High stakes “Hide and Seek”​?

“That GDPR? All a flash in the pan – flash in the pan – I tells ya!”

Oh dear. I’ve heard this a few times. GDPR and the Data Protection Act (2018) are “this year’s Y2K” – and look what a damp squib that was! – or a vehicle for whiplash claims (pun intended) or a cash-in for companies who previously chased PPI claims.

I have spoken to organisations whose strategy for GDPR is to hope that their competitors have a breach and to swoop in and take their customers.

But how?

How in all that’s holy will that play ever expect to work?

Our competitors breached your data! Come to us – we have no protection for your data either!

Doing nothing is not ‘strategic’. Planning for how to fulfil the legal obligations on your organisation with regards to data protection is a strategy…

Is that enough?

Would that it were. One misguided soul showed me their GDPR ‘strategy’ and after metaphorically blowing the dust off it I asked how far along they were with delivering against the strategy, only to be met with a dumbfounded, “We have a strategy..?!” as thought that was a panacea.

In the event of a data breach, having a rough-hashed plan which was never undertaken would never be enough. It might actually be worse than having nothing, as it shows that instead of ignorance of the law, the organisation had contempt for the law.


It’s fair to say that I have spoken with organisations whose approach to GDPR has been pragmatic, measured and an exercise in professional management of risk. Whilst we can’t earn a bean from them at present, they have shown a willingness to move with the law as it is supported by new case law, so that door isn’t closed and I have to doff my cap to the people running those organisations. It has even changed my buying habits in one instance, such was the commitment to managing my personal data responsibly.

“Show me the money!”

The months leading up to May 25th this year were punctuated by puff-pieces from people who had gained a GDPR qualification the week before and wanted to make ‘bank’ with all of the opportunities that were (supposedly) there. These people have largely moved on to other things, leaving only the committed in the market to offer their consultancy. There is a very small cadre of people whose knowledge and guidance I would (begrudgingly!) wish well if they beat us to a piece of work, but they are already tied into projects. If – as some suspect – a serious fine is handed down from the ICO in the near/mid term, where will organisations whose response to GDPR has been, ahem, “casual” find the knowledgeable resource to help them?

Should I care? It will be a seller’s market – hoorah!

But… There are people’s livelihoods on the line here.

Employees who may find that their employer has imploded because no one told Terry in Marketing not to email everyone’s home address and credit card number to everyone else in the CRM system, or because it’s far cheaper to run the HR system form PyongYang than Peterborough.

A little guidance needn’t cost a fortune. For example, we offer a “GDPR Project Management” service where we only engage with clients when they need guidance in their gap assessment. We do that via video conference or a phone call in order to keep the client’s costs down (plus, there’s no romance for me in staying in a Premier Inn in Swindon) and to ensure that meetings are to-the-point and leave all parties with an up-to-date work package and a deliverable date, so that they can fit this around their day job.

The immediate benefit? They understand why the work is happening and begin to build it into their processes because it is on their mind, rather than Athene Secure swooping in, doing GDPR to them and then leaving the team with a nice report, a set of actions and recommendations and an invoice. They can ask us questions at the meeting and begin to appreciate the obligations which may have never been addressed by their company previously.

As much as I would love to sit in someone’s offices on a day-rate, eating all the biscuits and talking “data protection” there are many organisations who can’t afford (a) a day rate for a few days in order to complete the work and/or (b) to take key employees out of commission to tell me where they store their CVs and to ask whether they need consent to take staff photos at the work’s Christmas do (don’t get me started…)

The GDPR Project Management approach which we call “Chronos” is a pragmatic route to helping companies who have spoken to ‘Peter Practitioner’ and have been offered day rates which are more than some salaried employees earn in a week…

So… Hide and Seek?

It’s not a good approach. Hoping to see competitors hit with a data breach and learning from their experience – not a good approach. For the reasons listed above, simply expecting to vacuum up customers when a competitor struggles is making your organisation more likely to breach.


Because you probably don’t have robust systems in place to support a sudden influx (if you do – congratulations, but – get a second opinion, perhaps?) and if someone is creating ad hoc policy to deal with increased numbers then your “Privacy by design / Privacy by default” is not going to be in evidence.

It may take time, but if the ICO picked your business at random because your industry has shown no interest in data protection as a whole, where can you hide?

What about a customer who believes that you aren’t a good custodian of their personal data? Could your business handle a Subject Access Request. Here’s a clue – lying to a data subject that you don’t hold any personal data on them is never going to be a good idea…

You come to an impasse with an employee. You believe that they don’t possess an alarm clock because their 9am start is often a “best endeavours” and their seat is still stone cold at 9.25am. If they find the contents of their desk in a Pickfords box and they know that your data protection policy is filed in Narnia and your processes are as stable and mature as a fourteen year-old with a bank card and a false id – the whistle-blower could make life very uncomfortable if they can raise sufficient interest at the ICO.

Why not get the right people in now – before you’re having to hire new entrants into the data protection profession who can spell “GDPR” and so think they might like to give it a go for the day-rate?

This isn’t a plea for work. Far from it. It’s a plea for UK Plc to engage with the regulation now and get everything ticking along nicely. Speak to those brave souls who fly the flag for compliance and the regulation. We don’t bite – none of us in the profession. We aren’t even “I told you so” Jobsworths who want to make your life difficult and business impossible.

We have all worked at senior levels and are suitably qualified (I was a Board member at a global organisation and my MBA wasn’t delivered in a cornflakes box – and I’m no ‘Unicorn’ in the profession). There is a pragmatism and a perspective in all of my wider colleagues in the profession which is just praying to help you and to show you that GDPR could actually save you money. We recently saved one company a six-figure sum per year because they needn’t/shouldn’t operate in that way any more and it saved the business a real headache (we really should be on a percentage finder’s fee for these savings..!)

With Brexit and its unknowns looming large next year, doesn’t it make sense to get GDPR out of the way until the next review so that you can work on stocking up on food and medical supplies (as seems to be the thinking at the moment)?

Leave a Reply

Your e-mail address will not be published. Required fields are marked *