What would data protection look like if we started with a blank sheet of paper? This is a fantasy. It will never happen. Even the dream gets clouded by what already exists. But dreams are healthy and sometimes gives valuable insights.

Let’s start with the basics. The New General Data Protection Law (NGDPL) must be short, clear and simple. It must not be incomprehensible to the general public, let alone the organisations (small and large) which are supposed to observe its requirements. There must be something wrong when a law needs 173 Recitals and 99 Articles and still gives rise to uncertainty or confusion, even amongst its regulatory bodies. It should be written in Plain Language and require all information provided to data subjects to be in Plain Language. And my fantasy gets rid of the jargon. Certainly no more “data subjects” - meaningless and subjugating to most people. Let’s stick to men, women, children, consumers and citizens.  

And let’s aim to keep the paperwork (or digital communications) to the absolute minimum. Transparency is fundamental, but bombarding people with gobbledegook privacy policies serves little purpose, especially where the small print effectively obscures dubious activities. Worse still, creating a complete world of liars who confirm they have read and understood the garbage. The “notice and consent” approach to data protection should long since have been dead and buried.

To be less prescriptive and less process-based, NGDPL must be crystal clear with its Objectives. It must set out what it intends to achieve. Better still, it should state what it seeks to avoid. Good laws prevent evil, rather than promote virtue. This largely means that the new Law should be based on Harms from the misuse of personal information. This is a great deal more concrete than abstract references to fundamental rights and freedoms which prove actually not to be fundamental at all.

What harms? Any unlawful, unfair or deceptive use of personal information should be outlawed. So too should any sharing or use which breaches confidentiality or exceeds the person’s reasonable expectations. Beyond that, the risk-based approach provides most of the answers. Inaccurate, out-dated or wrongly-obtained personal information which leads to tangible harm - whether physical or economic – should clearly be prohibited. This includes bodily harm, loss of liberty or freedom of movement and financial loss. Intangible harm covers such matters as reputational damage, personal, family or social detriment, chilled freedom of speech and other unacceptable intrusions into private life. Societal harm which damages democratic values must also be covered, for example excessive state or police power and loss of social trust.

The important point about a harms-based approach is that it will send clear signals to everyone about what the Law is aiming to achieve. It also shifts attention to outcomes. Organisations should stop things going wrong or harms occurring – unacceptable outcomes - and be held accountable if they fail. This is better than lots of detailed procedures (e.g. on international transfers) which are driven by what might go wrong. Accountability for outcomes is better than accountability for “demonstrating compliance” with largely procedural requirements.

NGDPL will of course recognise that the digital world is global and so have worldwide application, or at least cover all liberal democracies. (I repeat this is a fantasy.) It will especially target governmentally-held data (including police and security forces). This recognises that governments have wide mandatory powers to obtain data, hold much more than commercial bodies, are not restrained by competitive pressures and can cause much greater harm when things go wrong.

The top priority for Supervisory Authorities should be to help organisations to “get it right”. The new Law needs to give them strong enforcement powers, but expect these to be concentrated on deliberate, high-risk or repeated non-compliance with the Law or situations where substantial harm actually has resulted. And all complaints should be diverted to Ombudsmen or similar institutions, rather than distracting from normal regulatory functions.

The blank sheet of paper does not exist. NGDPL will never be enacted. Perhaps a dream may be a nightmare for others. Or, perhaps a fantasy could at least be a starting-point for simplifying existing laws.

As we scan the landscape of digitisation across enterprises, be it Banking, Retail, Travel, Public Services, along with post-pandemic Healthcare and Education too, the platformisation of technology and business has really come centre stage. Every enterprise and public agency, is crafting their digital journey where services are designed harnessing data driven innovation. Services to consumers and citizens are curated and designed from the ground up for smart devices, typically with a cloud-first/native strategy, integrating with a host of ecosystem partners and platforms through APIs and Apps. The volumes of data and velocity of Apps development has seen unprecedented momentum, and post-pandemic, it has only accelerated several notches. The digital economies across the world riding on the internet and cloud platforms have created connected global Data Grids. Companies, Governments, and consumers are contributing to this digitisation but also bringing to fore the many challenges on the state of cybersecurity and privacy in this data driven world.

While every country is pursuing a fast-paced growth trajectory of its economy, riding the digital wave with data as its new currency, Governments and Regulators worldwide are caught in this conundrum or Holy Grail of making businesses balance privacy and user trust with data driven business growth. Consumer trust and regulatory scrutiny are the two major challenges that businesses worldwide transitioning to a Digital and a Data Enterprise must grapple with. They must also demonstrate increased accountability and transparency with their data practices.

CEOs and Boards of technology-led enterprises are now beginning to give attention not just to Cyber Risk but some Governance and Policy dimensions around Data. This leadership attention to company’s Data Strategy and sustainable growth is not driven just by evolving Global Regulations but also in equal measure to position themselves as a trustworthy data fiduciary in the eyes of its users and consumers. It’s only a question of time before every “Corner Office” or Board Room, even if in the short term, over their virtual calls, discussions with their teams, delve into:

• Rapidly evolving regulations and laws around data protection and privacy and company’s readiness to conform in every geography they operate in.
• Is the company being transparent and accountable of their data practices and AI-based innovation strategy and are they being responsible enough in their data-centric innovation for their new products and services?
• Is Inclusion and Fairness driving the company’s data practises and ensuring algorithms are not comprising the company’s business ethics and values both with consumers and employees?
• Is the company ready for a paradigm shift in accepting the consumer as a key stakeholder and enabling a user-first approach to their products design and privacy practices?
• With new expectations from governments and communities to democratise and open up data for larger public and social good, is the company crafting a data strategy that can meet these new demands without diluting its market positioning and profitability?
• Does the company fully comprehend ramifications of balancing privacy and user trust with National Security and Lawful access requests for Crime Investigation?
• With global discourse around Data Monopolies and Competition and regulatory scrutiny on Big Tech, will there be an impact on company’s ecosystem partnerships and going global?
• Is the company crafting a focus on ecosystems collaborations and partnerships with start-ups to harness the real power of data centric innovation?
• Is the Company doing enough in educating employees and users about being Privacy-Aware and staying safe online?
  
  

In the short term, while there is a lot of public discourse and a worrying regulatory and civil society scrutiny around business’ data practices, I remain positive that every technology-led business will make users and their expectations of Privacy central to their digital strategy. There are already many enterprises leading the way in making privacy and consumer trust as a foundational pillar of their digital business and the benchmarks they are setting, will ensure that their peers and even competitors take a cue.