Role playing

A few weeks ago, the Data Protection world was shaken by a decision from the Belgian DP Authority to fine an organisation €50,000 after they appointed the Head of their Compliance, Risk Management and Audit department as their Data Protection Officer. I’ve commented before about my frustration that too many organisations are unable to comprehend the independence and relative freedom of the DPO role as anything other than a senior-level job – in such places, the role is a DPOINO, a Data Protection Officer In Name Only, with a younger, more junior but much more expert person actually carrying out the role. The DPOINO in these organisations is usually a middle-aged white man, and the real DPO is a younger woman. I imagine you are shocked to read this.

The Belgian decision is not ridiculous – it is difficult for someone in a senior position to escape decisions about hiring and firing (for example) or system design, activities that risk dragging the incumbent into determining the purposes of processing. If the DPO was less senior, even in the same department, the risk of conflicts of interest would be lower. There are better, more imaginative models, but I think seniority is always fatal. Needless to say, some commentators have drawn rather different conclusions.

Writing for Scottish Housing News, Daradjeet Jagpal questioned whether it was time for his audience (Registered Social Landlords in Scotland) to review their DPO appointments. Despite this being a single case in a foreign jurisdiction with tenuous direct application to a non-EU country like the UK, Jagpal fell back on the consistency mechanism, and warned his readers that the ICO might adopt the same approach, skipping over the fact that Wilmslow’s approach to the GDPR has been to go to sleep. He runs through the possible candidates – mainly heads of various RSL departments – and finds that none of them make the grade; rather patronisingly, he dismisses the idea that a Corporate Services Officer would be “comfortable or sufficiently confident to challenge the CEO on non-compliance”. Take that, many DPOs who I know and love.

Jagpal comes to the conclusion that “The obvious solution is for RSLs to appoint an external DPO”, which is remarkable, given that Jagpal is described in the article as “a leading provider of outsourced DPO services to RSLs across Scotland”. I’m not suggesting that he is over-egging the Belgian decision for nakedly commercial purposes, but he does place weirdly heavy emphasis on EU standards and pressures which are clearly either dead or dying for Brexit Britain, and he barely entertains the idea that Scottish RSLs might just appoint a DPO in-house.

To be fair, the Belgian decision is a real thing that happened, and while I disagree with Jagpal’s assessment of its implications, he’s accurately described the situation. The same cannot be said of everyone in the outsourced DPO sector. In a webinar hosted by everyone’s favourite LinkedIn spammers, Data Protection World Forum, Rob Masson, the CEO of The DPO Centre, decided to get creative. Masson spoke of the “quite strict guidelines” (AKA legal requirements) about who can be a DPO and the importance of avoiding conflicts of interest. He went on to say “we’ve got to remember that the role of the Data Protection Officer is to represent the needs of the Data Subjects. It’s not necessarily to represent the needs of the organisation.”

None of the DPO tasks specified in Article 39 refer to data subjects. They require a DPO to advise the organisation on data protection matters, monitor its compliance with the GDPR and other laws, advise on and monitor the effectiveness of data protection impact assessments, and liaise with the Information Commissioner’s Office. If you wanted to be exceptionally generous to Masson, you could interpret the whole of the GDPR as reflecting the needs of data subjects to have their personal data properly regulated, and from there spin the DPO’s role as a facilitator of that. But that’s also nonsense. It’s as much in the interests of an organisation that the personal data it uses is accurate and secure as it is for data subjects. The GDPR sometimes allows controllers to retain data despite a subject’s objection, to keep processing secret from them when disclosure might prejudice certain purposes, and to balance their own wish to use data against the impact on the subject, deciding to use it without consent when they think they’ve assessed the situation properly.

If we’re talking about the needs of the organisation, I’d argue that most of the GDPR’s requirements reflect the needs of the controller. Some organisations are too lazy or stupid to see it, or they’re getting advice from the wrong people. It might seem like disposing of personal data that you genuinely don’t need any more is an unwelcome imposition, but it’s very much the healthy option. To use Masson’s own word, GDPR is the spinach that the organisation *needs*, even if it might prefer the Big Mac and Fries of not thinking about it.

A77 gives the subject the “right” to lodge a complaint with the relevant supervisory authority. A39(1)(a) says that the DPO “shall” inform and advise the organisation of their obligations. Contrast these provisions with the words in A38(4), the only element of the DPO articles that refers to subjects: “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.” This obviously means that the DPO ought to be accessible to data subjects (one of my objections to senior DPOs is that they won’t go for this), but it also shows Masson’s version to be fantasy. There is no right to reply, no hint that the DPO is the subject’s advocate or representative. They’re at best a conduit for concerned subjects.

Obviously, the DPO isn’t just the loyal servant of the organisation, and they have to reconcile being an employee and an independent advisor. I disagree with Jagpal’s dismissal of junior officers as being capable of standing up to CEOs because I know so many who do it regularly. But he’s reflecting a real problem that many DPOs face. If the senior people don’t want to take the DPO’s advice, they are in an invidious position. Until the ICO shows that it is willing to back DPOs in these kinds of situations, it’s going to remain a precarious and stressful job for those facing unsympathetic management. Masson’s characterisation can only make this worse, feeding a perception that the DPO is not even there to help the business, but to pursue the interests of data subjects. Subjects come in all shapes and sizes, but some of them are hostile, difficult and aggressive, and telling a CEO who already doesn’t take data protection seriously that their DPO represents these people’s interests is toxic. This snake-oil may seem slick on a bullshit webinar, but if this unhelpful message reaches workplaces with already unsympathetic management, it’s going to make the work of beleaguered DPOs even harder.

I wonder if it’s a coincidence that Masson’s misreading of the GDPR could benefit his business – if the DPO really is there to serve the needs of the data subject, doesn’t an external figure make more sense than an in-house officer who won’t be doing what you want them to do anyway? There’s nothing in the GDPR that would make you think that this version of the DPO is correct, so it has to come from somewhere. If that’s it, rather than simple ignorance, I wonder if Masson has the guts to try to hawk this stuff in a forum where people might actually challenge him.

At this point, you might be thinking, so what? People talk shite to get business. They predict SARmageddons. They shout about 4% of annual turnover fines. They claim that first-tier decisions in Belgium should make you change your DPO. Does it matter? Doesn’t every sector have its share of hype and froth? The answer is that I have to work in this one, and I think the truth matters. I also have to clean up other people’s bullshit. I have to overcome the hype and the scaremongering spread around by the other people in my industry. I know the popular mantra is that commercial folk should all be pitching in and helping each other, but by spreading misinformation, the likes of Rob Masson are already not doing that, so why should I?

The Information Commissioner’s Office isn’t going to enforce against organisations with an imperfect DPO choice – perhaps they should, but they won’t. They’ve done one GDPR fine in two years and I doubt we’ll see another one in 2020. Sidelined by government in the coronacrisis, facing a review from the DCMS (pointedly not postponed despite the pandemic) and humiliated by the collapse of multiple high profile actions, the ICO is an irrelevance. I’ll be surprised if they survive in their current form. The reason to choose the right DPO is that an independent, challenging person in the role will help organisations to make intelligent decisions that will build a culture of more secure, more accurate, more effectively used data. The DPO isn’t the voice of the subjects, they’re a valuable asset there to guide and assist the organisation. I won’t sell a single course place by saying so, but that doesn’t make it any less true.


Lateral Thinking

Last week, I wrote a blog about the ‘personal data agency’ Yo-Da, outlining my concerns about their grandiose claims, the lack of detail about how their service works and their hypocritical decision to ignore a subject access request I made to them. Predictably, this led to further online tussles between myself and Benjamin Falk, the company’s founder and ‘chief talker’. As a result of our final conversation, Yo-Da has effectively disappeared from the internet. Clearly, I touched a nerve.

Yo-Da’s website made concrete claims about what their service did, and in fact had done. There were testimonials from satisfied users, and three case studies. Although it was clear that the service wasn’t operating yet, the testimonials were unambiguous: here is what Yo-Da has done for me. There was no hint that they were fictional, nothing to suggest that the service couldn’t do what the site said.

The site carried claims like these:

“Yo-Da systematically and automatically exercises your data rights”

“Use Yo-Da to ask any company in Europe to delete your personal information”

User ‘Samuel’ claimed “Now I go to Yo-Da, search for the company whose (sic) been breached, and with 1-click find out what is happening with my personal information”, while ‘Nathan’ said “Yo-Da was simple to use and helped me understand just how many businesses in Europe have my data.”

None of this is true. Yo-Da do not have a working product that does these things. As Falk put it to me, “Our technology is still under development” and “We have some ideas that are working. They aren’t perfect.” I am not saying that Yo-Da aren’t developing an automated data rights service; I’m certain that they are. I’m not saying a product will never launch; I expect that it will and I am looking forward to it, though perhaps not for the same reason as Samuel and Nathan. The point is, it doesn’t exist now and the website said that it did.

Originally, Falk claimed that he had deliberately ignored my subject access request because it was unfounded. ‘Unpleasant’ people like me don’t have data rights, he claimed. This didn’t sound right, especially as after I published my blog, Yo-Da’s DPO (Trilateral Research) suddenly woke up and tried to process my request, as if this was the first they’d heard of it. During our correspondence, they made it clear that they agreed with Falk’s decision that my request was unfounded, but were silent on the decision to ignore it.

But in my argument with Falk, he admitted the truth: “We have an outsourced DPO for a reason; we can’t afford a full time one. That’s why the SAR went ignored; our service isn’t live yet and so we didn’t expect to receive any requests, because we aren’t collecting any personal data on anyone”.

In a single tweet, Falk said a lot. He was admitting that all of the testimonials and case studies were fake (he ultimately said to me that they were “obviously fake”). At the same time, he was also not telling the truth. Falk said that the website was a “dummy” to “gauge interest”. In other words, the site exists as an advert for a theoretical service, but its other purpose is to persuade people to sign up to Yo-Da’s mailing list. It was designed to collect personal data. Yo-Da were saying ‘sign up with us to use this service that actually works’. I believe that this is a direct breach of the first GDPR principle, lawfulness, fairness and transparency. I want to know why Trilateral Research acted as DPO for an organisation that did this.

Falk said that he was joking when he said that he ignored my request on purpose, but Trilateral didn’t acknowledge that. They wrote of a ‘delay’ in acknowledging my request, but concurred with Falk’s decision that it was unfounded. That decision was never made; my SAR was just missed. Nobody was checking the ‘dpo@yo-da.co’ email account – Falk wasn’t, and neither were they, despite being the putative DPO. Either they didn’t know what had happened, or they didn’t care. They definitely backed up their client rather than digging into why a SAR had been received and ignored on spurious grounds without their involvement. Let’s be generous and assume that they didn’t know that Falk was bullshitting. Their client had taken a controversial and disputable decision in a SAR case, and he hadn’t consulted them before he did it, but they didn’t acknowledge that. They backed the unfounded refusal.

Even if Yo-Da one day launches a product that successfully facilitates automated data rights requests to every company in Europe (prediction: this will never happen), they definitely don’t have that product now, and their website claimed that they did. Either Trilateral didn’t know this, which means that they failed to do basic due diligence on their client, or they knew that the Yo-Da website was soliciting personal data on the basis of false claims.

When I pointed out to Falk that all of the sign-up data had been collected unlawfully (it’s not fair and transparent to gather data about a service that doesn’t exist), the conversation ended. The Yo-Da website instantly vanished, and their Twitter account was deactivated minutes later. I’m certain that Falk will be back, his little spat with me considered to be no more than a bump in the road to world domination. But forget him; what does this say about Trilateral? The best defence I can think of is that they took Falk’s money to be in-name-only DPO but didn’t scrutinise the company or their claims. This is bad. If they had any idea that Yo-Da doesn’t currently do what the website claimed, it’s worse.

According to the European Data Protection Board, the professional qualities that must be demonstrated by a Data Protection Officer include “integrity and high professional ethics”. I seriously question whether Trilateral have demonstrated integrity and high professional ethics in this case. It’s plainly unethical to be named as DPO for an organisation, and then ignore what comes into the DPO email address. Article 38(4) of the GDPR states “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation” but Trilateral weren’t even listening. It’s unethical to take on a client without knowing in detail how their services work (or even whether their services work), and that’s the only defence I can see in this case. It’s unethical to be DPO for an organisation that is making false or exaggerated claims to obtain personal data.

I regularly get asked by clients if I can recommend an outsourced DPO or a company who can do the kind of sustained consultancy work that a solo operator like me doesn’t have the capacity for. There are a few names I’m happy to give. I have no hesitation in saying that on the basis of this shoddy episode, I wouldn’t touch Trilateral Research with a bargepole.