I have a confession to make. It is probably hard for all you well organised IT lawyers and academics to understand, especially the data protection practitioners. But the awful truth is that I am not sure what we are going to serve for Christmas dinner this year. What’s more, I do not yet know how much we are going to spend on Christmas. In a recent survey of the Eastham household, the state of preparedness and planning for this event was put at 2% (we thought we would probably get a turkey) – that’s 98% unprepared. The costings awareness was even lower as there was no agreement as to whether we should get a big turkey or a small one; research did reveal that we still had cranberry sauce and it was not going to be much past its sell-by date by Christmas. Despite that rigorous research, lack of costings awareness was put at 99%. In my defence, while we have a fair idea that Christmas will happen, and pretty much when, we don’t know if anyone is coming for Christmas – eg, the daughter might be in Cameroon. We might even get asked to the son’s house and not need to buy a turkey at all.
That’s not {i}really{/i} the confession. My shame arises from being fool enough to report on the recent ICO-commissioned survey based on the ICO press release. As you may be aware if you read {our news item: http://www.scl.org/site.aspx?i=ne32305}, according to the survey, 87% of companies were unable to estimate likely costs of the EU’s data protection reform proposals to their business. I was uncritical when I should have been shocked. Why was it not at least 98%? No wonder some companies and the UK economy are struggling if there are staff willing to spend time estimating the costs of a data protection reform that has not happened and which remains subject to (at the last count) 3,000 amendments. My confession is that I reported the development as though it was disturbing news when in fact it was reassuring.
For example, there was consolation in learning that 82% of survey respondents were unable to quantify their {i}current{/i} spending on data protection. That suggests that the vast majority of businesses have recognised data protection as a mainstream activity, woven into the fabric of their activities and thus incapable of being quantified. More good news is that the vast majority of the businesses that would be required to appoint a data protection officer already have someone doing the job so that one of the main supposed extra costs of the reform package dissolves.
But I am beginning to draw conclusions from a flawed report. The suggestion from the Information Commissioner is that the report shows that the old estimates on costs are so highly questionable that we need to know more – we need ‘valid evidence’. But I am afraid that what the report indicates to me is that most businesses have decided that the data reform package is too uncertain in shape and timing to be grappled with now. And they are right. The report authors, like researchers presenting every report I read on any topic, suggest that more research is needed. But there are times when the only valid response to coping with a future development is to leave the problem until later – and most businesses appear to be taking that line. So what can further research unearth?
When Christopher Graham says that legislation of this importance should not be based on guesswork, most people would agree. Guesswork has a bad name. But this legislative package is based on a series of principles and a good deal of practical experience across many countries. The fact that some predictions of consequences, including the costs to business, are based on estimates that are guesswork in its party dress does not invalidate the whole. We just have to ‘man up’ and accept that some uncertainties cannot be made certain just now. In this instance, the time for further research is a long way off – maybe a bit nearer to Christmas?