Here is someone who recognises that there is a balance to be struck between the right to privacy and protection of the individual citizen and the need for business to achieve its commercial goals. Here is a regulator who has asked for and won the “big stick” of increased powers of enforcement, but who hopes to keep that stick in the cupboard.
To achieve that requires the co-operation of every company using personal data (which is as much as to say every company). Only if organisations create the right culture, through processes designed for privacy, staff training that builds respect for personal data, and technology to secure data flows across and outside the business, will the need to punish remain a threat rather than an action.
Graham understands that regulation has its limits – as he put it, there is “no magic wand in Wilmslow”. Self-regulation has to be a part of how personal information is kept secure and private.
In this respect, both he and UK law in general are running against the tide. Delegates at that conference heard from lawyer Robert Bond of Speechly Bircham that the underlying principle of English law is adequacy, but in most other major regions it is accountability.
This matters as the risks to data subjects of having their records lost or stolen grow. From financial theft and fraud through to ID hijacking, the consequences of something going wrong can be dire. Fining the company responsible is only one part of putting that right – restitution for the victim is another. In that respect, other countries are ahead of the UK and may force it to follow suit.
More immediately, there is still an important fight to be had around cookies and online behavioural advertising. The headbangers in Europe have already passed a potentially limiting ePrivacy Directive. But as Graham notes, it has yet to be enacted into English law and its preamble allows for important “wriggle room”. Like I said, we are lucky to have a pragmatist, rather than an idealist, overseeing us right now.