Unambiguously yours

There’s an old joke about a tourist in Ireland asking for directions and getting the reply ‘If I was you, I wouldn’t start from here’. To anyone in the position of wondering whether to contact all of the people on their mailing list to get GDPR-standard consent to send marketing, fund-raising or promotional emails and texts, I can only say this: I wouldn’t start from here.

With apologies to regular readers who already know (there must be six of you by now), the problem comes because most of the people advising on the solution don’t seem to know what the problem is. They think that the General Data Protection Regulation makes a significant change to the nature of consent from what is required now, and so they tell their clients and employers that there is an urgent need to carry out a ‘re-consenting’ exercise. A memo has clearly gone out – a distinguished correspondent has sent me two examples of organisations sending out emails to get consent in the past week, and yesterday, the charity Stonewall used Valentine’s Day as a prompt to beg its supporters to ‘not leave us this way’. It was lovely, and it is probably an admission that Stonewall have been acting unlawfully since at least 2003, if not 1998.

Here’s the problem. The 1995 Data Protection Directive defines consent like this:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

and

the data subject has unambiguously given his consent

If you’re new to this, read those sentences a few times. Think about ‘freely given’. Think about the consent being an ‘indication’, something by which the person ‘signifies’ their ‘agreement’. Think about ‘unambiguously given‘. If you think that this be interpreted as an opt-out, where are your car keys? Consent, according to you, is me taking your car keys and leaving you a legalistic note somewhere that says that unless you tell me not to borrow your car, I can borrow your car. Or because I borrowed it another time and you didn’t object, I can keep borrowing your car until you tell me not to.

This is nonsense. Consent cannot be inferred. It cannot be implied. A badly written opt-out buried in terms and conditions, consent assumed because I made a donation, the fact that you have my email address and you assume that I must have given it to you with my consent for marketing rather than (for example) you bought it from a list broker who launders dodgy data like drug money – none of these examples constitute consent. Consent is consent. You asked and I said yes. We all know what it means and to pretend otherwise is to lie so you can persuade yourself that you can spam people.

Yes, the GDPR adds a couple of things. It requires consent to be ‘demonstrable’. It states explicitly that consent can only be obtained by a ‘statement or by a clear affirmative action’. But if you claim that the absence of the above phrase in the Directive is any help to the opt-out model, you’re lying to yourself. An opt-out is inherently ambiguous, and the directive says that consent cannot be unambiguous. I might have misunderstood the wording (especially if the language was clunky or technical, which it often is), the data may have been obtained for a different purpose and the consent option is buried in terms and conditions, I might just have missed it or forgotten. The Directive is clear.

Jump ahead to the Privacy and Electronic Communications Regulations, based on Directive 2002/58/EC (often known the ePrivacy Directive). The definition of consent comes from the Data Protection Directive, and so if the ePrivacy Directive says you need consent, what you need is unambiguous, freely given, specific and informed consent. The ePrivacy Directive is enacted by the Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR (which all good people pronounce as ‘Pecker’ and revel in the opportunities that doing so affords them).

PECR makes life even harder for the opt-outers. For emails, PECR says that the recipient must have “previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender“. If you think that a person can ‘notify’ you by not doing something (i.e. not opting-out), once again, where are your car keys?

Surprisingly given all the execrable practice to which the Commissioner happily turns a blind eye, Wilmslow fired a shot across everyone’s bows with three enforcement cases last year. Morrisons and Flybe are to some extent red herrings as they deliberately targeted people who had explicitly opted out of receiving direct marketing, so when the companies emailed them asking them to opt back in, it was plainly bullshit. The Honda case is more interesting, in the sense that Honda ignored everyone who had opted in (because they’d opted in) and everyone who had opted out (naturally). They contacted people where they didn’t know either way, where they held no evidence of consent. Despite the fact that in all three cases, the contact itself wasn’t selling anything, all were sent for marketing purposes, and here, the ICO argued that the organisations didn’t have consent for sending emails for marketing purposes. It’s been argued by idiots that all Honda were trying to do was comply with GDPR, but that’s patently false. They were trying to pack out their marketing list before a perceived change in the law (GDPR) while ignoring another law that was just fine thanks (PECR).

And now we come to the payoff. If Stonewall (and all the others) have consent to send fund-raising emails, they don’t need to ask again. If they don’t have freely given, specific, informed and unambiguous consent, they shouldn’t be sending emails for marketing purposes now, even if the purpose is to ask for consent from people who are happy to give it because the email is inherently unlawful. It wouldn’t be unlawful for Stonewall to write to all of its supporters and ask them for consent, because post isn’t electronic so PECR doesn’t apply. I would say that there is plainly a legitimate interest for them to use post to ask people for permission to send fund-raising and promotional correspondence by email, so there is no GDPR problem.

The problem with a re-consenting exercise is that the organisation is basically admitting to a PECR breach. The problem is exacerbated by doing that re-consenting exercise by email, because as Honda have demonstrated, doing so is in itself a breach of PECR. People complained to the ICO about the Honda emails, which is why they enforced. If you do a re-consenting exercise by email, anyone irritated enough by the request may well complain. Then what?

So what do I think organisations should do in the light of all this? Well, I wouldn’t start from here. But ignoring the law for a moment, this might be a time to be pragmatic. If you send people content that they want and you don’t annoy them (email being less annoying and distracting than phone or text in my opinion), if you have nice big bright unsubscribe buttons, and if YOU RESPECT BLOODY UNSUBSCRIBE REQUESTS (Hello Daily Telegraph), what’s the risk? Why draw attention to yourself?

I am convinced that sending emails to people who haven’t opted-in is unlawful unless you’ve got the soft opt-in (which because it’s predicated on data gathered through a sale, most charities won’t have). But many organisations have been content to do that for years despite it being unlawful now. So what’s actually changing? I think everyone should comply with the law because privacy – the right to be left alone – is a vital foundation for a civilised society. But if you’re sitting on a mailing list and you’re not sure what to do with it, I would forgive you if you took a slower, longer path, taking every natural opportunity to get renewed consent from existing contacts, getting strong unambiguous consent from anyone new, and hoping that churn and natural wastage gets you where you need to be. And if you’re wrestling with this right now and you’ve read this far, good luck and best wishes.

Stinking Badges

The list of things that annoy me about the explosion of hype and bullshit around GDPR is long and boring (NOTE TO SELF: this list should be a blog post of its own). I cannot say that top of the list are those badges that folk give their products, boasting about being “GDPR Ready”, or “GDPR Compliant” when nobody actually knows what being ready or compliant looks like, but they’re top five.

Screen Shot 2018-01-16 at 21.45.42.png

I was complaining about this on Twitter, and lovely people who enjoy seeing me annoyed started to send me examples of these badges from across the internet. It is via this route that I came to Emailmovers, a data broker who make luxurious claims about their data and its relationship to the GDPR.

Not only do Emailmovers have a badge, they claim to have been working closely with both the Direct Marketing Association and the Information Commissioner’s Office on GDPR issues. Indeed, until someone kicked up a fuss about it, Emailmovers had the Information Commissioner’s logo on their website. The logo has gone now, but if you work out where it was and click, there is an invisible link to the ICO’s website where it used to be.

Emailmovers certainly put up a strong case about the nature of the data they’re selling:

1) We are clear with individuals why we need their data at the point of collection
2) We always use clear and concise language appropriate for our target audience
3) We give individuals control over their data. They are always able to decide whether to share their personal data with us or not
4) Under the GDPR principle accountability, Emailmovers is able to demonstrate that we are compliant. We always record the legal grounds for processing an individual’s personal data

I can’t say that any of this is untrue, although I am sceptical. Generally, I think that the data broking industry is irredeemable, incapable of operating lawfully either now or in the future. The data broker acquires data, accumulates and appends it, and then sells it to clients. This is the opposite of fair. However, and wherever the data was obtained from, whatever transparency or fair processing was given to the subject, it would be vague. It could not say which specific organisations would receive the data, and often, it could not even say which sectors. The data broker does not know – they sell to whoever is buying. This kills consent – which was supposed to be informed and specific since 1995 – and it kills legitimate interest. How can you assess the effect on the subject if you don’t know when obtaining the data what you’re going to do with it? If a data broker obtained individual email data under legitimate interest, they couldn’t sell it on for marketing purposes, because the client will not have consent to send the marketing in question by email.

None of this will stop the data broking industry from carrying on – when some of the biggest brokers are ICO stakeholders whose activities have gone unchecked for decades, it’s hard to imagine that the GDPR will make much of a difference.

Nevertheless, there was one thing about all this that I was able to check. I made an FOI request to the ICO asking about contact that Emailmovers had had with the Commissioner’s Office, particularly with the policy and liaison teams. If Emailmovers really had been working closely with the ICO, there would be evidence of this, right? The ICO’s response was revealing:

There was no direct contact between Emailmovers and our Strategic Liaison/ policy department concerning advice about GDPR.”

Emailmovers had made a couple of enquiries – ICO was too cautious to tell me what they asked, but they supplied the replies which offer no more than a simple (but accurate) explanation that business to business communications are covered by the GDPR, a brief observation that the ePrivacy Regulation is coming but we cannot be sure what it will say, and separately, a straightforward note that even corporate subscribers need fair processing. This is not working closely with the ICO – they asked a couple of questions and got short polite answers. There are no meetings, no detailed correspondence, nothing at all to suggest anything approaching the relationship they boast about here:

Screen Shot 2018-01-16 at 21.47.35

I can honestly say that I am in regular contact with the ICO about a variety of matters. It sounds good, but it’s true only because I nearly gave evidence in one of their prosecutions (they didn’t need me in the end), I make a lot of FOI requests to them, and I tweet at them almost daily.

I don’t accept that making a couple of enquiries equates to working closely with someone. The fact that Emailmovers make this claim on their website, and displayed the ICO logo prominently until recently makes me very uneasy about the other things they say. The GDPR sector is full of bullshit and exaggeration, fake certifications, hokey badges and bluster. As we near the supposed cliff edge of May 25th, we should all take the time to check every claim with great scepticism, and to treat the badge-toting hordes with the same caution that Humphrey Bogart treated a certain bogus Federale:

2040 vision

The turn of the year is always an opportunity to make resolutions in your personal or professional life, but it’s hardly a revelation to observe that such aspirations often evaporate. The easy option presents itself, and the temptation to take it is difficult to resist. For many years, I have claimed to be a “freelancer” but in fact, although I’ve been doing my own thing since 2008, quite a lot of my work has come from Act Now Training. Every year, I tell myself that this is the year that I will cut the apron strings completely and strike out on my own, and every year, I don’t quite get there. I’ve done some fascinating work for a variety of people, but I haven’t found enough of it myself.

2018 was already shaping up to be an interesting year, given that the much-hyped General Data Protection Regulation will finally be enforceable, and we will find out whether the apocalyptic predictions of The Certified will come to pass (SPOILER: they won’t). Reader, that isn’t interesting enough for me. Much as I am grateful to Act Now for offering me my first training course in 2005, and for all the opportunities they’ve given me since, all good things must come to an end. I had to turn down all sorts of opportunities in 2017 because of all the courses I was running, and there are a number of things I’ve always wanted to do, but simply didn’t have the time. So from March 1st, if you want to be trained by me, or use my services, it’s 2040 Training or bust.

A couple of announcements in this context:

PUBLIC COURSES!

I am running some public courses with a practical, procedure based approach in London and Manchester. The first is a ‘GDPR SOS‘ course for those bodies large and small who either haven’t prepared for GDPR’s live incarnation, or don’t know whether they have got what they might need in place. It’s commonplace in the Data Protection world to sneer at those who haven’t thrown themselves into a compliance frenzy, but rather than brag about putting up my daily rate (which some LinkedIn GDPR bods have said they would do in 2018), I thought I would put on a no-nonsense, plain English guide for those who want to get up to speed. The first courses run at the end of March, and you can find out more about them here: http://2040training.co.uk/gdprcourses/

Following on from the SOS course, I hope to be running a detailed practical course on the GDPR rights in April and May, taking into account guidance from the ICO, the Article 29 Working Party, the DP Bill / Act, and of course, the many cases and examples that we’ve already got from 20 years of Data Protection. There will also be a course on PECR and Direct Marketing.

These courses will not be ‘Article or Section X says Y’ but will be based on real-life cases and scenarios. Both, and a range of other options, are of course available in house, and everything else that I can do for you is listed on my website, a link for which is above.

MORE GUIDES!

I wrote two free guides in 2017, one on fundraising and Data Protection, the other on choosing a DPO as a service. The feedback on both has generally been very positive, apart from the DPO as a service people who didn’t like reading that experience  is an essential part of being someone’s expert. It is. Live with it.

First, I am updating the fundraising guide to make it solely about GDPR and the DP Bill to the extent that this is possible. I want to complete this soon, so if any fundraisers have any specific questions about GDPR that you’d like to see answered, especially if you read the original and know the kind of questions I featured next time around, let me know but quickly!

Send any questions, as soon as you can, to: fundraising@2040training.co.uk

Second, I will be writing a guide for GDPR and Councillors – a simple guide to Data Protection as it relates to the role of a local elected politician. It’s not going to cover what councils do, but the way in which a councillor operates their office, deals with constituents and how they store data. Once again, any questions or concerns about this area from Councillors and those who work for or with them would be very welcome. I hope to get this finished by the end of February, so any questions or comments that you can send before then would be more than welcome.

Send any questions (preferably before 20th Feb) to: councillors@2040training.co.uk

Both the updated Fundraising guide and the Councillor guide will be free and available to download from my website.

After these two are done, I will be working on a number of other guides including the use of violence warning markers under GDPR, and no matter how unpopular this will make me, a free guide for individuals who want to use their Data Protection rights. If you have thoughts or comments about this, please let me know.

EMPLOY ME!

Seriously, I’m available. More here: www.2040training.co.uk.

Summit to hide?

On at least three occasions in the past year, a member of staff from the Information Commissioner’s Office has spoken at conferences organised under the banner of GDPR Conference or GDPR Summit. Garreth Cameron has appeared twice, and Lisa Atkinson was at the latest event on October 9th. Nothing odd about this, you would think – the ICO clearly wants to spread its message (such as it is) to a wide audience, and conferences are a way to do it. They should be wary about showing favouritism and they’re not very good at avoiding it – a certain Assistant Commissioner often appears at a certain training company’s courses, and appearing three times at one company’s commercial events comes close to being an endorsement.

But even if such regular support for a conference would otherwise be justified, in this case, I don’t think it is. It’s not easy to find out from the GDPR Summit website who is actually organises the conferences. A little bit of digging suggests that it is a company called Amplified Business Content. Amplified Business Content is also responsible for ‘GDPR Report’, which used to publish articles for free but has now gone to a subscriber model. Having an opaque company structure isn’t compliant with Data Protection because it’s not clear who the Data Controller is. Moreover, some of the material on their website is garbage – they have published quizzes with wrong answers, and harvested information without a privacy policy (though I noticed that after people on Twitter made a fuss of it, they stopped demanding email addresses to get scores on the quiz). Via GDPR Report, the organisation has pumped out reams of vague, badly-written stories including one titled ‘The Data Protection Apocalypse’ that claimed that organisations need consent for all processing – it was so bad that after a morning of criticism via Twitter and other sites, they had to delete it. Worst of all, Amplified Business Content has not notified the ICO under Data Protection – unless they are exempt (which for a conference organisation is hard to believe), this is a criminal offence.

Given that the ICO have given Amplified Business Content so much support, I wondered whether they had done any due diligence on the organisation before agreeing to speak at their events. Under FOI, I asked for the following:

Any information about due diligence carried out by the ICO before accepting invitations to speak at these events, including whether ICO staff checked if the company had a notification, and whether their materials and publications were accurate and reflected the ICO’s approach to the GDPR

Any procedure that requires ICO staff to carry out due diligence before accepting speaking engagements

The answer was that no information was held. The best they could offer was “We apply our speaking engagement policy here when making a decision whether or not to accept a request for a speaker“. Needless to say, the speaking engagement policy does not include any requirement to carry out due diligence. In other words, the fact that Amplified Business Content has not notified and has spread misleading and unhelpful information about a Data Protection apocalypse is irrelevant to Wilmslow. They’re not even expected to check whether the organisation has taken the most basic steps to comply with Data Protection law. This is remarkable, especially at a time when so many dodgy people have flooded into the Data Protection market.

Their answer to the first part of my request was more interesting, and more worrying. I asked for:

All correspondence between the ICO and Amplified Business Content or those purporting to represent GDPR Conference or GDPR Summit or GDPR Summit Europe (or other variations on the theme of GDPR Summit).

I’ve done this before, both with the Privacy Laws and Business Conference (which led to this blog) and True Swift, another organisation for whom the ICO has done several online courses. Both times, the ICO gave me detailed correspondence between themselves and the organisation, which allowed me to see, among other things, Stewart Dresner of PLB complaining that he doesn’t have special access to news about ICO activities. This time, however, the ICO has refused to give me any of the correspondence. The exemption they used is a prohibition on disclosure that applies when organisations supply data to the Commissioner when information “has been obtained by or furnished to the Commissioner under or for the purposes of the Information Acts”. In other words, ICO claims that when arranging their spots at the GDPR events, they were exercising their functions under the Data Protection Act. Needless to say, the refusal doesn’t say which function they were exercising – presumably I am expected to guess. I think the only function that could apply is the duty to promote the following of good practice under Section 51, but the idea that Parliament intended conference arrangements to be secret is a fairly bizarre idea.

Only two possibilities present themselves. The first is that the ICO’s policy is only to release material such as this with the consent of the organisation (which the prohibition allows), so PLB and TrueSwift consented to the disclosure and Amplified Business Content refused, which begs the question of what ABC have to hide. Their internal business arrangements are nobody’s business but theirs, but when dealing with the regulator, they should expect to be more open. I’ve made fun of Dresner following the disclosures, but the emails I received didn’t show him or his company doing anything inappropriate – the only criticism I’ve got is that the ICO should hold all organisations at arms length.

The other possibility is that the ICO is being inconsistent. They didn’t use this exemption before, but there is something awkward or embarrassing about their relationship with ABC that they want to cover up. Either way, it isn’t a good look for the transparency regulator to be hiding information about its dealings with a private company. The prohibition allows data controllers and public authorities being investigated for DP and FOI breaches to provide secret business information to the Commissioner with the confidence that it won’t be disclosed. This is entirely justifiable – otherwise, no organisation would ever give the ICO information they had withheld from an FOI or subject access applicant in case the applicant then tried to use FOI or DP to get it from Wilmslow.

This case is very different. The ICO has scant resources, and yet has regularly provided speakers to a commercial company with a spotty approach to Data Protection and is using the prohibition on disclosure to prevent legitimate scrutiny of their relationship. The prohibition does allow disclosures that are ‘necessary in the public interest’ – given ABC’s dissemination of scaremongering articles and possibly illegitimate non-notification, I am convinced that the public interest does support transparency here. Of course, the ICO might argue that if they disclose, this will deter conference organisers and others from approaching them – but who cares? This is far from a core activity for the Commissioner. If you’re not willing to be open in these circumstances, what has anyone involved in this got to hide?

Things To Come

The imminent arrival of the #GDPR, as many have already noted, has resulted in a huge amount of speculation, prediction and scaremongering. Stories of massive fines, a torrent of crippling class action lawsuits, 75000 DPO jobs and the emergence of a new volcano in the fields outside Wilmslow* have all captured our attention. Nevertheless, just when I thought I had heard everything, Lawrence Serewicz proved me wrong.

Mr Serewicz issued, with the certainty of an Old Testament prophet, this astounding claim:

Quick #gdpr prediction. By May 2019 the ICO will have issued more, in terms of number of and amount of, “fines” than in the previous years of the MPN era *combined*.

This might be the wildest prediction anyone has made since the GDPR first dropped from the sky (sidenote: feel free to link me to dafter ones). By my quick and dirty calculation, this would mean GDPR fines in excess of £9million and more than 100 fines between May 2018 and May 2019. This isn’t going to happen. Even in a parallel universe where we had a Commissioner who liked taking action, they couldn’t fire out 100 fines in one year. It is inconceivable.

It is probably fair to say that Mr Serewicz and I do not have a relationship marked by mutual respect or affection, but for once, he has inspired me. The idea of predicting what the first year of GDPR will involve is a brilliant one, and I have decided to have a go.

Below are 12 predictions about the first 12 months of GDPR in the UK. For every one that I get wrong, I will donate £20 to the charity Mind. And here’s where you can join in. Look down the list, and see if you disagree. If you spot a prediction that you think will not come true, let me know – in the comments here, on Twitter, via LinkedIn, or via email. If you are right and I am wrong, I will publicly admit that this was the case on this blog. I will celebrate your perspicacity. But if I am right, and you are wrong, you will donate £20 to a charity of your choosing. You don’t have to do anything else and I will not make fun of you. Nobody makes any money except good causes, but imagine me having to grovel and highlight your superior knowledge in print. If three people say I’m going to get one wrong and I don’t, each one makes their donation, but however many people bet against me, if I am wrong, I just pay one £20 per prediction. I will still praise those who get it right.

I will not be a smart-arse about general comments and reactions on social networking sites – if you want to join in, contact me directly and say you want to take up the charity challenge on one of these predictions.

PREDICTION 1

The total amount of GDPR fines (not including PECR and legacy DPA fines) between May 2018 and May 2019 will be less than the total of all DP CMPs up to today’s date.

Yes, this is half of Mr Serewicz’s prediction. Guess what prediction 2 is?

PREDICTION 2

The total amount of GDPR fines (not including PECR and legacy DPA fines)  issued between May 2018 and May 2019 will be less than the total number of all DP CMPs up to today’s date.

PREDICTION 3

There will be less GDPR fines (not including PECR and legacy DPA fines) between May 2018 and May 2019 than between May 2017 and May 2018.

That’s right – I predict the number of fines will decrease in GDPR’s first year of operation.

PREDICTION 4

There will not be a €20 million or UK equivalent fine before the end of May 2019.

I intend no weasel get-outs here – we all know what I mean here. There will not be a maximum possible fine in any circumstances.

PREDICTION 5

There will not be a 4% of annual turnover before the end of May 2019.

As above.

PREDICTION 6

Thinking about the lower level of penalty i.e. under Art 83(4), there will not be a €10 million or UK equivalent fine before the end of May 2019.

PREDICTION 7

Thinking about the lower level of penalty i.e. under Art 83(4), there will not be a 2% of annual turnover or UK equivalent fine before the end of May 2019.

PREDICTION 8

No UK public authority will be fined more than £1 million before the end of May 2019.

PREDICTION 9

No UK company will be fined more than £2 million before the end of May 2019.

I want to be wrong on this one as there will be deserving breaches. I don’t think I will be.

PREDICTION 10

No charity will be fined more than £50,000 before the end of May 2019, unless for a security breach.

PREDICTION 11

No GDPR class action case will have been concluded with a total damages payout of more than £1million before the end of May 2019.

PREDICTION 12

Five of the companies registered on Companies House today with ‘GDPR’ in their name, or a company name whose initials spell ‘G D P R’ will no longer be offering Data Protection services in May 2019.

BONUS ROUND

These ones just for fun as they cannot be measured

  • the number of people describing themselves as ‘Certified GDPR Practitioners’ on LinkedIn will be half what it is now
  • nobody will change their profile to say ‘Certified GDPR Practitioner’ on LinkedIn during May 2019
  • the ICO will still be asking for more staff
  • we will all wonder what all the fuss was about

AND FINALLY: do you have a prediction in the style of those above? If you do, let me know what it is. If I get at least five predictions (and a maximum of 10, I’m not made of money), next month, I will write another blog made of reader suggestions. If this comes off, I will say whether I agree with them or not, and if I disagree with them, it’s another £20 to Mind from me for every one that I get wrong. But contributors must promise that if they get it wrong, they will pay the £20.

This will go wrong in one of two ways. It will capture people’s imagination, and I have given myself a shedload of admin. Or nobody will care, and nobody will join in. But we’ve all read a pile of predictions since all this GDPR nonsense started. Let’s have a bit of fun, and raise a little bit of money for charities at the same time.

 

* In 2017, anything is possible.