DPO

A month or so back, I saw a tweet inviting me to download a worksheet from a company called Intillery, who were selling some sort of consent management tool. I didn’t want the worksheet, but when someone is selling GDPR consultancy, it’s always interesting to see what the state of their own compliance is. I visited their website, and gave them a Gmail address to receive my copy of their worksheet. There was a separate privacy policy which referred to providing me with “information, products or services that you request from us or which we feel may legitimately interest you, where you have consented to be contacted for such purposes“. There was no reference to further information being sent, or consent for any marketing.

Needless to say, I have received several marketing emails from Intillery since downloading the worksheet. You might argue that I should expect to receive marketing in return for the worksheet, but these are allegedly GDPR consultants, and their own privacy policy talks about sending further information only with consent. You might equally argue that although they’ve screwed up the fair processing element, under PECR they don’t need my consent because the marketing was business to business. But that’s irrelevant, because I used a Gmail address for which I am an individual subscriber. Even if I did so deliberately, you’d expect people offering Data Protection services to be wise to this. You might, at a pinch, argue for the soft opt-in, but I am downloading a worksheet that is supposed to help me comply, not making an enquiry about Intillery’s services, and in any case, there is no opt-out on the page. The soft opt-in cannot apply. I checked to see whether Intillery has notified the Information Commissioner for the purposes of consultancy, but needless to say they haven’t.

One interesting thing on Intillery’s privacy policy was that they have a named Data Protection Officer, the self-styled “GDPR Guy” Carl Gottlieb, who is presumably carrying out the role as a DPO contractor, given that he is also still running his information security business. He did a notification for that in October, which is coincidentally when Jon Baines kicked off about the number of GDPR people who weren’t notified. I’ll give him the benefit of the doubt over the non-notification of his scrap metal business as it might be exempt. I can’t tell you what advice Mr Gottlieb has given to Intillery in his role as their DPO, but they’re touting themselves as capable of advising others on Data Protection, and they’re not even compliant themselves. You need the right person, whoever you are.

I could have written this blog about Axon, a company who have been regularly emailing me in breach of PECR since I downloaded their GDPR document, or a dozen others. The Data Protection People cold-called me, and were surprised when I mentioned the Corporate Telephone Preference Service to them. All of these folk purport to be capable of helping others in their Data Protection efforts but either they don’t know how to comply themselves, or it isn’t sufficiently important to them to bother. On Friday, I spent a very enjoyable day training a group of school headteachers and business managers. They took in a lot of information about the GDPR and Data Protection implications for their schools with good humour and a constructive attitude, but the Data Protection Officer requirement was a stumbling block. Very few schools need a full-time DPO. A small, well-run primary school will need a relatively small amount of DPO time to keep them on an even keel, but unless the Data Protection Bill / Act delivers them a miracle, they will be legally obliged to have a named DPO. It’s daft but it’s true.

I find it hard to picture how a school will find someone half-decent to support them in the sea of endlessly swirling bullshit that has engulfed the Data Protection world over the past couple of years. I have never been as busy as I am currently, and I have never had so much fun doing my job. But when I look up from the work I am actually doing to see what state the DP sector is in, I am ashamed to be associated with Data Protection. Everywhere you look, there is scaremongering hype, ridiculous claims about fines, about a SAR tsunami, claims about businesses closing and the ICO stalking the land like Godzilla. As many GDPR folk never tire of complaining, I do spend some of my time calling it out. I correct false claims. I draw attention to crap articles. I argue with LinkedIn bullshitters, who block me because they’re cowards.

But just as when I wandered into the charity sector with an (overly) critical eye, the same legitimate criticism has been levelled at me again. Why don’t you do something constructive? What some of these people mean (and what some of them have said to me privately) is “there’s plenty of money to be made here, why don’t you just let us take our piece?”. The problem with this is that I don’t care how much money anyone makes. I could charge more than I do. I could go for more lucrative work. I could do more work. My criticisms of the bullshitters are not motivated by money. If all I cared about was cash, I wouldn’t just have given up a substantial guaranteed income to work solely for myself in 2018. But some of the people who ask that question are sincerely motivated, and they mean the same thing that my charity critics meant – why don’t you *do* something.

In March, I published a guide for fundraisers on Data Protection. I will be updating that guide in the next month to cover GDPR and the DP Bill. In the meantime, I have written another guide, this time for those organisations seeking an external, contract-based Data Protection Officer. It is designed to help the small, non-expert organisation to choose the right DPO consultant. You can find it at this link, in the downloads section of my website.

I have several other guides planned for 2018 – if you have suggestions for things I might write given what I have done so far, you’re always welcome to let me know. I probably can’t do them all, but the folk who ask me the ‘constructive’ question in good faith make a good point, and I’d like to do my small part to clear the fog, and make a positive contribution. And for all those people who think I’m a dick for doing and saying things like this, don’t read the guide. You really won’t like it.


Comments

  1. Hello Tim, nice piece of writing and I concur with a lot of what you say. Suggested topics for guides are SME or B2B businesses, as they seem to receive the same generic advice as corporates; the other is for schools if you get the time.

  2. Mark Goodspeed says:

    Hello Tim. I enjoy your blog and agree with what you say about lots of new “experts” popping up. For example the “DPOCentre” (https://www.dpocentre.com), which is (according to their about-us page) “The DPO Centre is the UK’s national data protection resource centre.”

    Says who? Is this an official body, or a commercial entity? The Companies House registration dates to July this year. It looks to me like a commercial consultancy, so how do they get to claim to be “The UK’s national data protection resource centre”?

  3. Mark Goodspeed says:

    PS. Meant to say thanks for the DPO guide. We (a charity) are trying to work through a) if we need a DPO and b) if we appoint internally.
