Role playing

A few weeks ago, the Data Protection world was shaken by a decision from the Belgian DP Authority to fine an organisation €50,000 after they appointed their Head of the Compliance, Risk Management and Audit department as their Data Protection Officer. I’ve commented before about my frustration that too many organisations are unable to comprehend the independence and relative freedom of the DPO role as anything other than a senior-level job – in such places, the role is a DPOINO, a Data Protection Officer In Name Only, with a younger, more junior but much more expert person actually carrying out the role. The DPOINO in these organisations is usually a middle-aged white man, and the real DPO is a younger woman. I imagine you are shocked to read this.

The Belgian decision is not ridiculous – it is difficult for someone in a senior position to escape decisions about hiring and firing (for example) or system design, activities that risk dragging the incumbent into determining the purposes. If the DPO was less senior, even in the same department, the risk of conflicts of interests would be lower. There are better, more imaginative models, but I think seniority is always fatal. Needless to say, some commentators have drawn more other conclusions.

Writing for Scottish Housing News, Daradjeet Jagpal questioned whether it was time for his audience (Registered Social Landlords in Scotland) to review their DPO appointments. Despite this being a single case in a foreign jurisdiction with tenuous direct application to a non-EU country like the UK, Jagpal fell back on the consistency mechanism, and warned his readers that the ICO might adopt the same approach, skipping over the fact that Wilmslow’s approach to the GDPR has been to go to sleep. A quick survey of the possible candidates – mainly heads of various RSL departments – do not make the grade for Jagpal, and rather patronisingly, he dismisses the idea that a Corporate Services Officer would be “comfortable or sufficiently confident to challenge the CEO on non-compliance“. Take that, many DPOs who I know and love.

Jagpal comes to the conclusion that “The obvious solution is for RSLs to appoint an external DPO” which is remarkable, given that Jagpal is described in the article as “a leading provider of outsourced DPO services to RSLs across Scotland“. I’m not suggesting that he’s is over-egging the Belgian decision for nakedly commercial purposes, but he does place weirdly heavy emphasis on EU standards and pressures which are clearly either dead or dying for Brexit Britain, and he barely entertains the idea that Scottish RSLs might just appoint a DPO in-house.

To be fair, the Belgian decision is a real thing that happened, and while I disagree with Jagpal’s assessment of its implications, he’s accurately described the situation. The same cannot be said of everyone in the outsourced DPO sector. In a webinar hosted by everyone’s favourite LinkedIn spammers, Data Protection World Forum, the CEO of The DPO Centre, Rob Masson decided to get creative. Masson spoke of the “quite strict guidelines” (AKA legal requirements) about who can be a DPO and the importance of avoiding conflicts of interest. He went on to say “we’ve got to remember that the role of the Data Protection Officer is to represent the needs of the Data Subjects. It’s not necessarily to represent the needs of the organisation.”

None of the specified DPO tasks refer to data subjects. They require a DPO to advise the organisation on data protection matters, monitor its compliance with the GDPR and other laws, advise on and monitor the effectiveness of data protection impact assessments, and liaise with the Information Commissioner’s Office. If you wanted to be exceptionally generous to Masson, you could interpret the whole of the GDPR as reflecting the needs of data subjects to have their personal data properly regulated, and from there spin the DPO’s role as a facilitator of that. But that’s also nonsense. It’s as much in the interests of an organisation that the personal data they use is accurate and secure as it is for data subjects. The GDPR sometimes allows controllers to retain data despite a subject’s objection, to keep processing secret from them when it might prejudice certain purposes, and to balance their own wish to use data against the impact on the subject, deciding to use it without consent when they think they’ve assessed the situation properly.

If we’re talking about the needs of the organisation, I’d argue that most of the GDPR’s requirements reflect the needs of the controller. Some organisations are too lazy or stupid to see it, or they’re getting advice from the wrong people. It might seem like disposing of personal data that you genuinely don’t need any more is an unwelcome imposition, but it’s very much the healthy option. To use Masson’s own word, GDPR is the spinach that the organisation *needs*, even if it might prefer the Big Mac and Fries of not thinking about it.

A77 gives the subject the “right” to lodge a complaint with the relevant supervisory authority. A39(1)(a) says that the DPO “shall” inform and advise the organisation of their obligations. Contrast these provisions with the words in A38(4), the only element of the DPO articles that refers to subjects: “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.” This obviously means that the DPO ought to be accessible to data subjects (one of my objections to senior DPOs is that they won’t go for this), but it also shows Masson’s version to be fantasy. There is no right to reply, no hint that the DPO is the subject’s advocate or representative. They’re at best a conduit for concerned subjects.

Obviously, the DPO isn’t just the loyal servant of the organisation, and they have to reconcile being an employee and an independent advisor. I disagree with Jagpal’s dismissal of junior officers as being capable of standing up to CEOs because I know so many who do it regularly. But he’s reflecting a real problem that many DPOs face. If the senior people don’t want to take the DPO’s advice, they are in an invidious position. Until the ICO shows that it is willing to back DPOs in these kinds of situations, it’s going to remain a precarious and stressful job for those facing unsympathetic management. Masson’s characterisation can only make this worse, feeding a perception that the DPO is not even there to help the business, but to pursue the interests of data subjects. Subjects come in all shapes and sizes, but some of them are hostile, difficult and aggressive, and telling a CEO who already doesn’t take data protection seriously that their DPO represents these people’s interests is toxic. This snake-oil may seem slick on a bullshit webinar, but if this unhelpful message reaches workplaces with already unsympathetic management, it’s going to make the work of beleaguered DPOs even harder.

I wonder if it’s a coincidence that Masson’s misreading of the GDPR could benefit his business – if the DPO really is there to serve the needs of the data subject, doesn’t an external figure make more sense than an in-house officer who won’t be doing what you want them to do anyway? There’s nothing in the GDPR that would make you think that this version of the DPO is correct, so it has to come from somewhere. If that’s it, rather than simple ignorance, I wonder if Masson has the guts to try to hawk this stuff in a forum where people might actually challenge him.

At this point, you might be thinking, so what? People talk shite to get business. They predict SARmageddons. They shout about 4% of annual turnover fines. They claim that first-tier decisions in Belgium should make you change your DPO.  Does it matter? Doesn’t every sector have its share of hype and froth? The answer is that I have to work in this one, and I think the truth matters. I also have to clean up other people’s bullshit. I have to overcome the hype and the scaremongering spread around by the other people in my industry. I know the popular mantra is that commercial folk should all be pitching in and helping each other, but by spreading misinformation, the likes of Rob Masson are already not doing that, so why should I?

The Information Commissioner’s Office isn’t going to enforce against organisations with an imperfect DPO choice – perhaps they should, but they won’t. They’ve done one GDPR fine in two years and I doubt we’ll see another one in 2020. Sidelined by government in the coronacrisis, facing a review from the DCMS (pointedly not postponed despite the pandemic) and humiliated by the collapse of multiple high profile actions, the ICO is an irrelevance. I’ll be surprised if they survive in their current form. The reason to choose the right DPO is that an independent, challenging person in the role will help organisations to make intelligent decisions that will build a culture of more secure, more accurate, more effectively used data. The DPO isn’t the voice of the subjects, they’re a valuable asset there to guide and assist the organisation. I won’t sell a single course place by saying so, but that doesn’t make it any less true.

 

SARmaggedon Days Are Here Again (Again)

Reading my emails, a headline leapt out at me: “The hidden cost of GDPR data access requests“. It led me to BetaNews, a website that looks like it is trapped in 1998, and a story describing research into SARs commissioned by Guardum, a purveyor of subject access request handling software. A sample of 100 Data Protection Officers were consulted, and you’ll never guess what the research uncovered.

SARs, it turns out, are time consuming and expensive. I award 10 GDPR points to the Guardum CTO for knowing that SARs weren’t introduced in 2018, but I have to take them away immediately because he goes on to claim that “There has also been a marked change in the way that lawyers are using DSARs as part of the data discovery process.” Apparently, lawyers are using SARs now. Imagine that. The article goes to say that “Fulfilling DSARs can involve finding, compiling and redacting data in digital and paper format across multiple departments both on company networks and in the cloud.“. There’s also a bit of a spoiler about whether the Pope is a Catholic.

According to Guardum, the average cost of a SAR is £4,884.53, the average DPO receives 27 SARs a month, and each one takes an average of 66 working hours to deal with. The article didn’t explain how these figures were arrived at, so I eagerly clicked the link to visit Guardum’s website for the full results. What I found was a fountain of guff. Strip out the endless bar and pie charts, and what Guardum wants to say is that 45% of the DPOs surveyed would like to automate some of the process because of a predicted landslide of SARs, provoked by angry furloughed and sacked staff.

I’m not sure about the logic of this – I can understand that everyone who loses their job will be upset and probably angry, and I’ve certainly dealt with lots of SARs related to a suspension or dismissal. But in those cases, the action taken was personal and direct – an individual was singled out by the employer for the treatment in question. I don’t see why people losing jobs in a pandemic will be so determined to send a SAR. It’s not like the reason for their predicament is a mystery.

The survey questions are opportunistic at best, and at worst, seem designed to allow Guardum to paint this picture of anxious DPOs uncertain about how they’re going to handle the post Covid-19 SARmageddon that the company is evidently desperate for. 75% of respondents are described as having difficulties dealing with SARs during the lockdown, though this actually translates as good news. 72% are coping but expect a SAR backlog when they get back to the office, while just 3% fearing a ‘mountain’ of requests. The headline on one slide is that 30% anticipate a ‘massive’ increase in SARs, but the reality is 55% expect the same as before and 15% think they’ll get less. 73% supposedly think that furloughed or laid off staff will be a ‘big factor’ in the predicted increase, even though the breakdown shows that only 20% think it will be the single biggest factor. To emphasise, these are requests that haven’t happened yet. The people who say that they will are the ones flogging the software to deal with the problem.

So far, so what? Guardum have software to sell and a cynical pitch about Covid-19 to achieve that. Does it matter? In the grand scheme of things, no, it doesn’t. I’m probably not the only person currently experiencing a crash course in What’s Really Important. But in the micro scheme of things, bullshit deserves to be called out, especially when it’s designed to exploit a crisis that’s causing misery and death across the world. Many of the revelations in this survey are staggeringly banal – nearly 50% of people find tracking the data down across multiple departments to be a slog, while 63% have to search both paper and electronic records. Who with any experience in Data Protection would think it was worth pointing this out? Meanwhile, the assertions about how long a SAR takes or how much it costs are wholly unexplained. It’s meaningless to claim that the mean cost of a SAR is £4,884.53 if you don’t explain how that was calculated (inevitably, the CTO is touting this figure on LinkedIn).

Guardum aren’t necessarily the experts at Data Protection that they might have us believe. For one thing, despite being a UK company, both the survey results and their website exclusively refer to ‘PII’ rather than personal data. For another, part of the criteria for participating in the survey was that the DPO needed to work for a company with more than 250 employees. This was, for a time, the threshold for a mandatory DPO but despite being changed, some dodgy training companies and consultants didn’t notice and ran courses which highlighted the 250 figure even when it was gone. Most importantly, nearly half of the people who responded to the survey don’t know what they’re doing. The survey was purportedly targeted at DPOs, but 44% of respondents are identified as being in ‘C-level’ jobs – perhaps this is to give a veneer of seniority, but C-level jobs are precisely the senior roles that are likely attract a conflict of interests. Guardum talked to people in the wrong jobs, and apparently didn’t realise this.

The ‘About’ page of Guardum’s website proclaims “Guardum supports privacy by design – where data privacy is engineered into your business processes during design rather than as an afterthought“, but the execution is less confident. There is a questionnaire that shows how much an organisation can save by using the Guardum product, but when you complete it, you have to fill in your name, company and email to get the results, and there’s no privacy policy or transparency information about how this information will be used. Moreover, if you try to use the contact form, clicking on the link to the terms and conditions results in ‘page not found’.

I have to declare my bias here – I don’t believe that any ‘solution’ can fully deal with the SAR response process, and I think people who tout AI gizmos that automatically redact “PII” are probably selling snake oil. Some of the SAR grind comes in finding the data, but a lot of it is about judgement – what should you redact? How much should you redact? Anyone who claims that they can replace humans when dealing with an HR, mental health or social care is writing cheques that no product I have ever seen can cash. So when I land on a website like Guardum’s, my back is up and my scepticism is turned all the way up. It would be nice if once, I saw a product that wasn’t sold with bullshit. But not only is Guardum’s pitch heavy with management buzzwords, they’re using fear as a marketing tool. Just last week, they ran a webinar about weathering the ‘Post Pandemic DSAR Storm‘.

Guardum claim that they provide “the only solution that can fully meet the DSAR challenge of responding in the tight 30-day deadline, giving you back control, time and money that are lost using other solutions“. Nowhere do they mention that you can extend the deadline by up to two months is a request is complex (and many are). But even if their claims are true, why do they need to sell their product via catastrophising? If their expertise goes back to the 1984 Act, why are they calling it PII and talking up the opinions of DPOs who are in the wrong job? Why oversell the results of their survey? Why hide the basis of the hours and cost calculations on which is all of this is being flogged?  And what on earth is a ‘Certified Blockchain Expert‘?

The future post-Covid is an uncertain place. I find the utopianism of some commentators hard to swallow, partly because people are still dying and partly because the much-predicted end of the office will have career-changing consequences for people like me. But at least the LinkedIn prophets are trying to explore positives for themselves and others in an undeniably grim situation. The people running Guardum seem only to want scare people into getting a demo of their software. If one is looking for positives, the fact that the ICO has waved the white flag means that no organisation needs to be unduly concerned about DP fines at the moment, and despite some of the concerns expressed in Guardum’s survey, nobody in the UK has ever been fined for not answering a SAR on time. The old advice about deleting data you don’t need and telling your managers not to slag people off in emails and texts will save you as much SAR misery as any software package, and I can give you that for free.

Actually Asked Questions II

Last year, I wrote a blog asking for questions from fundraising and charity professionals about Data Protection for a guide that I was writing. Despite something of a lull between asking and delivering the guide, those ‘Actually Asked Questions’ were one of the things I thought worked best. It was great to include real questions from real, lovely people.

I am doing it again. This time, the guide I am writing is shorter and more focussed than the charity one, although it is not for charities, but for any data controller. The subject is choosing a company to provide your Data Protection Officer (AKA DPO as a Service). Most organisations that need a DPO will recruit a staff member, and to be honest, that’s what I consider to be the wisest choice. Nevertheless, the GDPR plainly allows data controllers to hire DPOs under contract, and many so-called GDPR experts and companies are offering themselves as DPOs on Demand. I am writing a short practical guide, containing questions and tips for anyone who is thinking of hiring a company to provide DPO as a Service. What should you look for? What should you avoid? How do you spot the cowboys? What questions should you ask?

FULL DISCLOSURE: I am not going to be a DPO for hire, either by myself or via any organisation. I have turned down several organisations already (two in particular who know they are and that I adore). This is not a way to get you to hire me, although an organisation did have me on the interview panel for their DP officer role recently, and I WOULD SNATCH YOUR HAND OFF TO DO THAT AGAIN.

What I would like to know is this: are there any questions you have about DPOs as a service, or hiring a DPO generally? If possible, I will extend the text to be a general guide to getting a DPO internal or external, but at the moment, I have more material on the external side than the internal side.

Send me a question, send me an issue you’d like to see someone talk about, send me anything you’d like a smart-arse to think about when writing a guide like this. You will not be mentioned in the guide unless you want to be, and the guide will be free to anyone who wants it.

SEND ME YOUR QUESTIONS HERE: tim@2040training.co.uk

DEADLINE: September 30th 2017

If you approve of this endeavour and would like to promote it, please do.