Yas Queen!

One of the features of the GDPR which is superficially similar to the old Data Protection Act but turns out to be quite different is the requirement to provide information about how personal data is being used. The word ‘transparency’ is an inherent part of the GDPR first principle, whereas it was absent from the previous version. The DPA 1998 allowed data controllers to decide what information data subjects needed to know, beyond who the controller was and what purposes their data was being processed for. The GDPR has two similar but distinct lists of information that must be provided, one for where data is obtained from the subject, the other where data is obtained from somewhere else, and they dictate what must be provided in scary detail.

When I first started looking at the GDPR, it was this element that I was most sceptical about. I simply couldn’t believe that organisations would admit where they obtained data from, or how long they were going to keep it. I have an almost completed blog on the boil (stay tuned) which is about the very subject of list brokers covering up where they get personal data from and who they sell it to. So when a friend passed me the ‘Data Protection Privacy Notice for Alumni and Supporters‘ from Queen Mary (University of London), I was amazed to see a clear, transparent explanation of what data was used, for what purposes, and under what legal basis. The only problem is that some of it is bollocks, and some of it deploys an attitude to data that requires a seatbelt and a helmet.

Ironically, because it is a relatively short and easy to read document (four pages of A4 in normal font, written in human English), the nonsense leaps out at you like a chucked spear in a 1950s 3D movie. The notice asserts that for a list of purposes, the University is relying on the legal basis of ‘legitimate interests’. The purposes include:

furthering Queen Mary’s educational and charitable mission (which includes fundraising and securing the support of volunteers

This is, of course, direct marketing. The notice then says:

We may pursue these legitimate interests by contacting you by telephone, email, post, text or social media.

Which would be a PECR breach. The University cannot send emails or texts to alumni without consent, but according to the policy, they can. Of course, some clever person (I have a list of names here) will come along and tell me that since students pay for their education, surely the University can rely on the soft opt-in? Well, for one thing, these are alumni, some of whom may have attended the University decades ago (and Queen Mary freely admits to tracking down ex-students using the Royal Mail’s Change of Address Service). For anyone who didn’t substantially pay for their degree, it doesn’t fly. Moreover, I’ve trained a lot of universities who were understandably squeamish about the idea that a qualification like a degree can be reduced to a mere commodity, like a dishwasher or a new set of tyres.

And there’s more.

If you are registered with the Telephone Preference Service (TPS) but have provided us with a telephone number, we will assume we have your consent to call you on this number until notified otherwise

No. For Pity’s Sake, No. Have the last three years of the world and his dog banging on incessantly about consent (often insisting wrongly that you always need it but OK) been for nothing? There is no such thing as assumed consent. There is no such thing as assumed consent. MATE, ARE YOU HAVING A LAUGH?

It seems odd that because Queen Mary have done something really well, I’m criticising them. To be clear, it’s one of the clearest privacy notices I have ever seen. But it’s not just the unlawful bits that stick out like Madonna’s bra (happy 60th, Your Majesty). The rest of it is, to use my favourite euphemism for this kind of thing, bold. Students’ personal data will be retained “in perpetuity”. The data held about alumni includes “occupation, professional activities and other life achievements”, “family and spouse / partner details and your relationships with other alumni, supporters and friends” and also “financial information relating to you and your family, including data and estimations around your income, assets and potential capacity to make a gift”. If anyone from Queen Mary is reading this, my friend says not to get your hopes up.

The gleeful description of what data they hold is an amuse bouche to the relish with which Queen Mary describe their use of research. The fundraiser Stephen Pidgeon once told me with great vehemence that fundraisers couldn’t possibly be frank about the techniques that they deploy. Queen Mary, on the other hand, have more or less had shirts made: “we may gather information about you from trusted publicly available sources to help us understand more about you as an individual and your ability to support the university in ways financial or otherwise”. They explicitly say that they do wealth screening in some cases, and have a long list of possible data sources including Companies House, company websites, “rich lists”, Factiva, Lexis Nexis, “general internet and press searches”, Who’s Who, Debretts People of Today and LinkedIn.

Because I banged on about it so loudly a year or so ago, I should be the first to point out that despite all the bollocks talked about the ICO banning wealth screening, the ICO’s enforcement against charities did no such thing: it fined a number of high-profile charities for doing wealth screening without fair processing. Ostensibly, Queen Mary are simply doing what the ICO demanded by describing the process, but I have a sneaking suspicion that some of Our Friends in Wilmslow might be surprised to see wealth screening being carried out so enthusiastically.

To be frank, I do not believe that Queen Mary can justify processing the personal data of the spouses or family members of alumni in any circumstances, unless with consent. I think it is unfair, they do not have a legitimate interest in processing the data, and it is excessive. I think they and any institution who did the same deserve to be enforced against, or at the very least they should receive a shedload of Right to Be Forgotten Requests from mischievous family members. I am also sceptical about the depth of research that may be carried out into some alumni – it’s clear that it will only be a subset of the whole, but unless we’re talking about a handful of millionaires who might well expect this kind of thing to go on, I think this document is an inadequate way to meet the requirements of transparency. If a university is digging into a person’s background to this extent, it’s a form of processing that a person should directly know about and have a right to prevent. My friend only read this document because she’s in the business – Queen Mary should tell people if they’re subject to this level of profiling.

I know some fundraising consultants who will take issue with this and to be clear, I am not dogmatically saying that QM can’t do this. But seriously, can they do this? Is this what the brave new world of GDPR is all about? My instinct is HELL NO WITH AN AIRHORN FOR EMPHASIS but it would be hilarious if I was wrong, and the GDPR really doesn’t dent this kind of activity. I write this solely to see what other people think. Do you think this kind of thing is OK?

I don’t have a dynamite conclusion to this blog. I could kiss the person who wrote this privacy notice because it’s so plain and well-written, and yet the approach to consent and PECR is so misbegotten, I think whoever came up with it should be cast out into the Cursed Earth without a backwards glance. I don’t believe that Queen Mary can possibly justify the amount of data that they propose to process and the purposes for which they think legitimate interests is an adequate umbrella. But at the same time, the ICO looked at precisely this kind of activity and only really complained about the lack of transparency, which isn’t a problem here. All I can say for certain is that other people are going to get the fundamentals so enthusiastically arse-about-face, and do such interesting things, I demand that they do so with the same clarity.


A SMALL ADVERT – if you’d like to know more about this kind of thing, I’m running courses in September and November on GDPR, marketing, how to be a DPO and other big DP issues. Some of the September courses are already full, so book now: https://2040training.co.uk/gdprcourses/


“masterclass in not answering questions”

Just about a month ago, I had a little Twitter disagreement with Paul-Olivier Dehaye, patron saint of subject access requests. He said his tool for making subject access was brilliant and revolutionary, and I said it was shit. There was a bit more to it than that, but I was hoping to make this a short blog.

The use of third parties to make subject access requests on one’s behalf is not new – solicitors have always done it, and companies have made batched SARs at least since the bank charges furore of the last decade. The problem with a third party – or automation of the process – is that it gives the Data Controller something to play with. Dehaye admitted to me that in all the time he spent developing his SAR tool, he didn’t speak to anyone with any experience of dealing with SARs from the controller’s perspective, and it shows.

Even though one of Dehaye’s tedious cheerleaders told me that SARs were going to be “frictionless” post-GDPR, there are inevitably some bumps in the road when asking for data even in this Brave New World. The Data Controller needs to identify the application properly, and the involvement of a third party might complicate that – or might be exploited to complicate that, as anyone who has ever dealt with a poorly-written solicitor SAR can probably tell you. If there is a lot of data, the controller can ask the subject to narrow the scope of their request. If they believe that the request is unfounded or excessive, they can make a charge, or even refuse. An automated third party doesn’t make any of this easier.

Ironically given his status as pro-DP activist, I think Dehaye wants SARs to seem difficult. “In my own experience, SARs are complicated to do in a way that properly defends data subject rights” he said, but given that he’s building a business based on data, he kind of would say that. When I first encountered him, Dehaye told me that he was planning to charge subjects for using his tool; while that plan might have changed, he gets evasive when you ask whether he might charge for add-on services in the future. One of the main advantages of GDPR for the subject is that SARs are now free – the best way to exercise the right is to ask for the data direct, without the involvement of a politically-motivated middleman whose company isn’t even in the EU. I voted Remain and I think Brexit is moronic, but that doesn’t mean that weaponising SARs is a good idea. After all, someone might turn round and do it to you.

I decided to make a SAR to Dehaye’s company on the 25th May. His response, though admirably swift, wasn’t exactly the zenith of transparency that one might have hoped for. One might even describe it as a masterclass in not answering questions. I provided a variety of different email addresses and phone numbers that the company might hold in relation to me – the purpose of this was to allow the data controller to identify whether any of my data was held. I did the same thing with my request to Experian – I don’t know what data Experian holds on me, so I provided all the possible identifiers that I could think of. I don’t know what, if any, data Dehaye or his company might hold, so I needed to provide a variety of different identifiers.

EDIT: in response to a request from the data controller, click here for the full text of my request (redacted only to remove personal data that is not in the public domain) and the full text of their reply.

Article 12 of GDPR states that “The controller shall facilitate the exercise of data subject rights under Articles 15 to 22” and shall answer requests unless it “demonstrates that it is not in a position to identify the data subject” – it is plainly correct for the controller to want to know who the applicant is, in order to avoid giving data to the wrong person. However, Recital 64 says that the controller’s measures to identify the subject must be “reasonable”. Dehaye demanded that I send a separate request from each of the email addresses I specified. This means that he thinks that if an organisation has harvested emails from a variety of sources, the controller only has to disclose data if they receive confirmation from that account that it is linked to the subject. So if a person applies from a Gmail account, and the controller has harvested a work email address, even if they have linked the two together, Dehaye doesn’t think that the subject is entitled to the work-related data unless they make a separate request.

Similarly, I provided my home address, my 2 mobile numbers (business and personal) and my landline. Bear in mind, a data controller may have harvested all of this data, so the SAR applicant might need to provide it in order to say this is me, this is my data, do you have it? Dehaye’s response to this part of my request was to demand copies of phone bills for each account, and a recent utility bill for the home address. Clearly, this is the approach he would advocate for any data controller faced with such a request. As it happens, my girlfriend’s name is on the landline account, so I cannot prove that the landline is my personal data, even though it is. One of my mobiles is pay-as-you-go, so I don’t get bills, and the work mobile is on my website, and so can be linked to me without the need for unnecessary proof. As with most people, I receive electronic utility bills, and do not have them immediately to hand. Dehaye’s approach seems to be that if a Data Controller has harvested your data, subject access requires the applicant to provide a lot more personal data in order to get access.

The point of the ID check is to ensure that the person is who they say they are – once that’s done, if the controller has doubts about whether an identifier does link back to the subject (i.e. an email address), they can check, or just send any relevant data to that separate identifier. If Dehaye thinks that his approach is legally correct, there is no reason why Leave.EU, Vote Leave or any other organisation shouldn’t do exactly the same thing if they receive a SAR from now on. When I asked him in April how his tool would deal with the ID element he said “Let’s set the standard” – now we know what that looks like. It looks like giving huge quantities of personal data to someone you don’t trust.

This is a no-win – either Dehaye’s approach is right, and I have to go through an administrative nightmare when SAR-ing organisations that grab data from anywhere they can get it, providing them with a fat dossier of extra information before I can get access, or Dehaye is a hypocrite who complains about hurdles to subject access but builds a wall when asked to practice what he preaches. In any case, if Dehaye’s obstructive and unhelpful approach was correct, it would still be easier to handle without the added complication of a middleman.

UPDATE 28/5/18: Mr Dehaye has admitted that he deliberately adopted an obstructive approach because he thinks I am a trouble-maker. I believe that this is a clear breach of the GDPR; if the Data Controller Personal Data.IO is capable of playing these kinds of games, and deliberately discriminates against data subjects, I think this seriously undermines their credibility to act as an agent for other people’s SARs. The company is setting a cynical, obstructive example, and it would be catastrophic for subject rights if other controllers followed their lead.

Zero Gravity

In March, I received an unsolicited email from a company called Gravicus. It was scaremongering nonsense, touting their data management software via the threat of director liability for data breaches. So far, so what: I get a lot of spammy junk from GDPR people to my 2040 Training email address, but this was to a personal Gmail address that I don’t give out all that often. The email claimed that it had been sent to me because I was “registered on Leadiro”, who I have never heard of. Under PECR, email sent to an address for which I am an individual subscriber can only be sent with consent (or soft opt-in), and given that I had heard of neither Gravicus nor Leadiro before the email arrived, they had neither.

I contacted Gravicus to make a subject access request on 20th March, asking how they had obtained my data, what Leadiro had told them and for any other personal data about me that they held. Separately, I contacted Leadiro and asked them why they were selling my data. Leadiro got back to me, and confirmed that they had not supplied my data to Gravicus.

Having had no reply from Gravicus beyond an automated acknowledgement, I emailed them again on April 2nd, asking for confirmation that my request was being dealt with, and also passing on what Leadiro said. A week went by with no acknowledgement, so I wrote to the company’s registered office address and business address, chasing them up.

Gravicus finally reacted on 16th April via a letter from their lawyers, Keystone Law. Keystone admitted on behalf of their clients that the Leadiro story was false, and that my data had been harvested from the “business oriented and professional website” LinkedIn. I apparently connected “voluntarily” with a named Gravicus consultant, who then exported her connections to obtain contact details of “relevant professionals in the sector”. Nearly a month into my request, Gravicus wanted a copy of my passport and utility bill, certified by a lawyer, accountant or similar professional, as well as the £10 fee. I paid the £10 and sent an uncertified copy of my passport. The lawyers still demanded the utility bill as proof of my address, despite the fact that Gravicus’ own version of events shows that they would have nothing to compare it to – they have only ever dealt with me via email or Twitter. In any case, Keystone had already named the individual who harvested my address, so if it was wrong to reply to my subject access request without proof of address, why was it right to give me the name of the consultant? I threatened to complain to the Information Commissioner, and they backed down. I have no doubt that Gravicus took this approach to obstruct my request, which when they had already breached PECR and Data Protection isn’t the best way to resolve a problem.

It is a breach of LinkedIn’s terms and conditions to

  • “Disclose information that you do not have the consent to disclose”
  • “Copy, use, disclose or distribute any information obtained from the Services, whether directly or through third parties (such as search engines), without the consent of LinkedIn”
  • “Use, disclose or distribute any data obtained in violation of this policy”

Harvesting and using email addresses from LinkedIn in breach of their terms and conditions, without transparency and a legal basis is a clear breach of Data Protection. Gravicus did not have my consent, and by misrepresenting the source of my data in the email that they sent me, they blew any chance of relying on legitimate interests. Their use of my data was unlawful. Gravicus’ lawyers claimed that the confusion over where my data came from was understandable because Leadiro was one source that they were using. But that isn’t true. The CEO of Leadiro told me explicitly: “Gravicus are not a Leadiro customer, and have never been a Leadiro customer”. Added to that, sending a marketing email to an individual subscriber without consent is a breach of PECR, and Gravicus knew I was an individual subscriber because their records had my address marked as ‘Personal’.

Despite the fact that Gravicus’ original spam email touted data breaches as being the personal responsibility of directors, one of the shabbiest things about their response is the way they sought to throw their consultant under the bus. They named her straight away, and claimed that the company didn’t know that she was harvesting emails from LinkedIn, even though their lawyers continually stressed that I had voluntarily made my email available to her. In other words, you asked for it, but we didn’t know it was happening. I don’t believe this, but it doesn’t matter whose idea it was. The directors are responsible for what their company does, not some consultant who blocks people on Twitter when they ask awkward questions. Instead of dealing with me like a human being, Gravicus lawyered up and tried to obstruct my subject access request with bogus demands for unnecessary personal data, itself an additional breach of DP law.

This might seem like a lot of fuss for a spam email. But look at what Gravicus is selling as a data processor. Their product works like this: “Tell Osprey your data sources, provide your access credentials and it will connect automatically to analyse your data”. As a data processor, they will have access to a huge amount of sensitive and possibly special categories personal data held by their clients. The GDPR states that data controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.

Gravicus harvested my data unlawfully, they gave me false information about where personal data has been obtained from, they demanded excessive personal data when dealing with my subject access request, and they sent me unlawful unsolicited emails in breach of PECR. They claim that they’ve stopped gathering data in this way, but it never should have happened in the first place, and suggests that the directors don’t know what’s going on in their company. In any case, when caught out, they hide behind their lawyers and consultants instead of dealing direct. Any organisation thinking of using them as a data processor should think long and hard about whether Gravicus can offer the kind of guarantees that GDPR requires.

Checks and balances

A while ago, I was asked by a prospective client to provide a criminal records check before getting a big piece of work. Given that I wouldn’t be handling any personal data or getting access to children or other vulnerable people, it seemed like overkill. The awkward part of me wanted to suggest that the requirement was close to being an enforced subject access request, which would be a criminal breach of Data Protection law. Enforced subject access requests occur where a person is obliged to provide a data controller with the result of a subject access request for criminal records in return for employment or a service.

Then I looked at the number of days’ work they were offering and the pragmatic part of me kicked in. I don’t have a criminal record, so I applied for and sent them a disclosure certificate saying so. It occurred to me that if I tried to make an issue of principle out of it, it might look like I had something to hide. I imagine it’s a terrible situation to be in if you have got a record and are trying to move on, but to be selfish, I don’t and it seemed odd to create the impression that I might have. And I wanted the work.

Last week, a prosecution by the Information Commissioner against the insurance company Hiscox for the enforced subject access offence collapsed. A customer, Irfan Hussain, was attempting to claim on a £30,000 watch he had lost, and Hiscox wanted to see his criminal record before paying out. He refused, and complained to the ICO. The case collapsed when the unlucky horologist was too unwell to give evidence.

I can’t help thinking that this was an odd choice for a prosecution. Even if Hiscox tried to force their customer to provide his information, was this unreasonable? He had already stated that he had no criminal record (according to the FT), so all Hiscox were apparently asking him to do was prove that what he had said was true in the light of his claim. The means by which they proposed to do it might technically have been an enforced subject access request, but there’s surely a difference between something technically being an offence and it being worth mounting a prosecution on it. The provisions contain a public interest defence, and Hiscox’s public comments after the trial suggest that this was their strategy. I suspect it might have worked. Especially as this seems to be the ICO’s first attempt at an enforced subject access case, was this really the best place to start?

The business of criminal records checks overall works in mysterious ways. Hiscox are reported to have asked Mr Hussain to make a subject access request to the Criminal Records Office, which is run by the National Police Chiefs’ Council. This is not the same as applying to the Disclosure and Barring Service or Disclosure Scotland for a certificate or a disclosure, but having been through the process, I have to admit that I am somewhat confused at the difference.

To get my disclosure, I made a written application, proved my identity and then paid a fee to receive a copy of personal data that related to me, or confirmation that no such information was held. The basic check comes through faster than a subject access request (about 2 weeks, although mine came in a matter of a few days) but it’s also more expensive (£25). In my case, nothing was held but that’s neither here nor there. There is statutory provision for access to this information via the Criminal Records Bureau set out in the Police Act 1997, replaced by the Disclosure and Barring Service in 2006 via the Safeguarding Vulnerable Groups Act 2006. Someone is going to tell me that applying for a certificate is different to applying for subject access, but that raises some questions. If Hiscox had told Mr Hussain to apply for a certificate like I did, it’s exactly the same outcome – a person is obliged by a data controller to obtain information about their criminal history and then cough it up – but if it’s not subject access, no prosecution could be possible.

An individual can obtain a basic check that shows their unspent convictions and cautions, both of which are listed as a relevant record in the DPA section that creates enforced subject access. The ICO’s guidance doesn’t explain the position if a person was forced to ask for a basic check. That check might not give everything that a data controller might want, but it’s full information about a person’s recent criminal history. If obliging someone to ask for a basic check isn’t enforced subject access, it’s a loophole. But if a basic check is essentially a subject access request by another name, it shouldn’t be £25 now, and it should be free after May 25th.

It’s clear that the DBS doesn’t think that forcing an individual to ask for a basic check would be enforced subject access or illegal in some other way because their website says this:

You can’t carry out a basic check as an organisation – you must ask the person to request their own basic DBS check. A basic check shows unspent convictions and cautions.

This implies that asking a person to carry out a basic check when you can’t make an application yourself is acceptable, even though these are very likely to be circumstances where a person can’t meaningfully refuse. There are no warnings about compulsion during the application process via the DBS website. So why is a subject access request to ACRO magic, acceptable only when uncontaminated by duress, but a basic check isn’t? The amount of data disclosed isn’t exactly the same, but the outcome – being forced to disclose your criminal history when it might be unnecessary or excessive to do so – might be identical.

It took a long time (from 1998 to 2015) for enforced subject access to be fully enacted. Now it’s in force, the Hiscox case doesn’t give cause for optimism that anything will change. I have doubts about whether it was a good idea to prosecute Hiscox, but I have heard first hand terrible stories over the years about data being demanded when it should not have been. Having used the system, the way in which criminal records are made available gives me little confidence that such unnecessary and unfair demands for personal data are properly prevented. After the failure of the Hiscox case, even if only because of an ill-timed illness, the ICO needs to go in again and draw a line somewhere.

Certifiable

The slow progress of GDPR has been agonising. From the beginning, with a series of disputed drafts bouncing around European institutions, we’ve had the fraught last minute negotiations in December 2015, the clouds of doubt cast by the Brexit vote, and finally, through a series of government announcements, apparent confirmation that it was still on track. We’re not there yet – the much-discussed position paper released by the Department for Culture Media and Sport this week is still just the hors d’oeuvres, with the full meal only beginning next month, when the Data Protection Bill itself will be published.

Throughout this seemingly endless grind, there has been one consistent thread, one thing on which the weary GDPR traveller could rely, no matter how much doubt there was elsewhere: the constant stream of bullshit. Everywhere you look, on whatever subject you choose to read about, bullshit everywhere. There is the nonsense about having to have consent, spread by parties as varied as the admirable Rights Info (since corrected) and the GDPR Conference, who sponsored an article about the oncoming Data Protection Apocalypse and then had to withdraw it because it was bollocks. There is the relentless scaremongering about fines that will turn companies into dust, spread by the world and his dog and finally punctured by the Information Commissioner herself, admitting that she would far rather not fine anyone if that’s all the same to you. I’m not certain that waving the white flag this early is the masterstroke that Wilmslow thinks it is, but at least they’ve finally caught up to where I was in April.

Hype is one thing. If I was still a Data Protection Officer, up until today I probably would have shamelessly exploited the bazillion pound fine nonsense if I thought it would persuade my employer to take the changes seriously. Being a DPO is the ultimate thankless task where nobody notices you until somebody else does something stupid and you get the blame, so if the threat of fire and fury gets the chief executive’s attention, it’s nobody else’s business. However, there’s a difference between selling internally, and just plain selling.

As has already been noted by experts more distinguished and less biased than me, there are a lot of new entrants into the market whose experience lies outside the conventional route of Actually Working On Data Protection Ever. This does not stop them from making grand claims. The idea that Carl Gottlieb’s customers already call him ‘The GDPR Guy’ definitely doesn’t sound made up, but it must be confusing for all the people who presumably called him the Anti Virus Guy a few months ago.

If you prefer, perhaps you might try Get Data Protected Reliably Ltd, whose website boldly describes it as “the UK’s leading GDPR Consultancy”, which for a company that was only incorporated three weeks ago is quite an achievement. The owner confirmed to me that he doesn’t have any Data Protection experience, but he is in the process of hiring people who do, so that’s something to look forward to.

You could try GDPR Training (established 25th April, so more than double the experience of Get Data Protected Reliably), and run by the husband and wife team of Emma Green (former IT consultant) and John Green (former Legal Costs Draftsman). The Greens were upset about the fact that people tweeted facts that were in the public domain about them and made some threats about libel, which is odd given that John accused a highly respected DP expert of jumping on the GDPR bandwagon before blocking everyone on Twitter who noticed. Given that they use the same P.O. Box in Wilmslow that I do, at least they won’t have to go far if they want to take issue with this blog.

More pernicious is the sudden rise of the GDPR Certified Practitioner / DPO / Professional. Now here, I have to declare an interest. One of the training courses I run is a four day course with an exam and a project at the end. If you pass both elements of the course, you get a certificate. It’s a practical course designed to get people ready for GDPR (its predecessor did the same for the DPA). Nobody is ‘qualified’ to be a GDPR Data Protection Officer because they complete the course – no course can qualify you for a job that doesn’t really exist yet. Nobody who completes it is ‘GDPR certified’ as a result, because certification in the GDPR context has a very specific meaning that makes such a claim impossible.

To be certified under the GDPR, data processing has to be approved by an accredited certification body. To be an accredited certification body, an organisation has to be approved by the appropriate national body – in the UK, DCMS has announced that the Information Commissioner’s Office and the United Kingdom Accreditation Service (UKAS) will carry out this role, but they aren’t doing it yet. Given that Article 42 refers to the certification of “processing operations by controllers and processors”, the mechanism for certifying a product like a training course is unclear. The other important element here is that certification is voluntary. The elements of GDPR that certification applies to do not require it – the organisation is at liberty to find other ways to prove their compliance, which is what many will do.

A GDPR certification may be very useful – a controller or processor can use certification to demonstrate their compliance (a requirement of Article 24), and can also have their DP by design approach certified. It’s obviously appealing to data processors or controllers who are bidding to provide services – the certified cloud provider will undoubtedly be more attractive than the one who is not. But whether many Data Controllers will take it up is an open question – whether a company is certified will make zero difference to consumers.

And we’re not there now, which is why claims about being a ‘Certified’ DPO should be taken with a big pinch of salt. If you say you’re certified, that claim should be very carefully interrogated. If, for example, you mean ‘I have successfully completed a course with an exam and I got a certificate at the end of it’, fair enough. But is that what most people will think when they see you describe yourself as a ‘Certified DPO Practitioner’? Will anyone think you’ve just been on a training course (however good that course might be), especially if your company website says the following:

  • GDPR Practitioners – As certified practitioners we can assist you through the new data law minefield.
  • Data Protection Officers – We are qualified to act as outsourced DPOs to consult on data protection issues.

In the GDPR world, ‘certified’ is a big word; ‘certificated’ is a much more accurate one, but it doesn’t have the same heft. The question is, why not use the right word? All of these courses – including mine – are certificated – there’s a test at the end, and you get a certificate. Claiming to be ‘GDPR certified’ sounds like a process that hasn’t started yet.

Some training companies do have external accreditation of their courses, so when they say that they are offering a “Certified EU General Data Protection Regulation (GDPR) Training Course”, surely that is worth more? IT Governance, for example, offer a range of Certified GDPR courses that have been accredited by the International Board for IT Governance Qualifications, which is obviously different because the IBITGQ is an external body whose training and examination committees are staffed by “industry experts”. The IBITGQ currently only accredits one organisation (IT Governance) and though they are open to accrediting other organisations, they refuse to take anyone else from the United Kingdom.

The names of the ‘industry experts’ aren’t available on the IBITGQ website, so I asked IT Governance who the “industry experts” on the IBITGQ committees were, but they refused to tell me and told me to ask the IBITGQ itself. I asked them, but they didn’t acknowledge my email. Meanwhile, people who have been on the IT Governance courses are describing themselves as ‘GDPR Certified Practitioners’, and I’m not sure what that means. The IBITGQ may be doing a sterling job, but the accreditation they offer to a single training company has nothing to do with GDPR certification. They are not accredited in the UK to offer GDPR certification, because no-one is.

I’m not saying that IT Governance want to create any confusion; I don’t know anyone who has actually done the course, and I have no idea what it is like. Nevertheless, no-one should be using the word ‘Certified’ in a GDPR context until the certification process actually starts. It is impossible to have a GDPR certification at the moment, and anyone who has completed or delivered any kind of training on the subject knows this better than most.

The idea of a GDPR seal (also encouraged in Article 42) will be revolutionary in the training business – once courses or organisations can have a GDPR kite mark, it will be difficult to trade without one. I don’t know whether to look forward to the dawn of the DP seal or not, but it’s coming and I will have to get used to it. In the meantime, it’s important that everyone who is buying training or consultancy looks at the bona fides of the provider. Anyone with ‘GDPR’ in their name probably doesn’t have a long history of Data Protection experience, and given that GDPR is evolutionary not revolutionary, that’s a problem. Anyone with a predominantly IT security background is an expert in one part of the GDPR, not the whole of it. And anyone who describes themselves as ‘Certified’ should be asked plainly and simply: beyond getting a certificate, what does that mean?