SARpocalypse Now

As expected, the Information Commissioner has announced that her office will be running a campaign promoting GDPR rights to members of the public. As anyone could have predicted, some of the excitable GDPR community on LinkedIn are now working themselves up into a lather about the ensuing SARmageddon that will ensue from this development. Previously, the same people were complaining that the ICO hadn’t launched a massive campaign, as if it was the regulator’s duty to whip up the public mood to help them sell their software.

The idea of GDPR prompting an avalanche of Subject Access requests isn’t new – Certified GDPR Practitioners and other salesmen have been confidently predicting it for a while, building the fantasy on rather shaky foundations. One false notion is that GDPR abolishes the fee for SARs and other data protection rights. It does, but many organisations do not charge the fee now so it’s unlikely it will make a difference to the number of requests they receive. Someone I trained this week gets 4000 a year, so the idea that receiving lots of requests will be new to many organisations is either ill-informed nonsense or a sales pitch. It’s only people who have no experience of Data Protection who think that a high volume of requests is novel.

Another claim is the PPI-style onslaught of compensation claims that the SARnami will supposedly serve. The problem with this is the flawed comparison between PPI and Data Protection. I’ve said this dozens of times, and I’ll say it again: PPI was widely and aggressively mis-sold. Most PPI claims were valid, and if the banks / financial institutions fought the claims, they would usually have lost. The process for a DP claim is first, establish that there has been a breach of GDPR / DP; second, establish evidence of some adverse effect; third, sue and hope to persuade a judge that the adverse effect is worth compensation. That’s a tall order.

Of course, many businesses may choose not to contest these claims, and that may fuel SARs and other rights requests. In my opinion, if a business gets bogus DP claims and settles them because it’s easier or cheaper, they’re contributing to an unhealthy culture and making it harder to implement DP sensibly for everyone. It’s instructive to see what happens when claimants actually get into court and what a balls-up they make of it: this should happen more often. If data controllers take a robust approach with cack requests and dare the Commissioner to do something about it, it’s not hard to imagine what would happen (and if you think it’s FINEmageddon, you’re reading the wrong blog, friend).

The worst example of this scaremongering is the SAR as DDoS attack. I remember this bollocks from the days when I worked at the Information Commissioner’s Office and the rumour spread that FOI would be used as a tool to disable public authorities. Admittedly, Walberswick Parish Council was temporarily knocked over by a persistent FOI campaign, but what happens in Parish Councils is not a reliable guide to anywhere except Parish Councils. Now, a variety of IT and risk management companies have returned to the theme. Only this weekend, Matt Hodges-Long was predicting SAR DDoS attacks as soon as May comes. In a coincidence that no screenwriter would accept as plausible, Mr Hodges-Long happens to be CEO of a company that sells risk management software that might help businesses cope with such attacks.

I know, right?

Think for a moment about how a SAR DDoS would work. In Mr Hodges-Long’s scenario, imagine thousands of data subjects deciding to submit a ‘single’ request to a company on the same day. How would this work? Firstly, someone would need to organise it. They would have to find thousands of people with the same grievance against the same organisation. Making a SAR isn’t the same as signing a 38 Degrees petition – you have to contact the data controller directly and ask for your information, so it’s a lot more than just filling in a form. The organiser would either have to coordinate the activity themselves, which would require obtaining proof of consent and proof of ID from every applicant (otherwise they would likely be breaching GDPR themselves), and then send the 1000s of requests, or they would have to issue clear instructions to all of the 1000s of people to ensure that they all did it at the same time.

GDPR requires the data controller to check ID when dealing with a request, so if suddenly 1000s of requests arrive en masse, if the data controller just BCCs them all asking for proof of ID, every single request is automatically invalid. GDPR also allows the data controller either to charge or refuse a request if it is manifestly unfounded or excessive. Imagine the amount of time and organisation it would require to either make all requests on behalf of 1000s of people, or coordinate the making of these requests at the same time on the same day. Imagine doing so in secret, leaving no trace for the data controller to find online. If a request has only been made for the purpose of attacking the organisation, and the controller can show evidence for this, what possible foundation could the request have?

I believe that if a campaigning organisation decided to use SARs as a method of DDoS, the data controller could refuse them all as excessive or unfounded (or both) and dare the Information Commissioner to do anything about it. Bear in mind that this is the same Commissioner who found systematic failure to answer subject access requests in the Ministry of Justice, and gave them almost a year to clear them up. They also sneaked the notice out just before Christmas without a press release, in one of the more shameful episodes of this generally unedifying period for Data Protection. If you think this same regulator is going to take the side of anyone using GDPR rights as way to attack data controllers for the sake of it, you are either an idiot or you’re selling something.

GDPR will change things. There will be more requests of the type we already get, and requests that we don’t currently get. For the mischievous, there is ample scope to use GDPR to take pot-shots at organisations. I’m going to do it myself. But the idea that we’re teetering on the brink of a World War SAR is hype to sell software. Anyone who tries it deserves to get called out and right-thinking people should shun their products in favour of a sensible, measured approach of deleting irrelevant data, improving retention policies, and developing / embedding / sustaining slick and robust rights procedures. Knowing where your data is, who will look for it when asked to and how they will look will pay off much more than a tool that you probably don’t need.


Checks and balances

A while ago, I was asked by a prospective client to provide a criminal records check before getting a big piece of work. Given that I wouldn’t be handling any personal data or getting access to children or other vulnerable people, it seemed like overkill. The awkward part of me wanted to suggest that the requirement was close to being an enforced subject access request, which would be a criminal breach of Data Protection law. Enforced subject access requests occur where a person is obliged to provide a data controller with the result of a subject access request for criminal records in return for employment or a service.

Then I looked at the number of days’ work they were offering and the pragmatic part of me kicked in. I don’t have a criminal record, so I applied for and sent them a disclosure certificate saying so. It occurred to me that if I tried to make an issue of principle out of it, it might look like I had something to hide. I imagine it’s a terrible situation to be in if you have got a record and are trying to move on, but to be selfish, I don’t and it seemed odd to create the impression that I might have. And I wanted the work.

Last week, a prosecution by the Information Commissioner against the insurance company Hiscox for the enforced subject access offence collapsed. A customer, Irfan Hussain, was attempting to claim on a £30,000 watch he had lost, and Hiscox wanted to see his criminal record before paying out. He refused, and complained to the ICO. The case collapsed when the unlucky horologist was too unwell to give evidence.

I can’t help thinking that this was an odd choice for a prosecution. Even if Hiscox tried to force their customer to provide his information, was this unreasonable? He had already stated that he had no criminal record (according to the FT), so all Hiscox were apparently asking him to do was prove that what he had said was true in the light of his claim. The means by which they proposed to do it might technically have been an enforced subject access request, but there’s surely a difference between something technically being an offence and it being worth mounting a prosecution on it. The provisions contain a public interest defence, and Hiscox’s public comments after the trial suggest that this was their strategy. I suspect it might have worked. Especially as this seems to be the ICO’s first attempt at an enforced subject access case, was this really the best place to start?

The business of criminal records checks overall works in mysterious ways. Hiscox are reported to have asked Mr Hussain to make a subject access request to the Criminal Records Office, which is run by the National Police Chief’s Council. This is not the same as applying to the Disclosure and Barring Service or Disclosure Scotland for a certificate or a disclosure, but having been through the process, I have to admit that I am somewhat confused at the difference.

To get my disclosure, I made a written application, proved my identity and then paid a fee to receive a copy of personal data that related to me, or confirmation that no such information was held. The basic check comes through faster than a subject access request (about 2 weeks, although mine came in matter of a few days) but it’s also more expensive (£25). In my case, nothing was held but that’s neither here or there. There is statutory provision for access to this information via the Criminal Records Bureau set out in the Police Act 1997, replaced by the Disclosure and Barring Service in 2006 via the Safeguarding Vulnerable Groups Act 2006. Someone is going to tell me that applying for a certificate is different to applying for subject access, but that raises some questions. If Hiscox had told Mr Hussain to apply for a certificate like I did, it’s exactly the same outcome – a person is obliged by a data controller to obtain information about their criminal history and then cough it up – but if it’s not subject access, no prosecution could be possible.

An individual can obtain a basic check that shows their unspent convictions and cautions, both of which are listed as a relevant record in the DPA section that creates enforced subject access. The ICO’s guidance doesn’t explain the position if a person was forced to ask for a basic check. That check might not give everything that a data controller might want, but it’s full information about a person’s recent criminal history. If obliging someone to ask for a basic check isn’t enforced subject access, it’s a loophole. But if a basic check is essentially a subject access request by another name, it shouldn’t be £25 now, and it should be free after May 25th.

It’s clear that the DBS doesn’t think that forcing an individual to ask for a basic check would be enforced subject access or illegal in some other way because their website says this:

You can’t carry out a basic check as an organisation – you must ask the person to request their own basic DBS check. A basic check shows unspent convictions and cautions.

This implies that asking a person to carry out a basic check when you can’t make an application yourself is acceptable, even though these are very likely to be circumstances where a person can’t meaningfully refuse. There are no warnings about compulsion during the application process via the DBS website. So why is a subject access request to ACRO magic, acceptable only when uncontaminated by duress, but a basic check isn’t? The amount of data disclosed isn’t exactly the same, but the outcome – being forced to disclose your criminal history when it might be unnecessary or excessive to do so – might be identical.

It took a long time (from 1998 to 2015) for enforced subject access to be fully enacted. Now it’s in force, the Hiscox case doesn’t give cause for optimism that anything will change. I have doubts about whether it was a good idea to prosecute Hiscox, but I have heard first hand terrible stories over the years about data being demanded when it should not have been. Having used the system, the way in which criminal records are made available gives me little confidence that such unnecessary and unfair demands for personal data are properly prevented. After the failure of the Hiscox case, even if only because of an ill-timed illness, the ICO needs to go in again and draw a line somewhere.

Unambiguously yours

There’s an old joke about a tourist in Ireland asking for directions and getting the reply ‘If I was you, I wouldn’t start from here’. To anyone in the position of wondering whether to contact all of the people on their mailing list to get GDPR-standard consent to send marketing, fund-raising or promotional emails and texts, I can only say this: I wouldn’t start from here.

With apologies to regular readers who already know (there must be six of you by now), the problem comes because most of the people advising on the solution don’t seem to know what the problem is. They think that the General Data Protection Regulation makes a significant change to the nature of consent from what is required now, and so they tell their clients and employers that there is an urgent need to carry out a ‘re-consenting’ exercise. A memo has clearly gone out – a distinguished correspondent has sent me two examples of organisations sending out emails to get consent in the past week, and yesterday, the charity Stonewall used Valentine’s Day as a prompt to beg its supporters to ‘not leave us this way’. It was lovely, and it is probably an admission that Stonewall have been acting unlawfully since at least 2003, if not 1998.

Here’s the problem. The 1995 Data Protection Directive defines consent like this:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed


the data subject has unambiguously given his consent

If you’re new to this, read those sentences a few times. Think about ‘freely given’. Think about the consent being an ‘indication’, something by which the person ‘signifies’ their ‘agreement’. Think about ‘unambiguously given‘. If you think that this be interpreted as an opt-out, where are your car keys? Consent, according to you, is me taking your car keys and leaving you a legalistic note somewhere that says that unless you tell me not to borrow your car, I can borrow your car. Or because I borrowed it another time and you didn’t object, I can keep borrowing your car until you tell me not to.

This is nonsense. Consent cannot be inferred. It cannot be implied. A badly written opt-out buried in terms and conditions, consent assumed because I made a donation, the fact that you have my email address and you assume that I must have given it to you with my consent for marketing rather than (for example) you bought it from a list broker who launders dodgy data like drug money – none of these examples constitute consent. Consent is consent. You asked and I said yes. We all know what it means and to pretend otherwise is to lie so you can persuade yourself that you can spam people.

Yes, the GDPR adds a couple of things. It requires consent to be ‘demonstrable’. It states explicitly that consent can only be obtained by a ‘statement or by a clear affirmative action’. But if you claim that the absence of the above phrase in the Directive is any help to the opt-out model, you’re lying to yourself. An opt-out is inherently ambiguous, and the directive says that consent cannot be unambiguous. I might have misunderstood the wording (especially if the language was clunky or technical, which it often is), the data may have been obtained for a different purpose and the consent option is buried in terms and conditions, I might just have missed it or forgotten. The Directive is clear.

Jump ahead to the Privacy and Electronic Communications Regulations, based on Directive 2002/58/EC (often known the ePrivacy Directive). The definition of consent comes from the Data Protection Directive, and so if the ePrivacy Directive says you need consent, what you need is unambiguous, freely given, specific and informed consent. The ePrivacy Directive is enacted by the Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR (which all good people pronounce as ‘Pecker’ and revel in the opportunities that doing so affords them).

PECR makes life even harder for the opt-outers. For emails, PECR says that the recipient must have “previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender“. If you think that a person can ‘notify’ you by not doing something (i.e. not opting-out), once again, where are your car keys?

Surprisingly given all the execrable practice to which the Commissioner happily turns a blind eye, Wilmslow fired a shot across everyone’s bows with three enforcement cases last year. Morrisons and Flybe are to some extent red herrings as they deliberately targeted people who had explicitly opted out of receiving direct marketing, so when the companies emailed them asking them to opt back in, it was plainly bullshit. The Honda case is more interesting, in the sense that Honda ignored everyone who had opted in (because they’d opted in) and everyone who had opted out (naturally). They contacted people where they didn’t know either way, where they held no evidence of consent. Despite the fact that in all three cases, the contact itself wasn’t selling anything, all were sent for marketing purposes, and here, the ICO argued that the organisations didn’t have consent for sending emails for marketing purposes. It’s been argued by idiots that all Honda were trying to do was comply with GDPR, but that’s patently false. They were trying to pack out their marketing list before a perceived change in the law (GDPR) while ignoring another law that was just fine thanks (PECR).

And now we come to the payoff. If Stonewall (and all the others) have consent to send fund-raising emails, they don’t need to ask again. If they don’t have freely given, specific, informed and unambiguous consent, they shouldn’t be sending emails for marketing purposes now, even if the purpose is to ask for consent from people who are happy to give it because the email is inherently unlawful. It wouldn’t be unlawful for Stonewall to write to all of its supporters and ask them for consent, because post isn’t electronic so PECR doesn’t apply. I would say that there is plainly a legitimate interest for them to use post to ask people for permission to send fund-raising and promotional correspondence by email, so there is no GDPR problem.

The problem with a re-consenting exercise is that the organisation is basically admitting to a PECR breach. The problem is exacerbated by doing that re-consenting exercise by email, because as Honda have demonstrated, doing so is in itself a breach of PECR. People complained to the ICO about the Honda emails, which is why they enforced. If you do a re-consenting exercise by email, anyone irritated enough by the request may well complain. Then what?

So what do I think organisations should do in the light of all this? Well, I wouldn’t start from here. But ignoring the law for a moment, this might be a time to be pragmatic. If you send people content that they want and you don’t annoy them (email being less annoying and distracting than phone or text in my opinion), if you have nice big bright unsubscribe buttons, and if YOU RESPECT BLOODY UNSUBSCRIBE REQUESTS (Hello Daily Telegraph), what’s the risk? Why draw attention to yourself?

I am convinced that sending emails to people who haven’t opted-in is unlawful unless you’ve got the soft opt-in (which because it’s predicated on data gathered through a sale, most charities won’t have). But many organisations have been content to do that for years despite it being unlawful now. So what’s actually changing? I think everyone should comply with the law because privacy – the right to be left alone – is a vital foundation for a civilised society. But if you’re sitting on a mailing list and you’re not sure what to do with it, I would forgive you if you took a slower, longer path, taking every natural opportunity to get renewed consent from existing contacts, getting strong unambiguous consent from anyone new, and hoping that churn and natural wastage gets you where you need to be. And if you’re wrestling with this right now and you’ve read this far, good luck and best wishes.

Stinking Badges

The list of things that annoy me about the explosion of hype and bullshit around GDPR is long and boring (NOTE TO SELF: this list should be a blog post of its own). I cannot say that top of the list are those badges that folk give their products, boasting about being “GDPR Ready”, or “GDPR Compliant” when nobody actually knows what being ready or compliant looks like, but they’re top five.

Screen Shot 2018-01-16 at 21.45.42.png

I was complaining about this on Twitter, and lovely people who enjoy seeing me annoyed started to send me examples of these badges from across the internet. It is via this route that I came to Emailmovers, a data broker who make luxurious claims about their data and its relationship to the GDPR.

Not only do Emailmovers have a badge, they claim to have been working closely with both the Direct Marketing Association and the Information Commissioner’s Office on GDPR issues. Indeed, until someone kicked up a fuss about it, Emailmovers had the Information Commissioner’s logo on their website. The logo has gone now, but if you work out where it was and click, there is an invisible link to the ICO’s website where it used to be.

Emailmovers certainly put up a strong case about the nature of the data they’re selling:

1) We are clear with individuals why we need their data at the point of collection
2) We always use clear and concise language appropriate for our target audience
3) We give individuals control over their data. They are always able to decide whether to share their personal data with us or not
4) Under the GDPR principle accountability, Emailmovers is able to demonstrate that we are compliant. We always record the legal grounds for processing an individual’s personal data

I can’t say that any of this is untrue, although I am sceptical. Generally, I think that the data broking industry is irredeemable, incapable of operating lawfully either now or in the future. The data broker acquires data, accumulates and appends it, and then sells it to clients. This is the opposite of fair. However, and wherever the data was obtained from, whatever transparency or fair processing was given to the subject, it would be vague. It could not say which specific organisations would receive the data, and often, it could not even say which sectors. The data broker does not know – they sell to whoever is buying. This kills consent – which was supposed to be informed and specific since 1995 – and it kills legitimate interest. How can you assess the effect on the subject if you don’t know when obtaining the data what you’re going to do with it? If a data broker obtained individual email data under legitimate interest, they couldn’t sell it on for marketing purposes, because the client will not have consent to send the marketing in question by email.

None of this will stop the data broking industry from carrying on – when some of the biggest brokers are ICO stakeholders whose activities have gone unchecked for decades, it’s hard to imagine that the GDPR will make much of a difference.

Nevertheless, there was one thing about all this that I was able to check. I made an FOI request to the ICO asking about contact that Emailmovers had had with the Commissioner’s Office, particularly with the policy and liaison teams. If Emailmovers really had been working closely with the ICO, there would be evidence of this, right? The ICO’s response was revealing:

There was no direct contact between Emailmovers and our Strategic Liaison/ policy department concerning advice about GDPR.”

Emailmovers had made a couple of enquiries – ICO was too cautious to tell me what they asked, but they supplied the replies which offer no more than a simple (but accurate) explanation that business to business communications are covered by the GDPR, a brief observation that the ePrivacy Regulation is coming but we cannot be sure what it will say, and separately, a straightforward note that even corporate subscribers need fair processing. This is not working closely with the ICO – they asked a couple of questions and got short polite answers. There are no meetings, no detailed correspondence, nothing at all to suggest anything approaching the relationship they boast about here:

Screen Shot 2018-01-16 at 21.47.35

I can honestly say that I am in regular contact with the ICO about a variety of matters. It sounds good, but it’s true only because I nearly gave evidence in one of their prosecutions (they didn’t need me in the end), I make a lot of FOI requests to them, and I tweet at them almost daily.

I don’t accept that making a couple of enquiries equates to working closely with someone. The fact that Emailmovers make this claim on their website, and displayed the ICO logo prominently until recently makes me very uneasy about the other things they say. The GDPR sector is full of bullshit and exaggeration, fake certifications, hokey badges and bluster. As we near the supposed cliff edge of May 25th, we should all take the time to check every claim with great scepticism, and to treat the badge-toting hordes with the same caution that Humphrey Bogart treated a certain bogus Federale:


A month or so back, I saw a tweet inviting me to download a worksheet from a company called Intillery, who were selling some sort of consent management tool. I didn’t want the worksheet, but when someone is selling GDPR consultancy, it’s always interesting to see what the state of their own compliance is. I visited their website, and gave them a Gmail address to receive my copy of their worksheet. There was a separate privacy policy which referred to providing me with “information, products or services that you request from us or which we feel may legitimately interest you, where you have consented to be contacted for such purposes“. There was no reference to further information being sent, or consent for any marketing.

Needless to say, I have received several marketing emails from Intillery since downloading the worksheet. You might argue that I should expect to receive marketing in return for the worksheet, but these are allegedly GDPR consultants, and their own privacy policy talks about sending further information only with consent. You might equally argue that although they’ve screwed up the fair processing element, under PECR they don’t need my consent because the marketing was business to business. But that’s irrelevant, because I used a Gmail address for which I am an individual subscriber. Even if I did so deliberately, you’d expect people offering Data Protection services to be wise to this. You might, at a pinch, argue for the soft opt-in, but I am downloading a worksheet that is supposed to help me comply, not making an enquiry about Intillery’s services, and in any case, there is no opt-out on the page. The soft opt-in cannot apply. I checked to see whether Intillery has notified the Information Commissioner for the purposes of consultancy, but needless to say they haven’t.

One interesting thing on Intillery’s privacy policy was that they have a named Data Protection Officer, the self-styled “GDPR Guy” Carl Gottlieb, who is presumably carrying out the role as a DPO contractor, given that he is also still running his information security business. He did a notification for that in October, which is coincidentally when Jon Baines kicked off about the number of GDPR people who weren’t notified. I’ll give him the benefit of the doubt over the non-notification of his scrap metal business as it might be exempt. I can’t tell you what advice Mr Gottlieb has given to Intillery in his role as their DPO, but they’re touting themselves as capable of advising others on Data Protection, and they’re not even compliant themselves. You need the right person, whoever you are.

I could have written this blog about Axon, a company who have been regularly emailing me in breach of PECR since I downloaded their GDPR document, or a dozen others. The Data Protection People cold-called me, and were surprised when I mentioned the Corporate Telephone Preference Service to them. All of these folk purport to be capable of helping others in their Data Protection efforts but either they don’t know how to comply themselves, or it isn’t sufficiently important to them to bother. On Friday, I spent a very enjoyable day training a group of school headteachers and business managers. They took in a lot of information about the GDPR and Data Protection implications for their schools with good humour and a constructive attitude, but the Data Protection Officer requirement was a stumbling block. Very few schools need a full-time DPO. A small, well-run primary school will need a relatively small amount of DPO time to keep them on an even keel, but unless the Data Protection Bill / Act delivers them a miracle, they will be legally obliged to have a named DPO. It’s daft but it’s true.

I find it hard to picture how a school will find someone half-decent to support them in the sea of endlessly swirling bullshit that has engulfed the Data Protection world over the past couple of years. I have never been as busy as I am currently, and I have never had so much fun doing my job. But when I look up from the work I am actually doing to see what state the DP sector is in, I am ashamed to be associated with Data Protection. Everywhere you look, there is scaremongering hype, ridiculous claims about fines, about a SAR tsunami, claims about businesses closing and the ICO stalking the land like Godzilla. As many GDPR folk never tire of complaining, I do spend some of my time calling it out. I correct false claims. I draw attention to crap articles. I argue with LinkedIn bullshitters, who block me because they’re cowards.

But just as when I wandered into the charity sector with an (overly) critical eye, the same legitimate criticism has been levelled at me again. Why don’t you do something constructive? What some of these people mean (and what some of them have said to me privately) is “there’s plenty of money to be made here, why don’t you just let us take our piece?”. The problem with this is that I don’t care how much money anyone makes. I could charge more than I do. I could go for more lucrative work. I could do more work. My criticisms of the bullshitters is not motivated by money. If all I cared about was cash, I wouldn’t just have given up a substantial guaranteed income to work solely for myself in 2018. But some of the people who ask that question are sincerely motivated, and they mean the same thing that my charity critics meant – why don’t you *do* something.

In March, I published a guide for fundraisers on Data Protection. I will be updating that guide in the next month to cover GDPR and the DP Bill. In the meantime, I have written another guide, this time for those organisations seeking an external, contract-based Data Protection Officer. It is designed to help the small, non-expert organisation to choose the right DPO consultant. You can find it at this link, in the downloads section of my website.

I have several other guides planned for 2018 – if you have suggestions for things I might write given what I have done so far, you’re always welcome to let me know. I probably can’t do them all, but the folk who ask me the ‘constructive’ question in good faith make a good point, and I’d like to do my small part to clear the fog, and make a positive contribution. And for all those people who think I’m a dick for doing and saying things like this, don’t read the guide. You really won’t like it.