Backwards Momentum

To quote from their website, “Momentum is a people-powered, vibrant movement. We aim to transform the Labour Party, our communities and Britain in the interests of the many, not the few.” Founded by Jon Lansman and others in 2015, it arose out of the successful campaign to get Jeremy Corbyn elected as Labour Leader. From the beginning, as well as being evidence of a new type of politics in terms of policy and approach, Momentum exemplified the importance of personal data to modern politics.

An awful lot of bullshit has been talked about data and politics in the UK – witness the investigation into political parties’ use of personal data announced with great fanfare by the Open Rights Group, which culminated in a hilariously anti-climactic report where ORG had to admit that the worst thing they could say about political data exploitation is how ineffective it is. Ignore the Guardian headlines and Liz Denham’s interviews on Channel 4 News, Momentum is a real example of the power of data. It is a political movement built on a mailing list. After Corbyn was elected, the founders of Momentum used the lists of Corbyn supporters created during his leadership campaign as the foundation of the organisation. This isn’t my opinion – it’s what Momentum says about itself: “The company was originally incorporated at the very beginning of Jeremy Corbyn’s 2015 leadership bid to collect and manage the data collected during that election and in order to maximise the retention of data for use after the leadership campaign to benefit the movement which would arise from it.”

A few days ago, the National Coordinating Committee for Momentum held elections. Lansman, who was previously chair of the organisation, didn’t stand for reelection, so Momentum is under new management. However, it is not entirely in power and at its first meeting, the NCG sought to rectify that. According to Labour List, “members voted in favour of putting Momentum’s data – currently owned by Lansman, who is no longer on the ruling body – in their own hands. They are confident that this handover will take place.”

Technically, the data isn’t owned by Lansman. Momentum’s website says that it is owned by ‘Jeremy for Labour Ltd’, a company that provides data services for Momentum. Strictly speaking, this isn’t true either: the company is called ‘Momentum Information’ but it’s not hard to understand why the Momentum web people are confused because the company does have a habit of changing its name. It started as ‘Jeremy Corbyn Campaign 2015 (Supporters) Ltd’, then became ‘Momentum Campaign Ltd’, then transmogrified into ‘Jeremy for Labour Ltd’ in 2016, finally blossoming into ‘Momentum Information Ltd’ on 30th December 2019. It’s like a really boring version of Doctor Who. However, when you look at the current directors of Momentum Information, there’s only one, and it’s Jon Lansman.

Momentum isn’t a company or a political party. It is an “unincorporated association of individual members” with a written constitution, run by the NCG. According to their website, the data owned by Momentum Information “cannot be shared with any organisation, including Momentum” but “the privacy policy does permit Jeremy for Labour Ltd to inform people of campaigns and activities linked to Jeremy Corbyn’s campaign aims, such as the activities of Momentum which grew out of Jeremy’s leadership bid and shares its aims and values”. Momentum is in the astonishing position of being a member organisation which – as far as I can see – does not know who all of its members are and is not allowed to contact them directly without (effectively) Lansman’s cooperation. It’s possible that by now the unincorporated association has accumulated some of its own data, but it seems clear that Lansman has kept control of the data mother lode, and while he no longer chairs Momentum, the data gives him huge power over it.

If Momentum members have access to the data held by Momentum Information and they try to use it, that would be a criminal offence unless Lansman or his representatives authorise it. This is why there needs to be a ‘handover’. Of course, Lansman may well accede to the democratic vote of the NCG and give them the data. I am an evil centrist who doesn’t really understand the internal politics of Momentum (I rejoined Labour solely to vote for whichever of Keir Starmer or Lisa Nandy looked more likely to beat Rebecca Long-Bailey), so I don’t know what Lansman’s move will be. The funny thing is, purely in Data Protection terms, it’s probably unlawful for him to disclose the data without a lot more work.

I’m basing this on the information Momentum itself has put into the public domain, so if I have this wrong, it’s because I’ve been misinformed by them. But that sentence in the company structures section of their website isn’t ambiguous: the privacy policy doesn’t allow sharing with Momentum. If that’s what the people on whatever database Momentum Information controls were told, it would be a significant breach of fairness and transparency for their data to be shared in a way that contradicts this. Never mind that many Momentum members might be fine with it, the transparency problem has to be overcome, and we’re talking about many thousands of people needing to be contacted.

Being a member of Momentum plainly reflects your political opinion, so Momentum Information needs a special categories exemption to disclose the data. The most obvious one would be “processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”. If you read all the way to the end, you can see the problem – it explicitly rules out disclosure. There are only two other possibilities – substantial public interest or explicit consent. I don’t think that there’s a *public* interest here, just a significant private one, but if you disagree, a controller can only use substantial public interest if they can meet a condition from Schedule 1 of the Data Protection Act 2018. Feel free to read them if you want to, but I can tell you that none of them apply. The NCG vote is irrelevant – unless the relevant people consent to the disclosure, it’s unlawful even if Lansman wants it to happen.

I said I don’t know Lansman’s motives here, but surely none of this is an accident. Whether or not he chairs the unincorporated association, it strikes me that Lansman still holds the reins. Momentum is probably nothing unless it can talk to its members, and right now, only a mass consent gathering exercise will allow that. Of course, Momentum’s account of the company structures may be incorrect and there’s a loophole somewhere. But forget the guff about micro targeting and brainwashing by Facebook, if there is a standoff between the NCG and Lansman, it’s about who controls a major political movement, and it’s based solely on access to personal data. The Information Commissioner will run a mile from intervening, as they always do when faced with issues in Labour and Left politics, but it’s an awesome demonstration of the power of data.

Two pints of FUD and a packet of pork scratchings please

As the pubs open, a huge amount of fuss has been made about the requirement placed on pubs to collect personal data for the purposes of the track and trace system. Local papers and websites buzz with articles that are plainly just law firm press releases, and the LinkedIn Snake Oil Salesmen awoke from their slumber to offer advice to unwary publicans. Some even wondered aloud how pubs would cope with being data controllers for the first time, despite all of them having employees, and most taking bookings and doing marketing.

Guidance from the government sets out what is expected:

“You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks.”

The data pubs and restaurants should collect is as follows:

“customers and visitors:

  • the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
  • a contact phone number for each customer or visitor, or for the lead member of a group of people
  • date of visit, arrival time and, where possible, departure time
  • if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer”

A few interesting questions do arise. The first, which doesn’t seem to have provoked much debate, is whether GDPR applies at all in this situation. If a pub or restaurant stores the data in a spreadsheet or other electronic system, GDPR applies because in the words of Article 2, it is processed by automated means. But what if the pub uses a notebook or index cards to store the data? There’s a strong argument to do that, because it would make it much easier to keep the data separate from other customer data that the pub might have. Moreover, it’s possible that a notebook structured solely in date order doesn’t meet the definition of a filing system, which is a “structured set of personal data which are accessible according to specific criteria”. Certainly, if the Data Protection Act 1998 was still in force, the answer would be no. A date-ordered notebook would fail the ICO’s famous ‘temp test’ (can a temporary member of staff find personal data without searching every page?), and there is out-of-date guidance on the ICO’s website that confirms that chronological storage isn’t a relevant filing system. However, that was the DPA 1998, although the definition of a filing system is very similar in the 1995 Directive and the GDPR. Would date order meet the requirement for “accessible according to specific criteria”? I can’t find the data about Tim Turner without searching every page, but I can see all the named individuals who were in the pub on July 4th, so is that enough?

Given that the ICO isn’t going to touch this with a bargepole, the only way that this might be tested is in the courts. The European Court of Justice has looked at filing systems before in the Finnish Jehovah’s Witnesses case. This was under the old Directive, but they found that the ‘specific criteria’ by which the data are accessed should relate to people. I can’t find the phrase anywhere, but the ICO shorthand used to be ‘structured by reference to individuals’. The Jehovah’s Witnesses’ manual records were structured to keep track of specific people and organise subsequent visits, and so were found to be a filing system. I’m probably unduly influenced by having worked with the DPA 1998 for so long, but my instinct is that if a handwritten record is kept in date order, and not structured to provide easy access to identifiable people, it’s not personal data in the first place, and so no GDPR obligations arise to the publican armed only with a pad and pen (my advice is a nice Lamy or Pilot pen; only barbarians use freebie biros).

But let’s assume that I’m wrong, and the data is personal data captured by the GDPR. I had a conversation with someone on Twitter yesterday who believed that the Data Controller was Public Health England, and that pubs, restaurants and other businesses are data processors on behalf of PHE. He made the point that if this was correct, then none of them would have a contract with PHE, and so there would automatically be a massive data protection infringement. I disagree. The pub owners are under no obligation to process the data – if they participate, they are choosing to do so. If you decide whether and how to gather the data, it strikes me that you have at least some involvement in determining the purposes for which the data is processed. PHE have issued no instructions about the means of the processing (hence pubs and restaurants being able to choose between automated and manual processing). If every venue was a processor, it’s true that PHE would be under an obligation to issue contracts to them all, and they would be liable for every infringement that occurred in an establishment that hadn’t signed up. I’m not saying that this is impossible (the NHS is no stranger to pretending that organisations who have zero choice or input into the purposes and means of processing are data controllers), but I’m more comfortable with the idea that hospitality venues are joint data controllers with PHE. If a pub does something daft with data they have chosen to process, it seems an odd interpretation of the law to hold PHE responsible.

Someone’s going to say vicarious liability, and I’m going to wait for the court case.

Depending on the context, the data collected might look like contact details, but it could easily lead to inferences and risks that the venue needs to take seriously. If I went to the Old Man Pub down the road from me, you wouldn’t infer much about my presence there other than a liking for darts and bright lighting. But if I went to G-A-Y in Manchester, you might reasonably draw conclusions about my sexuality. The venues ought to look after this information very carefully, assuming they didn’t already collect data about these customers. But those people determined to predict a datapocalypse as a result of these measures are leaping several steps ahead. Most venues will take sensible measures to keep this data safe because most people aren’t stupid, and venues that cater to vulnerable clients or those who have heightened concerns about privacy are almost certainly aware of these issues already. The chances that data will be lost or stolen are probably low (especially if they go for a simple spreadsheet or manual record that is stored somewhere safe).

But if something does go wrong, unless it involves significant risk to the customers, the chances of a big data protection enforcement case from the ICO are virtually nil, and despite the lip-smacking enthusiasm of some lawyers, the prospects of lucrative litigation are fairly dry. And with that, I am going to do my civic duty by walking through the rain to the Old Man Pub, getting blind drunk and catching Covid-19 like all patriotic Englishmen should*.

* SPOILER ALERT: I am going to wait for John Lewis to deliver my new Fridge Freezer.

Role playing

A few weeks ago, the Data Protection world was shaken by a decision from the Belgian DP Authority to fine an organisation €50,000 after they appointed their Head of the Compliance, Risk Management and Audit department as their Data Protection Officer. I’ve commented before about my frustration that too many organisations are unable to comprehend the independence and relative freedom of the DPO role as anything other than a senior-level job – in such places, the role is a DPOINO, a Data Protection Officer In Name Only, with a younger, more junior but much more expert person actually carrying out the role. The DPOINO in these organisations is usually a middle-aged white man, and the real DPO is a younger woman. I imagine you are shocked to read this.

The Belgian decision is not ridiculous – it is difficult for someone in a senior position to escape decisions about hiring and firing (for example) or system design, activities that risk dragging the incumbent into determining the purposes. If the DPO was less senior, even in the same department, the risk of conflicts of interests would be lower. There are better, more imaginative models, but I think seniority is always fatal. Needless to say, some commentators have drawn other conclusions.

Writing for Scottish Housing News, Daradjeet Jagpal questioned whether it was time for his audience (Registered Social Landlords in Scotland) to review their DPO appointments. Despite this being a single case in a foreign jurisdiction with tenuous direct application to a non-EU country like the UK, Jagpal fell back on the consistency mechanism, and warned his readers that the ICO might adopt the same approach, skipping over the fact that Wilmslow’s approach to the GDPR has been to go to sleep. A quick survey of the possible candidates – mainly heads of various RSL departments – finds that none of them make the grade for Jagpal, and rather patronisingly, he dismisses the idea that a Corporate Services Officer would be “comfortable or sufficiently confident to challenge the CEO on non-compliance”. Take that, many DPOs who I know and love.

Jagpal comes to the conclusion that “The obvious solution is for RSLs to appoint an external DPO” which is remarkable, given that Jagpal is described in the article as “a leading provider of outsourced DPO services to RSLs across Scotland”. I’m not suggesting that he’s over-egging the Belgian decision for nakedly commercial purposes, but he does place weirdly heavy emphasis on EU standards and pressures which are clearly either dead or dying for Brexit Britain, and he barely entertains the idea that Scottish RSLs might just appoint a DPO in-house.

To be fair, the Belgian decision is a real thing that happened, and while I disagree with Jagpal’s assessment of its implications, he’s accurately described the situation. The same cannot be said of everyone in the outsourced DPO sector. In a webinar hosted by everyone’s favourite LinkedIn spammers, Data Protection World Forum, the CEO of The DPO Centre, Rob Masson decided to get creative. Masson spoke of the “quite strict guidelines” (AKA legal requirements) about who can be a DPO and the importance of avoiding conflicts of interest. He went on to say “we’ve got to remember that the role of the Data Protection Officer is to represent the needs of the Data Subjects. It’s not necessarily to represent the needs of the organisation.”

None of the specified DPO tasks refer to data subjects. They require a DPO to advise the organisation on data protection matters, monitor its compliance with the GDPR and other laws, advise on and monitor the effectiveness of data protection impact assessments, and liaise with the Information Commissioner’s Office. If you wanted to be exceptionally generous to Masson, you could interpret the whole of the GDPR as reflecting the needs of data subjects to have their personal data properly regulated, and from there spin the DPO’s role as a facilitator of that. But that’s also nonsense. It’s as much in the interests of an organisation that the personal data they use is accurate and secure as it is for data subjects. The GDPR sometimes allows controllers to retain data despite a subject’s objection, to keep processing secret from them when it might prejudice certain purposes, and to balance their own wish to use data against the impact on the subject, deciding to use it without consent when they think they’ve assessed the situation properly.

If we’re talking about the needs of the organisation, I’d argue that most of the GDPR’s requirements reflect the needs of the controller. Some organisations are too lazy or stupid to see it, or they’re getting advice from the wrong people. It might seem like disposing of personal data that you genuinely don’t need any more is an unwelcome imposition, but it’s very much the healthy option. To use Masson’s own word, GDPR is the spinach that the organisation *needs*, even if it might prefer the Big Mac and Fries of not thinking about it.

A77 gives the subject the “right” to lodge a complaint with the relevant supervisory authority. A39(1)(a) says that the DPO “shall” inform and advise the organisation of their obligations. Contrast these provisions with the words in A38(4), the only element of the DPO articles that refers to subjects: “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.” This obviously means that the DPO ought to be accessible to data subjects (one of my objections to senior DPOs is that they won’t go for this), but it also shows Masson’s version to be fantasy. There is no right to reply, no hint that the DPO is the subject’s advocate or representative. They’re at best a conduit for concerned subjects.

Obviously, the DPO isn’t just the loyal servant of the organisation, and they have to reconcile being an employee and an independent advisor. I disagree with Jagpal’s dismissal of junior officers as being capable of standing up to CEOs because I know so many who do it regularly. But he’s reflecting a real problem that many DPOs face. If the senior people don’t want to take the DPO’s advice, they are in an invidious position. Until the ICO shows that it is willing to back DPOs in these kinds of situations, it’s going to remain a precarious and stressful job for those facing unsympathetic management. Masson’s characterisation can only make this worse, feeding a perception that the DPO is not even there to help the business, but to pursue the interests of data subjects. Subjects come in all shapes and sizes, but some of them are hostile, difficult and aggressive, and telling a CEO who already doesn’t take data protection seriously that their DPO represents these people’s interests is toxic. This snake-oil may seem slick on a bullshit webinar, but if this unhelpful message reaches workplaces with already unsympathetic management, it’s going to make the work of beleaguered DPOs even harder.

I wonder if it’s a coincidence that Masson’s misreading of the GDPR could benefit his business – if the DPO really is there to serve the needs of the data subject, doesn’t an external figure make more sense than an in-house officer who won’t be doing what you want them to do anyway? There’s nothing in the GDPR that would make you think that this version of the DPO is correct, so it has to come from somewhere. If that’s it, rather than simple ignorance, I wonder if Masson has the guts to try to hawk this stuff in a forum where people might actually challenge him.

At this point, you might be thinking, so what? People talk shite to get business. They predict SARmageddons. They shout about 4% of annual turnover fines. They claim that first-tier decisions in Belgium should make you change your DPO. Does it matter? Doesn’t every sector have its share of hype and froth? The answer is that I have to work in this one, and I think the truth matters. I also have to clean up other people’s bullshit. I have to overcome the hype and the scaremongering spread around by the other people in my industry. I know the popular mantra is that commercial folk should all be pitching in and helping each other, but by spreading misinformation, the likes of Rob Masson are already not doing that, so why should I?

The Information Commissioner’s Office isn’t going to enforce against organisations with an imperfect DPO choice – perhaps they should, but they won’t. They’ve done one GDPR fine in two years and I doubt we’ll see another one in 2020. Sidelined by government in the coronacrisis, facing a review from the DCMS (pointedly not postponed despite the pandemic) and humiliated by the collapse of multiple high profile actions, the ICO is an irrelevance. I’ll be surprised if they survive in their current form. The reason to choose the right DPO is that an independent, challenging person in the role will help organisations to make intelligent decisions that will build a culture of more secure, more accurate, more effectively used data. The DPO isn’t the voice of the subjects, they’re a valuable asset there to guide and assist the organisation. I won’t sell a single course place by saying so, but that doesn’t make it any less true.
SARmaggedon Days Are Here Again (Again)

Reading my emails, a headline leapt out at me: “The hidden cost of GDPR data access requests”. It led me to BetaNews, a website that looks like it is trapped in 1998, and a story describing research into SARs commissioned by Guardum, a purveyor of subject access request handling software. A sample of 100 Data Protection Officers were consulted, and you’ll never guess what the research uncovered.

SARs, it turns out, are time consuming and expensive. I award 10 GDPR points to the Guardum CTO for knowing that SARs weren’t introduced in 2018, but I have to take them away immediately because he goes on to claim that “There has also been a marked change in the way that lawyers are using DSARs as part of the data discovery process.” Apparently, lawyers are using SARs now. Imagine that. The article goes on to say that “Fulfilling DSARs can involve finding, compiling and redacting data in digital and paper format across multiple departments both on company networks and in the cloud.” There’s also a bit of a spoiler about whether the Pope is a Catholic.

According to Guardum, the average cost of a SAR is £4,884.53, the average DPO receives 27 SARs a month, and each one takes an average of 66 working hours to deal with. The article didn’t explain how these figures were arrived at, so I eagerly clicked the link to visit Guardum’s website for the full results. What I found was a fountain of guff. Strip out the endless bar and pie charts, and what Guardum wants to say is that 45% of the DPOs surveyed would like to automate some of the process because of a predicted landslide of SARs, provoked by angry furloughed and sacked staff.

I’m not sure about the logic of this – I can understand that everyone who loses their job will be upset and probably angry, and I’ve certainly dealt with lots of SARs related to a suspension or dismissal. But in those cases, the action taken was personal and direct – an individual was singled out by the employer for the treatment in question. I don’t see why people losing jobs in a pandemic will be so determined to send a SAR. It’s not like the reason for their predicament is a mystery.

The survey questions are opportunistic at best, and at worst, seem designed to allow Guardum to paint this picture of anxious DPOs uncertain about how they’re going to handle the post Covid-19 SARmageddon that the company is evidently desperate for. 75% of respondents are described as having difficulties dealing with SARs during the lockdown, though this actually translates as good news. 72% are coping but expect a SAR backlog when they get back to the office, while just 3% fear a ‘mountain’ of requests. The headline on one slide is that 30% anticipate a ‘massive’ increase in SARs, but the reality is 55% expect the same as before and 15% think they’ll get less. 73% supposedly think that furloughed or laid off staff will be a ‘big factor’ in the predicted increase, even though the breakdown shows that only 20% think it will be the single biggest factor. To emphasise, these are requests that haven’t happened yet. The people who say that they will are the ones flogging the software to deal with the problem.

So far, so what? Guardum have software to sell and a cynical pitch about Covid-19 to achieve that. Does it matter? In the grand scheme of things, no, it doesn’t. I’m probably not the only person currently experiencing a crash course in What’s Really Important. But in the micro scheme of things, bullshit deserves to be called out, especially when it’s designed to exploit a crisis that’s causing misery and death across the world. Many of the revelations in this survey are staggeringly banal – nearly 50% of people find tracking the data down across multiple departments to be a slog, while 63% have to search both paper and electronic records. Who with any experience in Data Protection would think it was worth pointing this out? Meanwhile, the assertions about how long a SAR takes or how much it costs are wholly unexplained. It’s meaningless to claim that the mean cost of a SAR is £4,884.53 if you don’t explain how that was calculated (inevitably, the CTO is touting this figure on LinkedIn).

Guardum aren’t necessarily the experts at Data Protection that they might have us believe. For one thing, despite being a UK company, both the survey results and their website exclusively refer to ‘PII’ rather than personal data. For another, part of the criteria for participating in the survey was that the DPO needed to work for a company with more than 250 employees. This was, for a time, the threshold for a mandatory DPO but despite being changed, some dodgy training companies and consultants didn’t notice and ran courses which highlighted the 250 figure even when it was gone. Most importantly, nearly half of the people who responded to the survey don’t know what they’re doing. The survey was purportedly targeted at DPOs, but 44% of respondents are identified as being in ‘C-level’ jobs – perhaps this is to give a veneer of seniority, but C-level jobs are precisely the senior roles that are likely to attract a conflict of interests. Guardum talked to people in the wrong jobs, and apparently didn’t realise this.

The ‘About’ page of Guardum’s website proclaims “Guardum supports privacy by design – where data privacy is engineered into your business processes during design rather than as an afterthought”, but the execution is less confident. There is a questionnaire that shows how much an organisation can save by using the Guardum product, but when you complete it, you have to fill in your name, company and email to get the results, and there’s no privacy policy or transparency information about how this information will be used. Moreover, if you try to use the contact form, clicking on the link to the terms and conditions results in ‘page not found’.

I have to declare my bias here – I don’t believe that any ‘solution’ can fully deal with the SAR response process, and I think people who tout AI gizmos that automatically redact “PII” are probably selling snake oil. Some of the SAR grind comes in finding the data, but a lot of it is about judgement – what should you redact? How much should you redact? Anyone who claims that they can replace humans when dealing with an HR, mental health or social care case is writing cheques that no product I have ever seen can cash. So when I land on a website like Guardum’s, my back is up and my scepticism is turned all the way up. It would be nice if once, I saw a product that wasn’t sold with bullshit. But not only is Guardum’s pitch heavy with management buzzwords, they’re using fear as a marketing tool. Just last week, they ran a webinar about weathering the ‘Post Pandemic DSAR Storm’.

Guardum claim that they provide “the only solution that can fully meet the DSAR challenge of responding in the tight 30-day deadline, giving you back control, time and money that are lost using other solutions”. Nowhere do they mention that you can extend the deadline by up to two months if a request is complex (and many are). But even if their claims are true, why do they need to sell their product via catastrophising? If their expertise goes back to the 1984 Act, why are they calling it PII and talking up the opinions of DPOs who are in the wrong job? Why oversell the results of their survey? Why hide the basis of the hours and cost calculations on which all of this is being flogged? And what on earth is a ‘Certified Blockchain Expert’?

The future post-Covid is an uncertain place. I find the utopianism of some commentators hard to swallow, partly because people are still dying and partly because the much-predicted end of the office will have career-changing consequences for people like me. But at least the LinkedIn prophets are trying to explore positives for themselves and others in an undeniably grim situation. The people running Guardum seem only to want to scare people into getting a demo of their software. If one is looking for positives, the fact that the ICO has waved the white flag means that no organisation needs to be unduly concerned about DP fines at the moment, and despite some of the concerns expressed in Guardum’s survey, nobody in the UK has ever been fined for not answering a SAR on time. The old advice about deleting data you don’t need and telling your managers not to slag people off in emails and texts will save you as much SAR misery as any software package, and I can give you that for free.

Blast from the past

As we all endure the lockdown and the uncertainty about when and how it might end, I have been trying to avoid thinking about the past. It’s tempting to dwell on the last time I went to the cinema (Home in Manchester, ironically, to watch ‘The Lighthouse’), the last time I went to a pub (Tweedies in Grasmere, just hours before Johnson closed them all), the last face-to-face training course I ran (lovely people, awful drive home). But thinking back to what I had, and the uncertainty about how, when and if I will get it back, doesn’t make the interminable Groundhog Days move any faster. I’d be better off just ploughing on and working out what to do next.

So it was a strange experience to be thrown backwards in time to the heady days of 2017, when the GDPR frenzy was at its height, and the world and his dog were setting up GDPR consultancies. People still make fun of the outdated nature of my company name, but I registered 2040 Training in 2008, and I’m proud of its pre-GDPR nomenclature. The list of GDPR-themed companies that are now dissolved is a melancholy roll call – goodbye GDPR Ltd, GDPR Assist (not that one), GDPR Assistance, GDPR Certification Group (got to admire their optimism), GDPR Claims, GDPR Compliance, GDPR Compliance Consulting, GDPR Compliance Consultancy, GDPR Compliance for SMEs and GDPR Consultants International (offices in New York, Paris and Peckham). You are all with the Angels now.

I was cast into this reverie by a friend who drew my attention to GDPR Legal, a relatively new GDPR company, and a few moments on their website was like climbing into a DeLorean. It was all there. The professional design, the ability to provide all possible services related to Data Protection (you can get a DPO for as little as £100 a month), and of course “qualified DPO’s (sic)”. I was disappointed that there was no mention of them being certified and nary a hint of the IBITGQ, but you can’t have everything. They still pulled out some crowdpleasers, including flatulent business speak and the obvious fact that they are trying to sell software, sometimes in the same couple of sentences: “Our service includes a comprehensive consult to help identify gaps and opportunities, a comprehensive report that includes a project plan with timelines and milestones, a cost analysis, and a schedule. We also offer a software suite that will help you get there quickly and smoothly.” Timelines and milestones, people. This is what we want.

The lack of any detail is possibly a matter for concern. The website claims that the company’s specialists have “over 50 years of experience delivering a pragmatic consulting service with qualified DPO’s and GDPR Practitioner skills” but it is difficult to find out who any of them are. There is no ‘meet the team’ or ‘our people’ section. I might be wrong, but I don’t think there’s a single human being’s name anywhere on there. If you had all these brilliant experienced professionals, wouldn’t you want to advertise who they are – I might make fun of them, but even the folk who have blocked me on LinkedIn aren’t ashamed of saying who their consultants are. Is it 50 people with a year’s experience each? Indeed, the only name I can associate with the company (via Companies House) is the Director, a man who has no experience in Data Protection, but is also director of a shedload of software and marketing companies. Any time the site needs to get into any detail, it hyperlinks to the ICO.

So far, so what? You probably think this blog is cruel. If someone wants to set up a company selling GDPR services, why do I care? Isn’t this just sour grapes at another disruptive entrant in the vibrant GDPR market?

There are two reasons why I call these people out. The first is their privacy policy. It’s not a good sign when a privacy policy page on a GDPR company’s website begins with ‘Privacy Policy coming soon’, but as it happens, immediately below is the company’s privacy policy. Well, I say it’s theirs. It’s oddly formatted, and when you click on the links that are supposed to take you to the policy’s constituent parts, you’re in fact redirected to the log-in page for GoDaddy, with whom the site was registered. All the way through, there are lots of brackets in places that they don’t belong. It didn’t take me long to work out what was going on – I think the brackets were the elements of the template policy that GDPR Legal has used which needed to be personalised, and they’ve forgotten to remove them. 50 collective years of experience, and nobody is competent enough to write the company’s own privacy policy; they just use someone else’s template. Indeed, if you search for the first part of the policy, “Important information and who we are“, it leads you to dozens of websites using the same template, from Visit Manchester to NHS Improvement. I can’t find where it originated, but it’s an indictment of the quality of work here that they took it off the shelf and didn’t even format it properly. My Privacy Policy is smart-arsery of the first order, but at least I wrote it myself.

The other reason is worse. GDPR Legal has a blog with three posts on it. Two are bland and short, but the most recent, published just this week, is much longer and more detailed. It reads very differently from other parts of the site, and there was something about the tone and structure that was familiar to me. It didn’t take long to remember where I had seen something like this before. The blog is about GDPR and children, and this is the second paragraph:

“Because kids are less aware of the risks involved in handing over their personal data, they need greater protection when you are collecting and processing their data. Here is a guide and checklist for what you need to know about GDPR and children’s data.”

This is the first sentence of the ICO’s webpage about GDPR and children:

Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

Coincidence, you think? This is the third line:

If a business processes children’s personal data then great care and thought should be given about the need to protect them from the outset, and any systems and processes should be designed with this in mind

This is the second line of the ICO’s page:

If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind

Blog, fourth para:

“Compliance with the data protection principles and in particular fairness should be central to all processing of children’s personal data.”

ICO page, third line:

“Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data.”

They rejigged the first few elements a little, but after that, whoever was doing it evidently got bored and it’s pretty much word for word:

GDPR Legal Blog:

A business needs to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

ICO page

You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

GDPR Legal Blog

General Checklists

  • We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist. 
  • We design our processing with children in mind from the outset and use a data protection by design and by default approach. 
  • We make sure that our processing is fair and complies with the data protection principles. 
  • As a matter of good practice, we use DPIAs (data protection impact assessments) to help us assess and mitigate the risks to children. 
  • If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA. 
  • As a matter of good practice, we take children’s views into account when designing our processing.

ICO page:

  • We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist.
  • We design our processing with children in mind from the outset, and use a data protection by design and by default approach.
  • We make sure that our processing is fair and complies with the data protection principles.
  • As a matter of good practice, we use DPIAs to help us assess and mitigate the risks to children.
  • If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA.
  • As a matter of good practice, we take children’s views into account when designing our processing.”

NB: I’ve screenshotted all of it.

Someone at GDPR Legal lifted the whole thing uncredited and passed it off as their own work. A company that claims to be able to provide “practical and bespoke advice”, guiding “major projects in some of the UK’s largest businesses” nicked content from the ICO’s website. This kind of cutting and pasting gives plagiarism a bad name. At least GDPR’s previous Grand Master Plagiarist did it in style with some top-drawer endorsements.

The GDPR frenzy is over. Some of the new entrants have gone from strength to strength, and some of them are now selling kitchens. The current crisis will test everyone, and I doubt that the DP landscape will look the same in a year’s time. Nevertheless, while I hope the data protection sector remains robust enough to accommodate both the slick, corporate operations and a few maniac artisans like me, it surely doesn’t need chancers any more? I hope we can all agree that a company that can’t even design its own privacy policy, that won’t admit who its experts are, and that steals from the regulator deserves to be shamed? I hope this blog might persuade a few unwary punters to do some due diligence before handing over their cash, and perhaps pick a company that writes its own material. Whatever the LinkedIn blockers think of me, and I of them, surely we’re all better than this?