As part of RMOK’s ongoing conversation on AI and Data law challenges, we were asked to look at two papers prepared by the Centre for Information Policy Leadership (CIPL). 

The first paper emphasises the importance of a holistic data strategy for organisations. It argues that data should be viewed not just as a compliance issue but as a strategic asset that drives business growth, innovation, and competitiveness. We totally agree and we are sure our clients do too.

The document outlines a roadmap for integrating data governance across business silos, fostering interdisciplinary collaboration, and aligning data initiatives with corporate values and ESG goals. Key steps include expanding the vision of data as a business enabler, building trust and reputational integrity, breaking down silos, mitigating data risks, harmonising compliance obligations, and implementing accountable and ethical data practices. The paper also highlights the role of the Board and C-suite in leading this transformation and the benefits of a holistic approach to data strategy.

CIPL report: “Building Accountable AI Programs” (Feb 2024)

Most recently, CIPL published  “Getting the Best Outcomes – Pathways for Data Protection and Privacy Authorities” (Oct 2024).

The "Pathways to Effectiveness" outlined in that report are designed to guide Data Protection Authorities (DPAs) in maximising their regulatory effectiveness.

Pathways to Effectiveness

1. Priorities are Essential

• Currently, DPAs have too many functions, are often seriously under-resourced, and are unable to fulfil all their duties.

2. Selective to be Effective

• In setting priorities, DPAs have to be "Selective to be Effective." They should adopt a Risk-Based Approach to all their functions—supervision, guidance, and enforcement.

3. Prioritise Leadership

• DPAs should prioritize Leadership by promoting the responsible use of personal information and helping organizations get it right.

4. Fines as a Tool

• Fines resulting from enforcement action need to be one of the tools in a DPA’s toolkit. However, evidence suggests that fines a priori or alone do little to significantly alter behaviour or contribute much to declared Outcomes.

5. Enforcement Orders

• Where a sanction is warranted, Enforcement Orders requiring a change in behaviour will usually be a more effective remedy.

6. Efficient Use of Resources

• The complaint-handling function is not an efficient use of scarce resources and will not contribute directly to overall effectiveness.

7. Complaints as Intelligence

• DPAs should use complaints as an important source of intelligence, but as far as possible, aim to restrict detailed investigations to cases of strategic value and explore other avenues such as amicable settlement procedures and referring complaints in the first instance to the controllers and processors concerned.

8. Define KPIs

• DPAs should define KPIs to measure their success—the size or number of fines is not an appropriate measure.

9. Coordinate Approaches

• DPAs should strive to coordinate their approach through relevant cooperation bodies to limit fragmentation. This also includes working with other digital and data regulators in a more formalized and institutionalized manner.

10. Risk-Based Guidance

• Guidance must be risk-based, authoritative, usable, in plain language, and targeted to identified audiences.

11. Constructive Engagement

• Constructive engagement between DPAs and regulated entities is an important tool for achieving common goals of responsible data handling. This is even more important given the complexities of transformative technologies and broader digital transformation of our societies and economies.

12. Support and Accountability

• DPAs should strive to help those who want to get it right while being tough on those who do not. Specifically, DPAs should support and encourage organizational accountability, especially given its potential to deliver and demonstrate effective and risk-based data protection and responsible use of data in practice.

Subscribe Now for more RMOK updates and news.