We have published our Strategic Plan (2019-2022) which outlines how we plan to deliver effective and independent data protection regulation for the Bailiwick of Guernsey.
The word strategy is defined as a plan of action designed to achieve a long term or overall aim and it has its origins in Greek (stratēgia) referring to general command and leadership, mostly in a military context.
In today’s world we often hear it referred to in wider political and management contexts and companies spend a lot of time and money creating and publishing strategic plans.
But why does having a strategic plan matter?
Whatever our role, individually or organisationally, we need to know what it is we are seeking or needing to aim for – whether it is selling widgets or running a hospital. A strategy is a way of us thinking about and planning what we need to do to in order to successfully achieve those aims.
But how many of us know what the strategic direction of our own organisation is and where we may fit within that? Too often these documents, which have often taken considerable energy and resource, are launched in a flourish then neglected on a dusty shelf.
The new data protection legislation has given us, at the Office of the Data Protection Authority, the opportunity to reflect on what the law requires of us and how we think we can best deliver on those obligations. But data protection regulation poses unique and complex challenges; it gives every citizen rights and it imposes obligations on every organisation that handles personal data. Essentially, that means that every single individual and organisation in this Bailiwick is, in some way, affected.
The resources available to achieve our intended goals are limited. How we use, or not, those resources has real-world consequences. We cannot do everything or be everywhere. Having a strategy is therefore very important for us because it ensures we are thoughtful, honest and open about how we are approaching our work and utilising our resources.
If our jurisdiction considers data protection as an administrative burden of little value, or worse, as stifling economic success and innovation, we will have failed before we have even started. We will also be likely to have to deploy our resources in a largely reactive way, managing and investigating breaches and complaints where harm has already been done.
Conversely, if our jurisdiction engages with and understands the need for and the benefits of, regulation, we can continue to build a culture of good governance and reputation. If organisations get data protection right from the outset, the risks of harm to individuals are greatly reduced which in turn reduces the resources needed to investigate complaints.
That may sound obvious and straightforward and the reality is that it could be, but we need to create the right environment and as the regulator we recognise the responsibility we have in supporting and enabling this to happen.
We are clear about where we see the opportunities for the Bailiwick in this modern era. In striving to be a centre of excellence for data, we aim to encourage organisations to build the protection of data into everything they do. We also aim to help them do that by listening, engaging and providing them with relevant information and tools. Equally, we want each and every citizen to benefit from the protections and rights the law gives them and feel empowered to demand that those rights be respected.
The way in which we do that goes beyond looking at sections of law, it is also informed by the culture and values of our organisation. Our new strategic plan sets out the detail of what we want to achieve and how we think we can do that effectively. Strategy is only ever going to be effective when it actively, purposefully and deliberately shapes events, behaviours and outcomes in the real world.
The impact of poor data protection practice is significant; for individuals because their data risks being misused; for businesses because their efficiency and reputation will be compromised; and the Bailiwick because jurisdictions that do not step up will fall behind in this fast moving and data-driven era.
Data protection is an objective of a successful economy, not an obstacle to it. In setting out our strategic direction, we want to demonstrate that we are committed to doing all we can to build on and enhance the work already done. But the publication of our plan is just the beginning, because strategy is something that needs to be done, not just written.
Our Strategic Plan is a live document borne out of months of considered effort from the Commissioner and The Data Protection Authority Members and Chair.
We have listened to feedback received from our regulated community during this process, and continue to invite feedback, which will be taken into consideration when we update this
Strategic Plan in 2020. If you would like to give us feedback please send your comments to email@example.com.