The Curse of the Padlock

One of the dangers of working in Data Protection is the risk of becoming a pedant. Precision matters; court cases have turned on the meaning of individual words like ‘likely’ and ‘distress’. The legislation is a maze of definitions and concepts that the competent practitioner needs to get to grips with. Lazy thinking can be revealed by an inability to get the details right, so it’s possible to become obsessed with the detail. Even the BCS Data Protection exam has a question which requires you to list the elements of the definition of consent in the right order. It’s easy to lapse into pedantry, to point out every wrongly quoted article, every jumbled phrase.

Nevertheless, getting a simple thing right is often important. GDPR does not cover ‘personal identifiable information’; it covers ‘personal data’ and the definition of the two is not the same. A person who talks about PII in the context of European Data Protection is starting in the wrong place (the US), and can make mistakes as a result. Another error that seems to be creeping in all over the place is more profound, and risks entrenching one of the biggest misconceptions about how data protection works, a misconception many of us have spent years trying to break down.

The problem is the phrase ‘data privacy’.

I see it everywhere – on LinkedIn naturally, in news coverage of the sector, and predictably, the ICO has fallen for it. They describe themselves as “The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” Look at the Data Privacy Advisory Service, who summarise their services as “At DPAS we help organisations safeguard the fundamental human right to have data kept private by putting in place the best possible protection to keep it secure. This is delivered in line with the General Data Protection Regulation (GDPR) and The Data Protection Act 2018.”

The idea is nonsense. It doesn’t exist. There is no right to data privacy – there is certainly no fundamental right ‘to have data kept private’. This isn’t a snide dig at someone quoting the wrong article. The concept of ‘data privacy’ is a complete misunderstanding of what Data Protection is for, and everyone who promotes it is actively thwarting the efforts of the rest of us to implement data protection in a practical way.

Article 8 of the European Convention on Human Rights says: ‘Everyone has the right to respect for his private and family life, his home and his correspondence“. This right is not absolute; it can be interfered with (only when necessary) in the interests of “national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others“. The right is not just about data – it certainly can be, as is evidenced by cases where celebrities and others use the privacy right to prevent the use of images that breach their right to privacy. But the right to privacy doesn’t have to be about data at all – you can breach a person’s right to privacy by simply observing them, by being in a place where they expect privacy, or by denying them the opportunity to do something privately. Data doesn’t have to come into it.

Clearly, if you did a Venn diagram, there would be circumstances where privacy and data protection overlap. By following the Data Protection principles when you handle a person’s private correspondence for example, you probably also do what’s necessary to protect their privacy. The same is true for confidentiality – not all confidential data is personal data, but a decent stab at the principles will probably respect both. There is, however, a significant portion of the Venn diagram where Data Protection and Privacy do not meet, and the DP part of that is important.

The notion of ‘Data Privacy’ obscures two vital elements of Data Protection. First, data protection is not only about private data. It is covers all personal data, private, secret, and public. For years, I have been banging my head against the brick wall of ‘it’s not personal data, it’s in the public domain’. Trying to explain to people that data like photographs, email addresses and other publicly available data is still personal data, just available and easier to use than some other data has long been a difficulty. There was a chink of light in Article 14 of the GDPR which clearly states that a person should be informed even when their data is accessed from ‘publicly accessible sources’. This explicit recognition that public data is still personal data is very helpful, but the notion that ‘data protection’ and ‘data privacy’ are interchangeable muddies the waters again.

Second, in related news, GDPR is not about keeping data private; it is about ensuring that personal data processing is properly regulated. For years, Data Protection has been plagued by the padlock. The Information Commissioner used it as a logo (‘but the padlock is unlocked’ is a defence that umpteen different ICO folk have used when I complained about it), and when I did a Google image search for ‘Data Protection’ today, this is the top set of results:

Screenshot 2019-05-26 at 09.17.53

The problem with the Data Protection Padlock is that it presents the legislation as something that locks data up, keeps it away from people. This understanding of data protection leads directly to the belief that disclosure of personal data is inherently problematic and exceptional, and that belief is toxic. I’m not persuaded that Victoria Climbie or Peter Connelly died solely because data about them wasn’t shared, but the pervasive fear of data sharing didn’t help. The GDPR says that ‘the protection of natural persons in relation to the processing of personal data is a fundamental right‘. The word ‘privacy‘ isn’t mentioned anywhere beyond a reference in a footnote to the ePrivacy Directive, and the processing of personal data is firmly put in the context of operating the EU’s internal market: “This regulation is intended to contribute to the accomplishment of an area of freedom, security and justice, and of an economic union“.

You can’t achieve the economic union by locking all the data away, by keeping it private. To characterise data protection law as being about ‘data privacy’ is to misrepresent its purpose completely. European Data Protection is a compromise – trade is underpinned by the use, even the exploitation of personal data, but people have rights, they have control over their data in some (but not all) circumstances, and the legislation built on foundations of transparency and fairness, not privacy. Arguably, the GDPR tries to even up the power imbalance in some circumstances, but it is not designed to lock up data and keep it private.

Of course, some people might be using ‘privacy’ as a synonym for ‘secure’ – the DPAS statement above seems to elide the two. Only a fool would want to play down the importance of security in the context of using any personal data, but the reduction of Data Protection solely to security is as destructive to a proper understanding of it as the privacy / protection mess. We’ve managed to drag Data Protection out of the IT department, and we need to stamp on this idea that security is the exemplar of good DP practice. Your data can be private and secure, but kept for no good reason, for too long, in an inaccurate state, and there could be too much of it.

Some personal data is private and should remain so. In many situations, the processing of personal data without an eye on people’s legitimate expectations of privacy, especially when monitoring, watching or listening to them, is likely to be unfair and so unlawful. There is a strong link between Data Protection and Privacy, and any attempt to divorce them would be stupid. But the use of ‘data privacy’ as a synonym for data protection is misleading and dangerous – it perpetuates a fundamental misreading of what the legislation is for, and makes the lives of everyone trying to make GDPR work effectively a thousands times harder. It’s time to take this nonsense, lock it up and throw away the key.

Head in the Sandbox

The Information Commissioner’s Office recently held a workshop about their proposed Regulatory Sandbox. The idea of the sandbox is that organisations can come to the ICO with new proposals in order to test out their lawfulness in a safe environment. The hoped-for outcome is that products and services that are at the same time innovative and compliant will emerge.

There is no mention of a sandbox process in the GDPR or the DPA 2018. There is a formal mechanism for controllers to consult the ICO about new ideas that carry high risk (prior consultation) but the circumstances where that happens are prescribed. It’s more about managing risk than getting headlines. Unlike Data Protection Impact Assessments, prior consultation or certification, the design and operation of the sandbox is entirely within the ICO’s control. It is important to know who is having an influence its development, especially as the sandbox approach is not without risk.

Although Mrs Denham is not above eye-catching enforcement when it suits her, the ICO is often risk averse, and has shown little appetite for challenging business models. For example, the UK’s vibrant data broking market – which is fundamentally opaque and therefore unlawful – has rarely been challenged by Wilmslow, especially not the bigger players. They often get treated as stakeholders. The sandbox could make this worse – big organisations will come with their money-making wheezes, and it’s hard to imagine that ICO staff will want to tell them that they can’t do what they want. The sandbox could leave the ICO implicated, having approved or not prevented dodgy practices to avoid the awkwardness of saying no.

Even if you disagree with me about these risks, it’s surely a good thing that the ICO is transparent about who is having an influence on the process. So I made an FOI request to the ICO, requesting the names and companies or organisations of those who attended the meeting. As is tradition, they replied on the 20th working day to refuse to tell me. According to Wilmslow, disclosure of the attendees’ identities is exempt for four different reasons. Transparency will prejudice the ICO’s ability to carry out its regulatory functions, disclosure of the names of the attendees is a breach of data protection, revealing the names of the organisations will cause them commercial damage, and finally, the information was supplied with an expectation of confidentiality, and so disclosure will breach that duty.

These claims are outrageous. DPIAs and prior disclosure exist, underpinned both by the law and by European Data Protection Board guidance. Despite the obvious benefits of developing a formal GDPR certification process (both allowing controllers to have their processing assessed, and the creation of a new industry at a time when the UK needs all the economic activity it can get), the ICO’s position on certification is supremely arrogant: “The ICO has no plans to accredit certification bodies or carry out certification at this time“. A process set out in detail in the GDPR is shunned, with the ICO choosing instead to spend huge amounts of time and money on a pet project which has no legal basis. Certification could spread expertise across the UK; the sandbox will inevitably be limited to preferred stakeholders. If they’re hiding the identities of those who show up to the workshop, it’s hard to imagine that the actual process will be any more transparent.

The ICO’s arguments about commercial prejudice under S43 of FOI are amateurish: “To disclose that a company has sent delegates to the event may in itself indicate to the wider sector and therefore potential competitors that they are in development of, or in the planning stages of a new innovative product which involves personal data“. A vital principle of FOI is that when using a prejudice-based exemption, you need to show cause and effect. Disclosure will or will be likely to lead to the harm described. How on earth could a company lose money, or become less competitive, purely because it was revealed that they attended an ICO event (which is what using S43 means)?

The ICO’s personal data and confidentiality arguments are equally weak – everyone who attended the meeting would know the identities of everyone else, and all were acting in an official or commercial capacity. This was not a secret or private meeting about a specific project; anyone with an interest was able to apply to attend. Revealing their attendance is not unfair, and there is plainly a legitimate interest in knowing who the ICO is talking to about a project into which the office is putting significant resources, and which will have an impact on products or services that may affect millions of people. The determination to hide this basic information and avoid scrutiny of the sandbox process undermines the credibility of the project itself, and makes the ICO’s claim to be an effective defender of public sector transparency ever more hypocritical.

Worst of all, if disclosure of the attendees’ identity was the calamity for commercial sensitivity and personal data that the ICO claims it to be, there should be an immediate and thorough investigation of how the information I requested came to be revealed on the ICO’s website and twitter account. The entire event was recorded and a promotional video was released. Several attendees (whose names and companies I cannot be given because of confidentiality, data protection and commercial prejudice) are identified and interviewed on camera, while there are numerous shots of other attendees who are clearly identifiable. Either the ICO has betrayed the confidentiality and personal data rights of these people, putting their companies at direct commercial risk, or their FOI response is a cack-handed attempt to avoid legitimate scrutiny. Either way, I strongly recommend that the left hand and the right hand in Wilmslow make some rudimentary attempts to get to know one another.

Long ago, I was one of a number of online commentators described by the ICO’s comms people as a ‘driver of negative sentiment’. More recently, one of Denham’s more dedicated apologists accused me of being one of the regulator’s “adversaries”. I’m not a fan of the ICO, and I never have been. But this stinks. The determination to throw every conceivable exemption at a simple request to know who the ICO is talking to suggests that the office is afraid of scrutiny, afraid of having to justify what they’re doing and how they’re doing it. The incompetence of refusing to give me information that is on display on their website and Twitter account shows contempt for their obligations as an FOI regulator. The ICO has its head in the sand; as we drift out of the European mainstream into a lonely future on the fringes, their secrecy and incompetence should be matters of concern for anyone who cares about Data Protection.

Unambiguously yours

There’s an old joke about a tourist in Ireland asking for directions and getting the reply ‘If I was you, I wouldn’t start from here’. To anyone in the position of wondering whether to contact all of the people on their mailing list to get GDPR-standard consent to send marketing, fund-raising or promotional emails and texts, I can only say this: I wouldn’t start from here.

With apologies to regular readers who already know (there must be six of you by now), the problem comes because most of the people advising on the solution don’t seem to know what the problem is. They think that the General Data Protection Regulation makes a significant change to the nature of consent from what is required now, and so they tell their clients and employers that there is an urgent need to carry out a ‘re-consenting’ exercise. A memo has clearly gone out – a distinguished correspondent has sent me two examples of organisations sending out emails to get consent in the past week, and yesterday, the charity Stonewall used Valentine’s Day as a prompt to beg its supporters to ‘not leave us this way’. It was lovely, and it is probably an admission that Stonewall have been acting unlawfully since at least 2003, if not 1998.

Here’s the problem. The 1995 Data Protection Directive defines consent like this:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

and

the data subject has unambiguously given his consent

If you’re new to this, read those sentences a few times. Think about ‘freely given’. Think about the consent being an ‘indication’, something by which the person ‘signifies’ their ‘agreement’. Think about ‘unambiguously given‘. If you think that this be interpreted as an opt-out, where are your car keys? Consent, according to you, is me taking your car keys and leaving you a legalistic note somewhere that says that unless you tell me not to borrow your car, I can borrow your car. Or because I borrowed it another time and you didn’t object, I can keep borrowing your car until you tell me not to.

This is nonsense. Consent cannot be inferred. It cannot be implied. A badly written opt-out buried in terms and conditions, consent assumed because I made a donation, the fact that you have my email address and you assume that I must have given it to you with my consent for marketing rather than (for example) you bought it from a list broker who launders dodgy data like drug money – none of these examples constitute consent. Consent is consent. You asked and I said yes. We all know what it means and to pretend otherwise is to lie so you can persuade yourself that you can spam people.

Yes, the GDPR adds a couple of things. It requires consent to be ‘demonstrable’. It states explicitly that consent can only be obtained by a ‘statement or by a clear affirmative action’. But if you claim that the absence of the above phrase in the Directive is any help to the opt-out model, you’re lying to yourself. An opt-out is inherently ambiguous, and the directive says that consent cannot be unambiguous. I might have misunderstood the wording (especially if the language was clunky or technical, which it often is), the data may have been obtained for a different purpose and the consent option is buried in terms and conditions, I might just have missed it or forgotten. The Directive is clear.

Jump ahead to the Privacy and Electronic Communications Regulations, based on Directive 2002/58/EC (often known the ePrivacy Directive). The definition of consent comes from the Data Protection Directive, and so if the ePrivacy Directive says you need consent, what you need is unambiguous, freely given, specific and informed consent. The ePrivacy Directive is enacted by the Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR (which all good people pronounce as ‘Pecker’ and revel in the opportunities that doing so affords them).

PECR makes life even harder for the opt-outers. For emails, PECR says that the recipient must have “previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender“. If you think that a person can ‘notify’ you by not doing something (i.e. not opting-out), once again, where are your car keys?

Surprisingly given all the execrable practice to which the Commissioner happily turns a blind eye, Wilmslow fired a shot across everyone’s bows with three enforcement cases last year. Morrisons and Flybe are to some extent red herrings as they deliberately targeted people who had explicitly opted out of receiving direct marketing, so when the companies emailed them asking them to opt back in, it was plainly bullshit. The Honda case is more interesting, in the sense that Honda ignored everyone who had opted in (because they’d opted in) and everyone who had opted out (naturally). They contacted people where they didn’t know either way, where they held no evidence of consent. Despite the fact that in all three cases, the contact itself wasn’t selling anything, all were sent for marketing purposes, and here, the ICO argued that the organisations didn’t have consent for sending emails for marketing purposes. It’s been argued by idiots that all Honda were trying to do was comply with GDPR, but that’s patently false. They were trying to pack out their marketing list before a perceived change in the law (GDPR) while ignoring another law that was just fine thanks (PECR).

And now we come to the payoff. If Stonewall (and all the others) have consent to send fund-raising emails, they don’t need to ask again. If they don’t have freely given, specific, informed and unambiguous consent, they shouldn’t be sending emails for marketing purposes now, even if the purpose is to ask for consent from people who are happy to give it because the email is inherently unlawful. It wouldn’t be unlawful for Stonewall to write to all of its supporters and ask them for consent, because post isn’t electronic so PECR doesn’t apply. I would say that there is plainly a legitimate interest for them to use post to ask people for permission to send fund-raising and promotional correspondence by email, so there is no GDPR problem.

The problem with a re-consenting exercise is that the organisation is basically admitting to a PECR breach. The problem is exacerbated by doing that re-consenting exercise by email, because as Honda have demonstrated, doing so is in itself a breach of PECR. People complained to the ICO about the Honda emails, which is why they enforced. If you do a re-consenting exercise by email, anyone irritated enough by the request may well complain. Then what?

So what do I think organisations should do in the light of all this? Well, I wouldn’t start from here. But ignoring the law for a moment, this might be a time to be pragmatic. If you send people content that they want and you don’t annoy them (email being less annoying and distracting than phone or text in my opinion), if you have nice big bright unsubscribe buttons, and if YOU RESPECT BLOODY UNSUBSCRIBE REQUESTS (Hello Daily Telegraph), what’s the risk? Why draw attention to yourself?

I am convinced that sending emails to people who haven’t opted-in is unlawful unless you’ve got the soft opt-in (which because it’s predicated on data gathered through a sale, most charities won’t have). But many organisations have been content to do that for years despite it being unlawful now. So what’s actually changing? I think everyone should comply with the law because privacy – the right to be left alone – is a vital foundation for a civilised society. But if you’re sitting on a mailing list and you’re not sure what to do with it, I would forgive you if you took a slower, longer path, taking every natural opportunity to get renewed consent from existing contacts, getting strong unambiguous consent from anyone new, and hoping that churn and natural wastage gets you where you need to be. And if you’re wrestling with this right now and you’ve read this far, good luck and best wishes.

Stinking Badges

The list of things that annoy me about the explosion of hype and bullshit around GDPR is long and boring (NOTE TO SELF: this list should be a blog post of its own). I cannot say that top of the list are those badges that folk give their products, boasting about being “GDPR Ready”, or “GDPR Compliant” when nobody actually knows what being ready or compliant looks like, but they’re top five.

Screen Shot 2018-01-16 at 21.45.42.png

I was complaining about this on Twitter, and lovely people who enjoy seeing me annoyed started to send me examples of these badges from across the internet. It is via this route that I came to Emailmovers, a data broker who make luxurious claims about their data and its relationship to the GDPR.

Not only do Emailmovers have a badge, they claim to have been working closely with both the Direct Marketing Association and the Information Commissioner’s Office on GDPR issues. Indeed, until someone kicked up a fuss about it, Emailmovers had the Information Commissioner’s logo on their website. The logo has gone now, but if you work out where it was and click, there is an invisible link to the ICO’s website where it used to be.

Emailmovers certainly put up a strong case about the nature of the data they’re selling:

1) We are clear with individuals why we need their data at the point of collection
2) We always use clear and concise language appropriate for our target audience
3) We give individuals control over their data. They are always able to decide whether to share their personal data with us or not
4) Under the GDPR principle accountability, Emailmovers is able to demonstrate that we are compliant. We always record the legal grounds for processing an individual’s personal data

I can’t say that any of this is untrue, although I am sceptical. Generally, I think that the data broking industry is irredeemable, incapable of operating lawfully either now or in the future. The data broker acquires data, accumulates and appends it, and then sells it to clients. This is the opposite of fair. However, and wherever the data was obtained from, whatever transparency or fair processing was given to the subject, it would be vague. It could not say which specific organisations would receive the data, and often, it could not even say which sectors. The data broker does not know – they sell to whoever is buying. This kills consent – which was supposed to be informed and specific since 1995 – and it kills legitimate interest. How can you assess the effect on the subject if you don’t know when obtaining the data what you’re going to do with it? If a data broker obtained individual email data under legitimate interest, they couldn’t sell it on for marketing purposes, because the client will not have consent to send the marketing in question by email.

None of this will stop the data broking industry from carrying on – when some of the biggest brokers are ICO stakeholders whose activities have gone unchecked for decades, it’s hard to imagine that the GDPR will make much of a difference.

Nevertheless, there was one thing about all this that I was able to check. I made an FOI request to the ICO asking about contact that Emailmovers had had with the Commissioner’s Office, particularly with the policy and liaison teams. If Emailmovers really had been working closely with the ICO, there would be evidence of this, right? The ICO’s response was revealing:

There was no direct contact between Emailmovers and our Strategic Liaison/ policy department concerning advice about GDPR.”

Emailmovers had made a couple of enquiries – ICO was too cautious to tell me what they asked, but they supplied the replies which offer no more than a simple (but accurate) explanation that business to business communications are covered by the GDPR, a brief observation that the ePrivacy Regulation is coming but we cannot be sure what it will say, and separately, a straightforward note that even corporate subscribers need fair processing. This is not working closely with the ICO – they asked a couple of questions and got short polite answers. There are no meetings, no detailed correspondence, nothing at all to suggest anything approaching the relationship they boast about here:

Screen Shot 2018-01-16 at 21.47.35

I can honestly say that I am in regular contact with the ICO about a variety of matters. It sounds good, but it’s true only because I nearly gave evidence in one of their prosecutions (they didn’t need me in the end), I make a lot of FOI requests to them, and I tweet at them almost daily.

I don’t accept that making a couple of enquiries equates to working closely with someone. The fact that Emailmovers make this claim on their website, and displayed the ICO logo prominently until recently makes me very uneasy about the other things they say. The GDPR sector is full of bullshit and exaggeration, fake certifications, hokey badges and bluster. As we near the supposed cliff edge of May 25th, we should all take the time to check every claim with great scepticism, and to treat the badge-toting hordes with the same caution that Humphrey Bogart treated a certain bogus Federale:

Certifiable

The slow progress of GDPR has been agonising. From the beginning, with a series of disputed drafts bouncing around European institutions, we’ve had the fraught last minute negotiations in December 2015, the clouds of doubt cast by the Brexit vote, and finally, through a series of government announcements, apparent confirmation that it was still on track. We’re not there yet – the much-discussed position paper released by the Department for Culture Media and Sport this week is still just the hors d’oeuvres, with the full meal only beginning next month, when the Data Protection Bill itself will be published.

Throughout this seemingly endless grind, there has been one consistent thread, one thing on which the weary GDPR traveller could rely, no matter how much doubt there was elsewhere: the constant stream of bullshit. Everywhere you look, on whatever subject you choose to read about, bullshit everywhere. There is the nonsense about having to have consent, spread by parties as varied as the admirable Rights Info (since corrected) and the GDPR Conference, who sponsored an article about the oncoming Data Protection Apocalypse and then had to withdraw it because it was bollocks. There is the relentless scaremongering about fines that will turn companies into dust, spread by the world and his dog and finally punctured by the Information Commissioner herself, admitting that she would far rather not fine anyone if that’s all the same to you. I’m not certain that waving the white flag this early is the masterstroke that Wilmslow thinks it is, but at least they’ve finally caught up to where I was in April.

Hype is one thing. If I was still a Data Protection Officer, up until today I probably would have shamelessly exploited the bazillion pound fine nonsense if I thought it would persuade my employer to take the changes seriously. Being a DPO is the ultimate thankless task where nobody notices you until somebody else does something stupid and you get the blame, so if the threat of fire and fury gets the chief executive’s attention, it’s nobody else’s business. However, there’s a difference between selling internally, and just plain selling.

As has already been noted by experts more distinguished and less biased than me, there are a lot of new entrants into the market whose experience lies outside the conventional route of Actually Working On Data Protection Ever. This does not stop them from making grand claims. The idea that Carl Gottlieb’s customers already call him ‘The GDPR Guy’ definitely doesn’t sound made up, but it must be confusing for all the people who presumably called him the Anti Virus Guy a few months ago.

If you prefer, perhaps you might try Get Data Protected Reliably Ltd, whose website boldly describes it as “the UK’s leading GDPR Consultancy“, which for a company that was only incorporated three weeks ago is quite an achievement. The owner confirmed to me that he doesn’t have any Data Protection experience, but he is in the process of hiring people who do, so that’s something to look forward to.

You could try GDPR Training (established 25th April, so more than double the experience of Get Data Protected Reliably), and run by the husband and wife team of Emma Green (former IT consultant) and John Green (former Legal Costs Draftsman). The Greens were upset about the fact that people tweeted facts that were in the public domain about them and made some threats about libel, which is odd given that John accused a highly respected DP expert of jumping on the GDPR bandwagon before blocking everyone on Twitter who noticed. Given that they use the same P.O. Box in Wilmslow that I do, at least they won’t have to go far if they want to take issue with this blog.

More pernicious is the sudden rise of the GDPR Certified Practitioner / DPO / Professional. Now here, I have to declare an interest. One of the training courses I run is a four day course with an exam and a project at the end. If you pass both elements of the course, you get a certificate. It’s a practical course designed to get people ready for GDPR (its predecessor did the same for the DPA). Nobody is ‘qualified’ to be a GDPR Data Protection Officer because they complete the course – no course can qualify you for a job that doesn’t really exist yet. Nobody who completes it is ‘GDPR certified’ as a result, because certification in the GDPR context has a very specific meaning that makes such a claim impossible.

To be certified under the GDPR, data processing has to be approved by an accredited certification body. To be an accredited certification body, an organisation has to be approved by the appropriate national body – in the UK, DCMS has announced that the Information Commissioner’s Office and the UK Accreditation Service will carry out this role, but they aren’t doing it yet. Given that Article 42 refers to the certification of “processing operations by controllers and processors“, the mechanism for certifying a product like a training course is unclear. The other important element here is that certification is voluntary. The elements of GDPR that certification applies to do not require it – the organisation is at liberty to find other ways to prove their compliance, which is what many will do.

A GDPR certification may be very useful – a controller or processor can use certification to demonstrate their compliance (a requirement of Article 24), and can also have their DP by design approach certified. It’s obviously appealing to data processors or controllers who are bidding to provide services – the certified cloud provider will undoubtedly be more attractive than the one who is not. But whether many Data Controllers will take it up is an open question – whether a company is certified will make zero difference to consumers.

And we’re not there now, which is why claims about being a ‘Certified’ DPO should be taken with a big pinch of salt. If you say you’re certified, that claim should be very carefully interrogated. If, for example, you mean ‘I have successfully completed an course with an exam and I got a certificate at the end of it’, fair enough. But is that what most people will think when they see you describe yourself as a ‘Certified DPO Practitioner‘? Will anyone think you’ve just been on a training course (however good that course might be), especially if your company website says the following:

  • GDPR Practitioners – As certified practitioners we can assist you through the new data law minefield.
  • Data Protection Officers – We are qualified to act as outsourced DPOs to consult on data protection issues.

In the GDPR world, ‘certified’ is a big word; ‘certificated’ is a much more accurate one, but it doesn’t have the same heft. The question is, why not use the right word? All of these courses – including mine – are certificated – there’s a test at the end, and you get a certificate. Claiming to be ‘GDPR certified’ sounds like a process that hasn’t started yet.

Some training companies do have external accreditation of their courses, so when they say that they are offering a “Certified EU General Data Protection Regulation (GDPR) Training Course”, surely that is worth more? IT Governance, for example, offer a range of Certified GDPR courses that have been accredited by the International Board for IT Governance Qualifications, which is obviously different because the IBITGQ is an external body whose training and examination committees are staffed by “industry experts”. The IBITGQ currently only accredits one organisation (IT Governance) and though they are open to accrediting other organisations, they refuse to take anyone else from the United Kingdom.

The names of the ‘industry experts’ aren’t available on the IBITGQ website, so I asked IT Governance who the “industry experts” on the IBITGQ committees were, but they refused to tell me and told me to ask the IBITGQ itself. I asked them, but they didn’t acknowledge my email. Meanwhile, people who have been the IT Governance courses are describing themselves as ‘GDPR Certified Practitioners’, and I’m not sure what that means. The IBITGQ may be doing a sterling job, but the accreditation they offer to a single training company has nothing to do with GDPR certification. They are not accredited in the UK to offer GDPR certification, because no-one is.

I’m not saying that IT Governance want to create any confusion, I don’t know anyone who has actually done the course, and I have no idea what it is like. Nevertheless, no-one should be using the word ‘Certified’ in a GDPR context until the certification process actually starts. It is impossible to have a GDPR certification at the moment, and anyone who has completed or delivered any kind of training on the subject knows this better than most.

The idea of a GDPR seal (also encouraged in Article 42) will be revolutionary in the training business – once courses or organisations can have a GDPR kite mark, it will be difficult to trade without one. I don’t know whether to look forward to the dawn of the DP seal or not, but it’s coming and I will have to get used to it. In the meantime, it’s important that everyone who is buying training or consultancy looks at the bona fides of the provider. Anyone with ‘GDPR’ in their name probably doesn’t have a long history of Data Protection experience, and given that GDPR is evolutionary not revolutionary, that’s a problem. Anyone with a predominantly IT security background is an expert in one part of the GDPR, not the whole of it. And anyone who describes themselves as ‘Certified’ should be asked plainly and simply: beyond getting a certificate, what does that mean?