Live and Let Dai

To say that anything connected with GDPR is the worst example of its kind is a foolhardy business. I’ve read so many terrible articles, LinkedIn posts and tweets about GDPR that to single any one of them out and say ‘THIS ONE IS THE WORST’ seems pointless. Most of them are bad. However, after watching 33 minutes of waffle, padding and gleefully misinformed bullshit, I am reckless enough to say that the intellectual property lawyer Dai Davis’ talk here is the worst presentation or talk I have seen about the GDPR in any format.

Admittedly, the trainer in me hated it because of the incompetence – Davis has to keep going back to the podium to change slides because he hasn’t brought a remote, and he pads the talk out with protracted questions to the audience that don’t add anything to what he is saying. When someone intelligent-sounding in the audience takes him on by asking a proper question, he runs a mile.

More seriously, a good chunk of the talk is taken up with an attempt to create a formula for how much you should spend on data protection compliance based on the likelihood of being fined. It’s an eye-catching and controversial thing to throw out in a conference, but I don’t believe even Davis knows what point he’s making. Is he really saying that every organisation should spend a meaningless, averaged-out €2000 to comply with GDPR, or is that just a flourish? Every organisation is different from every other, and will have radically different priorities and appetites for risk, so trying to create a standardised methodology is so random and unhelpful that I don’t think it’s a serious point. Given the number of basic mistakes and baseless assertions he makes in such a short time, however, the only thing I can add to his calculations is that however much you spend on GDPR, you should probably not spend it on advice from him.

I may not have got them all, but here is as full a collection of all the blunders as I could manage:

  • Davis cannot remember how many deputies the Commissioner has, but he knows that it’s between 11 and 13. There are 3 deputies (James Dipple-Johnstone, Paul Arnold and Steve Wood); there have never been more than 3.
  • Davis consistently gets the name of the ICO wrong – it’s almost always the ‘Information Commission Office’, although he varies it at least once with ‘Information Commission Data Protection Officer’ (he wasn’t talking about their DPO). To be charitable, it might be because he’s talking quickly, but the errors are relentless. He clearly thinks that Elizabeth Denham’s job title is ‘ICO’, because he calls her this repeatedly, and talks about what he would do if he was “the ICO”.
  • He asserts that the GDPR is not a ‘step change’ from the old legislation solely because it has lots of words, even though many of those words are very similar to words in the same order in the old version.
  • He notes that there has not been a GDPR fine yet. Davis was speaking on May 30th, two days after the first 72 hours to *report* a relevant breach would have elapsed.
  • He asserts several times that in theory “every single breach” has to be reported to the ICO. This is completely false. There is a specific definition of a breach in the GDPR and incidents that do not meet a certain threshold of risk do not have to be reported.
  • He says that telecoms companies had to report breaches to the ICO since 2012. Communications providers have had this duty since 2011, not just telecoms companies.
  • Davis claims that public sector bodies self-report breaches to the ICO because they have no idea about how to take a commercial risk. There is the problem that public sector bodies are not commercial organisations by and large, so that argument makes no sense, but it’s also factually incorrect. To take one example, NHS bodies (the example shouted out by an audience member) have been obliged by the operation of the Information Governance Toolkit to report breaches to the ICO since at least 1st June 2013 (I think it was actually earlier than this, but that’s the one given in a Toolkit document that Davis could have found with a single Google search if facts were something he had any curiosity about).
  • Davis claims that the ICO is not really responsible for prosecutions for S55 offences, despite talking exclusively about prosecutions that the ICO carried out.
  • He includes the prosecutions in his calculations for the risk of being fined by the ICO, seemingly unaware that fines and prosecutions are two entirely distinct activities, with S55 prosecutions being against individuals rather than organisations. Throughout, Davis talks about the ICO enforcing on ‘people’, so I don’t know if he knows that the penalties were issued against data controllers.
  • He says that there were 18000 complaints in 2016 and the ICO has done nothing about nearly all of them. As someone who thinks the ICO is crap, even I have to acknowledge that most of these complaints were resolved informally and the absence of a fine does not mean that nothing happened. In quite a few cases, the complaint would not have been valid, and so no action would be appropriate.
  • He twice says that the maximum penalty for a breach under the DPA 1998 was £5,000,000; it was £500,000.
  • He quotes the head of the ICO’s ‘Breach Notification Division’, which does not exist.
  • He claims that the GDPR contains more loopholes, which requires the ICO to hire criminal lawyers. The standard of evidence for a GDPR breach is balance of probabilities, and GDPR removes the requirement to prove damage or distress for a monetary penalty.
  • He says the ICO has 700 staff – they haven’t recruited these staff yet.
  • He tells a story of how he tells his hotel clients (who, if they exist, have my pity) that they cannot claim to be GDPR compliant because they use “mobile telephones” and allow their staff to send text messages. According to Davis, it is impossible to use mobile phones securely.

At the point where Davis says “smart lawyers like me”, my jaw did not drop, it fell off.

Leaving aside how garbled and smug Davis’ performance is, you might wish to be charitable and take on his central thesis – that you probably won’t get a GDPR fine. He’s right. There have been relatively few penalties under Data Protection thus far and so the risk of getting one is relatively small. I cannot disagree with this banal point because I have made it myself many times. However, I can’t tell if his conclusion is simply that nobody should bother complying or whether there would have been a ‘however, you should comply because…’ moment, because there isn’t a conclusion. Presumably because he has run out of time, Davis just stops. So what, Dai? What’s your point? What should the audience do with this information? Should they just ignore GDPR? There’s definitely a sense of this when he says that 10 years from now, the owner of a B&B will not know what GDPR is.

If Davis had the guts or the discipline to get to a conclusion that GDPR doesn’t matter, that would have been something. His contempt for detail would still be an impediment, but ‘Ignore GDPR’ is an assertion worth tackling. I could counter by arguing that the threat of a fine isn’t a good reason to comply, but respecting human dignity and avoiding harm to real people through inaccuracy, intrusion and insecurity is, but Davis never stops circling the airport, so I don’t even know if that’s what he’s saying.

If his contention is that organisations don’t have the ability to measure risk effectively and need to get GDPR in perspective, that’s actually a good point, but he makes it so incompetently that again I’m not motivated to take him on. I have grudging sympathy for the idea that reputational damage is an overhyped risk (again, it’s not a point he makes clearly), but I know that many in the Data Protection world would passionately disagree, and I suspect that they could use Facebook’s current woes as evidence that public perception over data misuse isn’t something that boardrooms can ignore.

In the end, I think Davis is a clever man pontificating about a subject he neither cares for nor understands, but the danger is that people will watch the talk and be contaminated by it. You could argue that I am making it worse by drawing attention to it solely so I can take the piss. All I can say is, the talk is out there. People will see it. As this is the case, if you find his argument (such as it is) attractive, it’s worth pointing out how sloppy and ill-informed his thinking is. It’s worth asking: if this is the ‘Ignore GDPR’ guy, why would you listen to him?

EVERYTHING’S FINE

Due to the activities of a particularly noisy blackbird, I woke at 5.15am, and so headed to the ICO’s website to see if they had published their long-awaited report into politics and data analytics. The press release was there, and the report itself was tweeted out a little while ago. Given all the noise and hype (and an enormous amount of misinformation), I have a few observations about the interim report. Given that I predicted that the ICO would do nothing, I should be delighted that Wilmslow has finally decided to respond to all of my goading by taking action, but it’s not quite that simple.

  1. Despite the headlines and strong statements from whistleblower Chris Wylie, Facebook have not been fined £500,000. They might be, but what ICO has done is issued a notice of intent, which means that Facebook has the opportunity to make representations before the fine is issued – if it is. It’s entirely possible that Facebook will pay up and move on, but equally, it’s possible that they’ll make representations that kill off the fine altogether. Finally issuing a maximum penalty after the DPA 1998 is technically dead is a very ICO move, but it hasn’t happened yet. If they pull it off, I will be thrilled to have called this one the wrong way.
  2. The much-vaunted ‘criminal prosecution’ of SCL Elections has an element of a government announcing previous spending commitments as new money. As far as I can see, the prosecution (which hasn’t happened yet) is against SCL for their alleged failure to comply with an enforcement notice served because of their alleged failure to comply with a Subject Access request made by the US academic, David Carroll. I have already made myself deeply unpopular by suggesting that a regulator with a relatively hesitant approach to enforcement should not be prioritising the DP rights of non-EU citizens. If Americans want DP rights, they should pass laws like California is doing, rather than using UK taxpayers’ money to refight the Trump election. Nevertheless, the really interesting thing is that the notice was served after SCL went into administration, which means that either ICO intends to prosecute the directors under Section 61 of the DPA (which would be a bold move indeed, given that the directors presumably are no longer in control of the company) or they’re going after the administrators, which is bullshit.
  3. There is an enforcement notice against the Canadian company AIQ – this is quite something, as it is the first time that the ICO has used its GDPR powers to place a limitation on processing (i.e. the processing of data about UK and EU voters obtained unfairly by AIQ). I have no idea how ICO intends to prosecute AIQ if they fail to comply with the notice, what with them being in Canada. It’s entirely possible that AIQ will go along with it for a quiet life. I think the notice is unenforceable if they decide to flip Mrs Denham the bird.
  4. Despite the war between Carole Cadwalladr and Arron Banks (reminder to wash my hands after typing that name) that has provided the background noise for the ICO’s investigation, it’s interesting that the ICO is not currently taking action against Leave.EU. Indeed, there’s nothing new on Cambridge Analytica either. However, the ICO confirms that they are still looking at Leave.EU, but also at Vote Leave and the Remain campaign. As someone who thinks that leaving the EU is a slow act of national seppuku, it’s fascinating to learn that ICO seems to think the analytics issue might be more of an ‘everyone’s at it’ than ‘democracy stolen by Leave’.
  5. The most intriguing part of the report is the one getting the least headlines. As well as possibly issuing a penalty on Facebook, they’re also going after Emma’s Diary, a data broker that preys on pregnant women. Despite all of my misgivings about whether this long-running saga is a good idea when carried out at the same time as the implementation of GDPR, if the investigation finally forces the ICO to tackle the ugly underbelly of the UK’s trade in personal data, it will be a wholly good thing. ICO has avoided tackling data brokers and credit reference agencies for decades, and if they finally get dragged into the spotlight, that can only be a good thing.

SOME PREDICTIONS

  • The Directors of SCL Elections will not be prosecuted successfully.
  • Facebook will not pay a fine of £500,000 (there may be a fine).
  • AIQ will grumble and make a show of complying, even though they know the notice is unenforceable.
  • The ICO will not take enforcement action against any major political party as a result of the investigation. There will be UNDERTAKINGS.

I will be delighted to be proved wrong on any of the above.

THE REQUEST

MY REQUEST

Email sent 25/05/18, 17.29

Hello

I would like to request all personal data associated with myself held by your company, in accordance with my rights under the GDPR.

The following information should allow you to identify me:
I live at [HOME ADDRESS]. My business name is 2040 Training, and my business address is Courthill House, 60 Water Lane, Wilmslow, Cheshire SK9 5AJ, UK, Company No: 6682698

You may hold data associated with me via the following email addresses and phone numbers: [PERSONAL EMAIL WITH MY NAME IN IT], [SECOND PERSONAL EMAIL WITH MY NAME IN IT], tim@2040training.co.uk, [EMAIL WITH MY NAME AND COMPANY NAME IN IT], [LANDLINE], 07508341090 or [PERSONAL MOBILE] or the Twitter handle @tim2040

My request includes any personal data held about me, including any assumptions, characterisations, classifications or inferred data recorded about or associated with me, as well as any factual, contact or other personal data and correspondence concerning me either internally or externally.

This should also include a clear indication of the source for all information held about me, and the names of any data controllers to whom my personal data has been passed. If you require any further information, please do not hesitate to contact me. Please note that all personal data included in this request has been supplied solely for the purpose of identifying data already held by your organisation, and none of it should be retained or added to records you hold for any other purpose.

Regards

Tim Turner

THEIR REPLY

Email sent 25/05/2018, 21.27

Hello,

Thanks for reaching out to us. I am glad to see that some are not wasting any time in exercising their rights!

Here are the definite answers I can provide at this stage:
* I have not found the email address tim@2040training.co.uk in our systems.
* I am not sure under what basis you are making your request for business information we might hold concerning the “2040 Training” business. The GDPR would not be applicable to that situation. If there is something I am missing, please let me know.

Otherwise, a constant concern with Subject Access Request is to confirm the identity of the person making the request. For this reason, before responding to any request concerning the other identifiers, I first need to confirm that the owner of those accounts actually did wish to formulate such a request. Therefore…
* for each of the other email addresses, please resend a direct request from that email address, so we can confirm they are yours.
* for each of the phone numbers, please send a copy of a recent phone bill in your name to confirm that you hold this phone number.
* for the Twitter account @tim2040, please contact us directly at @PersonalDataIO, and we can take it from there.

Finally, for the request concerning your home address, I will need some type of proof to confirm you live at that address. A utility bill in your name would do.

Sincerely,

Paul-Olivier Dehaye
PersonalData.io

MY REPLY TO THAT

Hi
Thanks very much for this.
You’ve given me everything I need here.
Best wishes
Tim

HIS REPLY TO ME

Great. Happy to help. Thanks for making our service better.

Paul

MY REPLY TO THAT NONSENSE

There’s a very long way to go on that.

T

HIS DESPERATE NEED FOR THE LAST WORD

Baby steps!

Paul

MY RIGHT TO BE FORGOTTEN REQUEST

Hi
Under Article 17 of the General Data Protection Regulation, I would like to request that you erase any personal data held by your company or any of its employees or volunteers in relation to myself. Specifically, I request that you erase any reference to any of the emails or phone numbers provided in my email to you from this address on 25th May 2018, including the email itself.
If you held any of the information before 25th of May, I expect you to erase it.
If you refuse to erase any personal data connected to any of the identifiers specified in my request of 25th May 2018 without proofs of ID, please let me know.
Best wishes
Tim Turner

A brief word from our sponsors

I haven’t blogged in a while because of a heavy workload, inspired by the oncoming train / Sword of Damocles / impending apocalypse that May 25th represents. In the meantime, permit me to do a bit of advertising.

Believe it or not, GDPR is for life, not just the 25th May 2018.

So if you intend to run a business, charity, public authority or other organisation, and want to know about GDPR Rights like the Right to be Forgotten, Subject Access or Portability, if you want to know what PECR means for marketing or fundraising, or if you just want to know how GDPR works, I am running courses in May that can help you. I’ve been a DP Officer, I have 17 years of data protection experience, and I use my DP rights to track down and control my data, so I can show you what’s good and bad across the DP world.

The courses are GDPR Rights in London and Manchester, GDPR and Marketing in London, and GDPR SOS for the second time in London – all at the end of May, all £250 + VAT. I’m not doing any courses on the 25th May itself as I will be using my Data Protection rights for wholly mischievous purposes against people who deserve it. Expect to read blogs about that in the future.

Find out more about the courses here: http://2040training.co.uk/gdprcourses/

Book here: http://2040training.co.uk/booking-form/

SARpocalypse Now

As expected, the Information Commissioner has announced that her office will be running a campaign promoting GDPR rights to members of the public. As anyone could have predicted, some of the excitable GDPR community on LinkedIn are now working themselves up into a lather about the SARmageddon that will ensue from this development. Previously, the same people were complaining that the ICO hadn’t launched a massive campaign, as if it was the regulator’s duty to whip up the public mood to help them sell their software.

The idea of GDPR prompting an avalanche of Subject Access requests isn’t new – Certified GDPR Practitioners and other salesmen have been confidently predicting it for a while, building the fantasy on rather shaky foundations. One false notion is that abolishing the fee for SARs and other data protection rights will open the floodgates. GDPR does abolish the fee, but many organisations do not charge it now, so it’s unlikely to make a difference to the number of requests they receive. Someone I trained this week gets 4000 a year, so the idea that receiving lots of requests will be new to many organisations is either ill-informed nonsense or a sales pitch. It’s only people who have no experience of Data Protection who think that a high volume of requests is novel.

Another claim is the PPI-style onslaught of compensation claims that the SARnami will supposedly bring. The problem with this is the flawed comparison between PPI and Data Protection. I’ve said this dozens of times, and I’ll say it again: PPI was widely and aggressively mis-sold. Most PPI claims were valid, and if the banks / financial institutions fought the claims, they would usually have lost. The process for a DP claim is first, establish that there has been a breach of GDPR / DP; second, establish evidence of some adverse effect; third, sue and hope to persuade a judge that the adverse effect is worth compensation. That’s a tall order.

Of course, many businesses may choose not to contest these claims, and that may fuel SARs and other rights requests. In my opinion, if a business gets bogus DP claims and settles them because it’s easier or cheaper, they’re contributing to an unhealthy culture and making it harder to implement DP sensibly for everyone. It’s instructive to see what happens when claimants actually get into court and what a balls-up they make of it: this should happen more often. If data controllers take a robust approach with cack requests and dare the Commissioner to do something about it, it’s not hard to imagine what would happen (and if you think it’s FINEmageddon, you’re reading the wrong blog, friend).

The worst example of this scaremongering is the SAR as DDoS attack. I remember this bollocks from the days when I worked at the Information Commissioner’s Office and the rumour spread that FOI would be used as a tool to disable public authorities. Admittedly, Walberswick Parish Council was temporarily knocked over by a persistent FOI campaign, but what happens in Parish Councils is not a reliable guide to anywhere except Parish Councils. Now, a variety of IT and risk management companies have returned to the theme. Only this weekend, Matt Hodges-Long was predicting SAR DDoS attacks as soon as May comes. In a coincidence that no screenwriter would accept as plausible, Mr Hodges-Long happens to be CEO of a company that sells risk management software that might help businesses cope with such attacks.

I know, right?

Think for a moment about how a SAR DDoS would work. In Mr Hodges-Long’s scenario, imagine thousands of data subjects deciding to submit a ‘single’ request to a company on the same day. How would this work? Firstly, someone would need to organise it. They would have to find thousands of people with the same grievance against the same organisation. Making a SAR isn’t the same as signing a 38 Degrees petition – you have to contact the data controller directly and ask for your information, so it’s a lot more than just filling in a form. The organiser would either have to coordinate the activity themselves, which would require obtaining proof of consent and proof of ID from every applicant (otherwise they would likely be breaching GDPR themselves), and then send the 1000s of requests, or they would have to issue clear instructions to all of the 1000s of people to ensure that they all did it at the same time.

GDPR requires the data controller to check ID when dealing with a request, so if suddenly 1000s of requests arrive en masse, if the data controller just BCCs them all asking for proof of ID, every single request is automatically invalid. GDPR also allows the data controller either to charge or refuse a request if it is manifestly unfounded or excessive. Imagine the amount of time and organisation it would require to either make all requests on behalf of 1000s of people, or coordinate the making of these requests at the same time on the same day. Imagine doing so in secret, leaving no trace for the data controller to find online. If a request has only been made for the purpose of attacking the organisation, and the controller can show evidence for this, what possible foundation could the request have?

I believe that if a campaigning organisation decided to use SARs as a method of DDoS, the data controller could refuse them all as excessive or unfounded (or both) and dare the Information Commissioner to do anything about it. Bear in mind that this is the same Commissioner who found systematic failure to answer subject access requests in the Ministry of Justice, and gave them almost a year to clear them up. They also sneaked the notice out just before Christmas without a press release, in one of the more shameful episodes of this generally unedifying period for Data Protection. If you think this same regulator is going to take the side of anyone using GDPR rights as a way to attack data controllers for the sake of it, you are either an idiot or you’re selling something.

GDPR will change things. There will be more requests of the type we already get, and requests that we don’t currently get. For the mischievous, there is ample scope to use GDPR to take pot-shots at organisations. I’m going to do it myself. But the idea that we’re teetering on the brink of a World War SAR is hype to sell software. Anyone who tries it deserves to get called out and right-thinking people should shun their products in favour of a sensible, measured approach of deleting irrelevant data, improving retention policies, and developing / embedding / sustaining slick and robust rights procedures. Knowing where your data is, who will look for it when asked to and how they will look will pay off much more than a tool that you probably don’t need.