The IAPP reported the highlights of the annual International Conference of Data Protection and Privacy Commissioners, held in Hong Kong this September.
They noted a great diversity among the privacy authorities, but the goal was to analyse what the universal requirements are for a good DPA. The aim was to help DPAs stay as effective as possible in practice. Former ICO Richard Thomas stressed that a result-based approach is essential. Guidelines aren’t worth much if they are not put into practice properly.
CIPL devised a set of principles to accomplish that. DPAs should primarily produce cost-effective outcomes. They must promote responsible data use while at the same time fostering innovation. Protection of individuals should be their highest priority.
DPAs should be transparent and accountable to both the public and the national parliaments. The importance of consistency cannot be overstated: it is essential to apply the same criteria no matter whom the DPAs are dealing with, unless, of course, derogations and special conditions apply, as they do in the GDPR.
CIPL stresses that honest cooperation and dialogue between the DPAs and the companies are the best way of ensuring continuous compliance. DPAs should in particular assess whether the companies are acting in good faith during investigations. Fines and punishments should be reserved only for very negligent and deliberate offenders. We have yet to see how this will be applicable in the GDPR environment, since the fines can be enormous.
Interestingly, they indicate that dealing with individual complaints can be resource-consuming and impede wider strategic goals. This is at odds with the GDPR requirements, where every complaint deserves a reply and an inquiry. DPAs could get so overwhelmed they might not even have time to deal with serious breaches.
Furthermore, a DPA must not turn into a complaints office. Proactive involvement is essential for quality work. DPAs aren’t policemen, stresses Mr Thomas.
It remains to be seen how well this will go in the EU, since many DPAs cite a serious lack of funds, which could impede their preparations for the GDPR.
Irish DPA Helen Dixon, reports the IAPP, warned against the trend of “FTC-ization”, where the regulators focus on a single company and ignore all other wrongdoers. While making an example of a misbehaving company can serve as a warning, it’s very unfair.
The guidelines above are an ideal that can be difficult to reach. The authors themselves are aware of that, but proper management even of very limited resources can bring about great benefits. Without clear goals in sight, even well-funded DPAs can perform poorly. That was the aim of the conference – to discuss a practical set of rules that DPAs, both small and large, can work towards achieving.
The conference proceedings can be downloaded here.