormley was introducing a new tax on commercial vehicles. My interest was twofold. My wife used to work in the Motor Tax section of a local authority. She left there nearly 4 years ago. Even then drivers of light commercial vehicles had to sign a declaration that the vehicle was for commercial purposes and not for private use. Back then, she used to have private motorists trying to register their large 4x4s as commercial to avoid the higher rates of motor tax on private vehicles. And I’ve recently written about how penalties for breaches of legislation are the third lever the government has to help balance the books.

    So, the existence of a declaration form isn’t really anything new it seems. What is new is that the Minister is asking people to take it seriously and some penalty is now attached to making a false declaration. It may well be that the specifics of enforcement will be difficult, and it is unlikely that a blanket ban on “mixed use” will ever be 100% effective. But it does show that the Government are seeking to maximise the income they can generate from existing processes by increasing the enforcement and the penalties associated. This is precisely the point I made in my last post on this blog when I wrote about how the introduction of penalties for breaches of the Data Protection Acts was probably inevitable, regardless of when the new Directive comes into being, simply by reason of the State needing to open as many sources of revenue as possible.

    Of course this “change” in the Motor Tax regime is, to an extent, unfair as commercial vehicle owners have gotten used to being able to drop the kids to school and use their vehicles on weekends for leisure purposes etc, enjoying all the benefits of private vehicle use on a fraction of the tax. The media response (particularly from the AA) has been to suggest that the Minister will drive people to buy second cars or is imposing a burden on small businesses. And that is unfair. Personally, I think a change to the motor tax regime where a “mixed use” category would be introduced might have merit.

    However, thinking back to my last post on this blog, would there be as much of an outcry if penalties for breaches of the Data Protection Acts were introduced? Bear in mind that the Commissioner operates on a conciliatory basis, seeking to promote Compliance, not punish non-Compliance. Also bear in mind that breaches of the Data Protection Acts occur when Data Controllers fail to respect the Duty of Care that they owe to individuals to hold their personal data on trust and to respect their privacy. I would suspect that, when penalties are introduced (I say “when” because it will happen either through domestic legislation or further alignment of EU frameworks through a revised Directive) they will be applied only where a Data Controller has failed to act, or acted with willful neglect of their duties under the legislation.

    Where currently the Commissioner can dangle the carrot of constructive engagement and guidance, in the future that will be supplemented by the big stick of fines or other penalties.

    I suspect that penalties that might be levied for breaches such as (for example) operating CCTV without adequate Fair Processing Notices would be quite small (at least initially), perhaps just enough to get the Data Controller to engage with the DPC. But persistent offending might lead to higher penalties.

    In short – only the worst offenders will likely be penalised.

    So, the morning talk-radio interview might go:

    Data Controller: “These new penalties are a burden on us”

    Interviewer: “But they are just penalties for stuff you are supposed to be doing anyway to protect people’s privacy etc.”

    Data Controller: “But it’s a big cost to our business if we get a fine every time we do this”.

    Interviewer: “But you shouldn’t be doing it, and the fine is only imposed after the Commissioner tries to get you to correct your behaviour”

    Data Controller: “That’s not the point”

    Interviewer: “That is the point. If you want to avoid the penalty, stop playing fast and loose with people’s personal data”.

    And that’s the point…  while it may be unfair and burdensome in the land of soundbites to expect a small business owner to buy and run a second car or face a penalty for misusing a commercial vehicle, penalties under the Data Protection Acts would be avoidable simply by complying with the legislation.

    So long as you know the rules of the game, work on being compliant, and respect the Duty of Care you owe to your Data Subjects (all things a Data Controller should be doing anyway) there is no additional burden. As such, any increase in penalties would likely be easier to defend than an increase in taxes or restrictions on how a vehicle is used.

    It would also be easier to enforce.

    So, the call to action from this article? I am suggesting that anyone processing personal data in the course of their commercial activities should start getting their house in order now ahead of any changes which might bring in penalties. Ensure your staff are properly trained in the principles of Data Protection. Start working now to make it part of “how things get done” in your organisation, not “another bloody thing to do”.