Last week featured a number of frustrating meetings. Frustrating – not because they led to zero sales (although that might have been a factor otherwise) – but because they provided a microcosm of the problems being faced by organisations when key decision-makers think they know what they are doing, but patently don’t.
Three blind mice
I’m not seeking to patronise the senior managers of these businesses, but the fact that three of these meetings led to the revelations later in this article leads me to consider the old nursery rhyme:
Three blind mice. Three blind mice.
See how they run. See how they run.
They all ran after the farmer’s wife,
Who cut off their tails with a carving knife,
Did you ever see such a sight in your life,
As three blind mice?
Meeting Number 1 was a company we shall call “Marketing Misdirection.”
On meeting the Head of Marketing, it became apparent that my “service” was simply to endorse their stance on DPA(2018). Okay – second opinion – I get it.
This company still buys in those “Nine million email addresses of key decision-makers!” mailing lists. And uses them. How so? Well, apparently, their legal basis is “Contract”.
I struggled with this, to be honest. After delving into the detail, it transpires that this company believes that they can use Article 6(1)(b) because – paraphrasing – they can “Give our potential customers some fantastic offers that they probably wouldn’t find for themselves!”
I racked my brain for my Law “A” Level studies of <mumble> years ago and, having dismissed Donoghue v. Stevenson, I said that Contract Law is ancient, well-defined and tested, with a lot of precedent. In these circumstances, where is the offer to the data subject? Where is the “consideration and intent to create legal relations”? Where is the consideration? Probably more importantly in this context – where is the acceptance?
I expressed the opinion that they were behaving like someone taking a trolley full of goods out of Sainsburys without paying on the basis that they would fulsomely extol the virtues of Sainsburys and how wonderful they are, in return for a free shopping trip. Without Sainsburys’ agreement.
Anything I said was rebuffed with a patronising, “I’ve been in Marketing since I ran the campaign to get animals on a boat, two-by-two and this here GDPR is no different to what has gone before!”
Fines? Loss of reputation? Civil litigation?
“We’re too small to be bothering the privacy police” is a direct quote. Yeah… The farmer’s wife is over there…
Constrain the risk
Company Number 2, who I’ll call “Invisible Paperwork Ltd”, told me, with no hint of a joke, that they had decided that the “forty or so” filing cabinets with personnel records were going to be out of scope for them for GDPR. If they stated that the paperwork was out of scope on their audit preparation then they had nothing to worry about.
I wanted to know the location of the filing cabinets because – at that point – I needed something solid to bang my head against.
The farmer’s wife is over there, sir, and she should be on your scope any day now…
Rumpole Rides Again
The final company, who I’ll call “Partner Payout Principle Ltd”, got me in for no valid reason I could understand.
Every question was answered with “We have the company’s lawyer on that.”
I respect lawyers – you never know when you might need one on your side. I struggle to see how a lawyer can give an opinion on technical and organisational measures to protect data? I fully appreciate that some legal firms have teamed up with other professionals to offer a full-suite service, incorporating cyber security, marketing advice, employment law advice, operations advice, but “Partner Payout Principle Ltd” was referring to lawyers for legal answers to technical questions.
Apparently, my place in this was “interloper”. As I am not a lawyer, I have no place in working with companies to address DPA(2018) and GDPR.
I tried to re-frame the discussion.
“You have a responsibility for health and safety, don’t you?”
“Yes,” came the reply, smugly.
“Do you call your legal advisors when you need new fire extinguishers?”
“Ha, ha – no! But that’s different.”
“How so? If you break the law there are potentially unlimited fines or custodial sentences for directors? The difference is, you could have disgruntled former employees, unhappy customers, competitors, the regulator’s auditors themselves – all looking to see you in court. Can your lawyers advise you on anti-malware? Do they have any experience in writing processes, defining policies?”
Now, if they’re happy to spend upwards of £200 per hour on legal advice then, fine. I could save them a lot of money and offer a service based on <mumble> years in data protection and information security. I can offer a “win/win” on implementation and I come from a business background, so I keep an eye on improving the bottom line.
Mr. Manager of “Partner Payout Principle Ltd” – if you look over there, yes – holding the carving knife. Yes – that’s the farmer’s wife…
The moral of the story?
I’m not sure there is one, really. I don’t want to preach or moralise, but I’m seeing a lot of people plumping for one consultant and taking their word verbatim. I’ll bet that anyone with a responsibility to staff will have a smattering of HR knowledge to bring to bear (“Hi, welcome to the job interview. Are you planning to start a family any time soon?”!!!!!!), some H&S knowledge and knowledge of the laws pertaining to their industry sector. Cool. Love it.
With this regulation so fresh on the statute books, it might be worthwhile canvassing opinion and getting an understanding of the headline facts about data protection and privacy as it applies to a particular industry. When I’m working with a client I welcome them speaking to other practitioners because it:
- shows that the client is developing an interest in the subject, not just paying lip-service (which will be found out, sooner or later)
- shows a fundamental desire to protect the organisation at hand
- gives me an opportunity to address immediate concerns and discern exactly where the client is uncomfortable, thereby giving me a chance to inform and deal with those concerns
- Shock! Horror! Terrible admission to make! I don’t know everything and a valuable third-party input enlightens everyone (anyone who says that they do know everything? Yeah… Jog on)
One thing that has left me mystified, though, is the fact that these three blind mice called me in with (apparently) no intention of engaging our service? Who operates like that in the real world?
“Hi, yes, is this Beryl’s Double Glazing? Yeah, great. Look – I live in a fourth floor flat in a high-rise and I was wondering if you could come round and give me a quote on a conservatory leading off from my lounge? Hello..? Hello..?”
There are none so blind as those who will not see…
“Polite Conversation.” Jonathan Swift, 1738.
…I wonder if the farmer’s wife was ever referred to as “Elizabeth”?