“A lot of us come from environments where our governments are very quick to pass these (data protection) laws. And invariably it’s a lot easier to push for legislations to be passed. But then, when we setup these institutions, one thing we find is that we do not resource them,” said former Executive Director of Ghana’s Data Protection Commission, Teki Akuetteh Falconer.
Falconer along with Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, and Raymund Liboro, the Chairman of the Philippines’ National Privacy Commission, made these comments in a conversation with Malavika Raghvan (Future of Privacy Forum) at PrivacyNama 2021, a global conference on privacy regulations held on October 6 and 7.
India’s proposed Personal Data Protection Bill has provisions for setting up data protection authorities. Since the bill will be passed sooner or later, it is important to note the kind of problems countries with data protection authorities have faced while trying to set up these institutions. Here’s what the panelists had to say about what makes a DPA tick:
First, get your leadership right
“One of the key recommendations that I will make is that, beyond the passage of the laws, we need the right political buy-in leadership,” said Falconer.
She said it is important to have the right person at the top because a data protection authority would essentially be a new institution and very few people would familiar with it. Giving an example from her time in Ghana’s Data Protection Commission, Falconer said:
In our case we had a very good driving chair that was a retired Supreme Court justice that was highly respected with a lot of knowledge around human rights issues. We had people like the government, statisticians sitting on our board, and it really gave a lot of credence to the organisation that they created.
Without going into specifics, Liboro said, “There is no particular playbook in organising data protection authority. However for starters, as an authority, you have to assert your leadership. So many of your constituents will be looking to you for leadership and clarity. So really I think the aim always of the DPA is to provide clarity, and that includes now, again breaking down these concepts from really theoretical concepts into something that they can see some benefit from.”
Support MediaNama’s endeavor to enable meaningful conversations around technology policy. Subscribe here.
Resources, resources, and more resources
Falconer recounted how it took more than three years since 2012 before Ghana’s DPA got the first approval to hire permanent staff for the institution. This was mostly because there was not enough financial backing for the institution back then, and also because there was a lack of human resources.
“Another challenge that you are going to face, is regarding the human resource capacity that is needed. We did not even have the adequate resources to even hire people that had the knowledge and skillset to be able to help us. Putting in place the right resources is really going to help enable the organization,” she said.
Build awareness to make data privacy legislations more humane
“What we did in the Philippines is that we came up in a very first year with a very strong awareness campaign… Complaints will not happen overnight, Nikhil. It will gradually build up because people become more aware,” Liboro said while explaining the importance of taking out an awareness campaign to kickstart a DPA.
He added that while these awareness drives are being carried out, one can use that time to build capacity and train personnel. “That’s why here in the Philippines what we did was really promote the role of data protection officers. We understand that we will never have enough sufficient resources to enforce our law, so we need allies, we need deputies. So we had to deputize, and we did that,” Liboro said.
You have to push in a lot of awareness in demystifying the subjects from the technical point of view to a more humane, a more human-centric environment where people can now personally identify with the data protection issues. That also helps with creation of more awareness and dissemination — Falconer
Falconer also reiterated the need to spread awareness but with the help of media. “We did not have any resources at all, and so we had to even leverage on traditional media, and they become like our partners in disseminating and identifying public issues around data protection, and we always use those opportunities to further heighten awareness,” she said.
Decrease friction with other regulators and reduce turf wars
When one or two government institutions have similar rules, or their functioning clashes with each other, it often turns into a powerplay issue. This is not very uncommon in governments and as Falconer pointed out, it could have very well been possible during her stint in Ghana’s data protection commission if the right appointments had not been made at the beginning.
One of the best ways of handling those power role issue and powerplay challenges around the leadership and institutional drive is to ensure that most of those people in critical institutions had place in the governing structure of the regulator. So, for instance, our regulator had a key institutional role. — Falconer
She further explained, “We had the communications regulator on our board; we had the ICT authority on our board; we had the central bank representative on our board; we even had ICT institutional reps, association reps on our board. And what that meant is that we were then able to, at the board level, create a system of buy-in from these critical sectors and institutional people to actually help push and disseminate the importance of the decisions that we had taken in the board room which was then going to come up.”
MediaNama hosted this event with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners – the CyberBRICS Project, the Centre for Internet and Society, and the Centre for Communication Governance (NLU Delhi).
- How To Be A Chief Privacy Officer – #PrivacyNama2021
- How Is China’s Data Protection Law Different From EU’s GPDR? #PrivacyNama2021
- The Chasm Between Passing A Data Protection Law Vs Actually Implementing It – #PrivacyNama2021
- Digital Sovereignty: Will It Actually Drive Economic Value And Will That Compromise Privacy? #PrivacyNama2021
Have something to add? Subscribe to MediaNama here and post your comment.