We have published
our Strategic Plan (2019-2022) which outlines how we plan to deliver effective and independent data protection regulation for the Bailiwick of Guernsey.
The word
strategy is defined as
a plan of action designed to achieve a long term or overall aim and it has its origins in Greek (stratēgia) referring to general command and leadership, mostly in a military context.
In today’s world we often hear it referred to in wider political and management contexts and companies spend a lot of time and money creating and publishing strategic plans.
But why does having a strategic plan
matter?
Whatever our role, individually or organisationally, we need to know
what it is we are seeking or needing to aim for – whether it is selling widgets or running a hospital. A strategy is a way of us thinking about and planning what we need to do to in order to successfully achieve those aims.
But how many of us know what the strategic direction of our own organisation is and where we may fit within that? Too often these documents, which have often taken considerable energy and resource, are launched in a flourish then neglected on a dusty shelf.
The new data protection legislation has given us, at the Office of the Data Protection Authority, the opportunity to reflect on what the law requires of us and how we think we can best deliver on those obligations. But data protection regulation poses unique and complex challenges; it gives every citizen rights and it imposes obligations on every organisation that handles personal data. Essentially, that means that every single individual and organisation in this Bailiwick is, in some way, affected.
The resources available to achieve our intended goals are limited. How we use, or not, those resources has real-world consequences. We cannot do everything or be everywhere. Having a strategy is therefore very important for us because it ensures we are
thoughtful,
honest and
open about how we are approaching our work and utilising our resources.
If our jurisdiction considers data protection as an administrative burden of little value, or worse, as stifling economic success and innovation, we will have failed before we have even started. We will also be likely to have to deploy our resources in a largely reactive way, managing and investigating breaches and complaints
where harm has already been done.
Conversely, if our jurisdiction engages with and understands the need for and the benefits of, regulation, we can continue to
build a culture of good governance and reputation. If organisations get data protection right from the outset, the
risks of harm to individuals are greatly reduced which in turn reduces the resources needed to investigate complaints.
That may sound obvious and straightforward and the reality is that it could be, but we need to
create the right environment and as the regulator we recognise the responsibility we have in supporting and enabling this to happen.
We are clear about where we see the opportunities for the Bailiwick in this modern era. In striving to be a centre of excellence for data, we aim to encourage organisations to build the protection of data into everything they do. We also aim to help them do that by
listening, engaging and providing them with relevant information and tools. Equally, we want each and every citizen to benefit from the protections and rights the law gives them and
feel empowered to demand that those rights be respected.
The way in which we do that
goes beyond looking at sections of law, it is also informed by the culture and values of our organisation. Our new strategic plan sets out the detail of what we want to achieve and how we think we can do that effectively. Strategy is only ever going to be effective when it
actively, purposefully and deliberately shapes events, behaviours and outcomes in the real world.
The impact of poor data protection practice is significant; for individuals because their data
risks being misused; for businesses because their
efficiency and
reputation will be compromised; and the Bailiwick because jurisdictions that do not step up will
fall behind in this fast moving and data-driven era.
Data protection is an
objective of a successful economy, not an obstacle to it. In setting out our strategic direction, we want to demonstrate that we are committed to doing all we can to build on and enhance the work already done. But the publication of our plan is just the beginning, because strategy is something that needs to be
done, not just written.
READ: ODPA Strategic Plan (2019-2022)
Next steps
Our Strategic Plan is a live document borne out of months of considered effort from the Commissioner and The Data Protection Authority Members and Chair. We have listened to feedback received from our regulated community during this process, and continue to invite feedback, which will be taken into consideration when we update this Strategic Plan in 2020.
If you would like to give us feedback please send your comments to communications@odpa.gg.