Where is the ICO?

I must confess a potential conflict of interest in that I am a director of a company which provides data protection advice (along with cyber security and other services), so this will probably come across as self-serving, however – I’m a data subject just as you are.

We find ourselves five months into the General Data Protection Regulation in Europe, in general, and the Data Protection Act (2018) in the UK, in particular.

Has there been any instance in the UK of an organisation being fined under the new regulation?

We have seen Facebook fined for offences under the previous Data Protection Act (1998), with the fine apportioned commensurate with that Act, and this is entirely understandable, as the activities occurred and were reported under that law.

What of the new Data Protection Act?


There is no guidance for organisations, based on adjudications from the regulator. Not one organisation has been censured for their poor handling of personal data and so there is a growing feeling – almost a certainty – that the regulation is toothless. The regulator, especially so.

Why should any organisation spend a solitary penny on compliance when there is not even a threat of sanction? Where is the protection of the data subject, driven by expected data protection practices? Are there any additional protections driven by the regulation over and above the former Data Protection Act?

This is an interesting situation. We are now in a position where organisations can be found to be manifestly falling short of the requirements of the regulation wherever they collect personal data. Every organisation which captures personal data has an Article 13 obligation to explain how the data is to be used, on what legal basis, where the data will be processed and by whom.

In speaking with peers in the world of data protection, it seems that boilerplate text, copied after a cursory Google search, is the order of the day. These privacy notices fall short of the requirements of the regulation and are a manifest example of an organisation’s failure to adopt the requirements of the regulation.

Surely, these instances would be easy to sanction?

I can fully appreciate that an audit, commenced on the 23rd May 2018 when DPA(2018) came into force, would most probably still be under investigation. Expecting the ICO to produce a report on an organisation within six months of the regulation coming into force is naïve, but the tools to compel organisations to meet their obligations are in place.

I’m led to believe that the ICO is receiving complaints from data subjects and that these are being logged and marked for investigation.

Elizabeth Denham has already intimated that the first effort of the ICO will be to educate, inform and guide towards compliance. Laudable. Not happening.

It would be the work of a matter of moments to review a website to see if there is a privacy notice and whether it would pass muster. An email to the organisation, outlining that they are under complaint and that first indications suggest that their data protection isn’t as expected, would be an excellent driver for organisations to pursue some sort of conformance with the requirements of DPA(2018). It would also serve to prevent a financial sanction, as the organisation would be building their defensible position prior to the audit; their mitigation would already be under way and their potential fine lowered.

As it stands, the ICO is not serving anyone.

The data subject has to wait for their “day in court”. The organisation, which may be investigated with no prior warning, has no preparation in place. The ICO has stretched resources, so the situation is prolonged.

With no compulsion from the regulator, organisations (on the whole) will do nothing. Why spend £1000 on protection when the fine may never come along, or may be a fraction of the cost of compliance? It doesn’t make business sense.

This leaves us in the situation where we have a data protection regulation which isn’t protecting data subjects’ data.

We have had two years, from April 2016, for the regulation to be embedded and for organisations to be protecting personal data.

Where was the leadership from the regulator?

Where was the preparation from the regulator? Salaries were appalling, and it is only comparatively recently that lobbying has allowed the ICO to break free of the constraints of civil service pay grades.

Guidance on the ICO helpline has been contradictory in many cases.

Email guidance has been poor. I have seen one query from one of our clients answered by the ICO talking about responding to an SAR within a month and mandating that our client accept scant proof of identity from the requester. The former is incorrect as the SAR arrived in early May (prior to GDPR) and the latter is incorrect because the SAR came from someone who was the recipient of a service from a data controller, our client being a processor. All under DPA (1998) – the guidance was given with no acknowledgement of the date of the request and the appropriate legal basis in operation.

Don’t forget – the ICO also had two years to prepare…

I appreciate that the ICO is cleaning up the older infringements and that these need to be decided. I also understand that they are investigating issues revolving around PECR.

The problem is that we are seeing precisely nothing in the way of guidance and compulsion from the regulator for organisations to follow.

We have all heard the “€20m, 4% of global turnover or €10m, 2% of global turnover…” but these are the extremes. The sanction regime needs to be proportionate and persuasive. Article 58 gives the regulator the opportunity “to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period” (Article 58(2)(d)) – surely there would be no cost to order an organisation to comply? It may save the organisation from being fined.

As it currently stands, the ICO is ineffective. It has not delivered for data subjects. It has not delivered for personal data users. It has not delivered anything other than web-based guidance and some cursory advertisements on the radio about the impending regulation, which started to be aired in – what? – April?

The ICO should direct attention to promoting data protection. It should seek to guide personal data users on their obligations. It should seek to advise data subjects of their rights.

The ICO should seek to do something.

I said at the outset that there might be a potential conflict of interest in this piece, due to the services offered by my company.

I am a data subject.

So are you.

I don’t feel that we are being helped by the ICO.

I would be happy to not see a single organisation fined because they realised the potential danger from fines, reputational damage and civil suits and took steps to avoid being placed in that situation.

As it stands, the ICO is doing none of this.

This is my vote of no confidence.

I don’t think that I’m alone in this.

High stakes “Hide and Seek”?

“That GDPR? All a flash in the pan – flash in the pan – I tells ya!”

Oh dear. I’ve heard this a few times. GDPR and the Data Protection Act (2018) are “this year’s Y2K” – and look what a damp squib that was! – or a vehicle for whiplash claims (pun intended) or a cash-in for companies who previously chased PPI claims.

I have spoken to organisations whose strategy for GDPR is to hope that their competitors have a breach and to swoop in and take their customers.

But how?

How in all that’s holy will that play ever expect to work?

Our competitors breached your data! Come to us – we have no protection for your data either!

Doing nothing is not ‘strategic’. Planning for how to fulfil the legal obligations on your organisation with regards to data protection is a strategy…

Is that enough?

Would that it were. One misguided soul showed me their GDPR ‘strategy’ and, after metaphorically blowing the dust off it, I asked how far along they were with delivering against the strategy, only to be met with a dumbfounded, “We have a strategy..?!” as though that were a panacea.

In the event of a data breach, having a rough-hashed plan which was never undertaken would never be enough. It might actually be worse than having nothing, as it shows that instead of ignorance of the law, the organisation had contempt for the law.


It’s fair to say that I have spoken with organisations whose approach to GDPR has been pragmatic, measured and an exercise in professional management of risk. Whilst we can’t earn a bean from them at present, they have shown a willingness to move with the law as it is supported by new case law, so that door isn’t closed and I have to doff my cap to the people running those organisations. It has even changed my buying habits in one instance, such was the commitment to managing my personal data responsibly.

“Show me the money!”

The months leading up to May 25th this year were punctuated by puff-pieces from people who had gained a GDPR qualification the week before and wanted to make ‘bank’ with all of the opportunities that were (supposedly) there. These people have largely moved on to other things, leaving only the committed in the market to offer their consultancy. There is a very small cadre of people whose knowledge and guidance I would (begrudgingly!) wish well if they beat us to a piece of work, but they are already tied into projects. If – as some suspect – a serious fine is handed down from the ICO in the near/mid term, where will organisations whose response to GDPR has been, ahem, “casual” find the knowledgeable resource to help them?

Should I care? It will be a seller’s market – hoorah!

But… There are people’s livelihoods on the line here.

Employees who may find that their employer has imploded because no one told Terry in Marketing not to email everyone’s home address and credit card number to everyone else in the CRM system, or because it’s far cheaper to run the HR system from Pyongyang than Peterborough.

A little guidance needn’t cost a fortune. For example, we offer a “GDPR Project Management” service where we only engage with clients when they need guidance in their gap assessment. We do that via video conference or a phone call in order to keep the client’s costs down (plus, there’s no romance for me in staying in a Premier Inn in Swindon) and to ensure that meetings are to-the-point and leave all parties with an up-to-date work package and a deliverable date, so that they can fit this around their day job.

The immediate benefit? They understand why the work is happening and begin to build it into their processes because it is on their mind, rather than Athene Secure swooping in, doing GDPR to them and then leaving the team with a nice report, a set of actions and recommendations and an invoice. They can ask us questions at the meeting and begin to appreciate the obligations which may have never been addressed by their company previously.

As much as I would love to sit in someone’s offices on a day-rate, eating all the biscuits and talking “data protection”, there are many organisations who can’t afford (a) a day rate for a few days in order to complete the work and/or (b) to take key employees out of commission to tell me where they store their CVs and to ask whether they need consent to take staff photos at the work’s Christmas do (don’t get me started…).

The GDPR Project Management approach which we call “Chronos” is a pragmatic route to helping companies who have spoken to ‘Peter Practitioner’ and have been offered day rates which are more than some salaried employees earn in a week…

So… Hide and Seek?

It’s not a good approach. Hoping to see competitors hit with a data breach and learning from their experience – not a good approach. For the reasons listed above, simply expecting to vacuum up customers when a competitor struggles is making your organisation more likely to breach.


Because you probably don’t have robust systems in place to support a sudden influx (if you do – congratulations, but – get a second opinion, perhaps?) and if someone is creating ad hoc policy to deal with increased numbers then your “Privacy by design / Privacy by default” is not going to be in evidence.

It may take time, but if the ICO picked your business at random because your industry has shown no interest in data protection as a whole, where can you hide?

What about a customer who believes that you aren’t a good custodian of their personal data? Could your business handle a Subject Access Request? Here’s a clue – lying to a data subject that you don’t hold any personal data on them is never going to be a good idea…

You come to an impasse with an employee. You believe that they don’t possess an alarm clock because their 9am start is often “best endeavours” and their seat is still stone cold at 9.25am. If they find the contents of their desk in a Pickfords box, and they know that your data protection policy is filed in Narnia and your processes are as stable and mature as a fourteen-year-old with a bank card and a false ID, the whistle-blower could make life very uncomfortable if they can raise sufficient interest at the ICO.

Why not get the right people in now – before you’re having to hire new entrants into the data protection profession who can spell “GDPR” and so think they might like to give it a go for the day-rate?

This isn’t a plea for work. Far from it. It’s a plea for UK Plc to engage with the regulation now and get everything ticking along nicely. Speak to those brave souls who fly the flag for compliance and the regulation. We don’t bite – none of us in the profession. We aren’t even “I told you so” Jobsworths who want to make your life difficult and business impossible.

We have all worked at senior levels and are suitably qualified (I was a Board member at a global organisation and my MBA wasn’t delivered in a cornflakes box – and I’m no ‘Unicorn’ in the profession). There is a pragmatism and a perspective in all of my wider colleagues in the profession which is just praying to help you and to show you that GDPR could actually save you money. We recently saved one company a six-figure sum per year because they needn’t/shouldn’t operate in that way any more and it saved the business a real headache (we really should be on a percentage finder’s fee for these savings..!)

With Brexit and its unknowns looming large next year, doesn’t it make sense to get GDPR out of the way until the next review so that you can work on stocking up on food and medical supplies (as seems to be the thinking at the moment)?

Three blind mice.

Last week featured a number of frustrating meetings. Frustrating – not because they led to zero sales (although that might have been a factor otherwise) – but because it provided a microcosm of the problems being faced by organisations when key decision-makers think they know what they are doing, but patently don’t.

Three blind mice. I’m not seeking to patronise the senior managers of these businesses, but the fact that three of these meetings led to the revelations later in this article leads me to consider the old nursery rhyme:

Three blind mice. Three blind mice.
See how they run. See how they run.
They all ran after the farmer’s wife,
Who cut off their tails with a carving knife,
Did you ever see such a sight in your life,
As three blind mice?

Meeting Number 1 was a company we shall call “Marketing Misdirection.”

On meeting the Head of Marketing, it became apparent that my “service” was simply to endorse their stance on DPA(2018). Okay – second opinion – I get it.

This company still buys in those “Nine million email addresses of key decision-makers!” mailing lists. And uses them. How so? Well, apparently, their legal basis is “Contract”.

I struggled with this, to be honest. After delving into the detail, it transpires that this company believes that they can use Article 6(1)(b) because – paraphrasing – they can “Give our potential customers some fantastic offers that they probably wouldn’t find for themselves!”


I racked my brain for my Law “A” Level studies of <mumble> years ago and, having dismissed Donoghue v Stevenson, I said that Contract Law is ancient, well-defined and tested, with a lot of precedent. In these circumstances, where is the offer to the data subject? Where is the consideration? Where is the “intention to create legal relations”? Probably more importantly in this context – where is the acceptance?

I expressed the opinion that they were behaving like someone taking a trolley full of goods out of Sainsbury’s without paying, on the basis that they would fulsomely extol the virtues of Sainsbury’s and how wonderful they are, in return for a free shopping trip. Without Sainsbury’s agreement.

Anything I said was rebuffed with a patronising, “I’ve been in Marketing since I ran the campaign to get animals on a boat, two-by-two and this here GDPR is no different to what has gone before!”

Fines? Loss of reputation? Civil litigation?

“We’re too small to be bothering the privacy police” is a direct quote. Yeah… The farmer’s wife is over there…

Constrain the risk

Company Number 2, who I’ll call “Invisible Paperwork Ltd” told me, with no hint of a joke, that they had decided that the “forty or so” filing cabinets with personnel records were going to be out of scope for them for GDPR. If they stated that the paperwork was out of scope on their audit preparation then they had nothing to worry about.

I wanted to know the location of the filing cabinets because – at that point – I needed something solid to bang my head against.

The farmer’s wife is over there, sir, and she should be on your scope any day now…

Rumpole Rides Again

The final company, who I’ll call “Partner Payout Principle Ltd” got me in for no valid reason I could understand.

Every question was answered with “We have the company’s lawyer on that.”

I respect lawyers – you never know when you might need one on your side. But I struggle to see how a lawyer can give an opinion on technical and organisational measures to protect data. I fully appreciate that some legal firms have teamed up with other professionals to offer a full-suite service, incorporating cyber security, marketing advice, employment law advice and operations advice, but “Partner Payout Principle Ltd” was referring to lawyers for legal answers to technical questions.

Apparently, my place in this was “interloper”. As I am not a lawyer, I have no place in working with companies to address DPA(2018) and GDPR.

I tried to re-frame the discussion.

“You have a responsibility for health and safety, don’t you?”

“Yes,” came the reply, smugly.

“Do you call your legal advisors when you need new fire extinguishers?”

“Ha, ha – no! But that’s different.”

“How so? If you break the law there are potentially unlimited fines or custodial sentences for directors. The difference is, you could have disgruntled former employees, unhappy customers, competitors, the regulator’s auditors themselves – all looking to see you in court. Can your lawyers advise you on anti-malware? Do they have any experience in writing processes, defining policies?”

All dismissed.

Now, if they’re happy to spend upwards of £200 per hour on legal advice then, fine. I could save them a lot of money and offer a service based on <mumble> years in data protection and information security. I can offer a “win/win” on implementation and I come from a business background, so I keep an eye on improving the bottom line.

Mr. Manager of “Partner Payout Principle Ltd” – if you look over there, yes – holding the carving knife. Yes – that’s the farmer’s wife…

The moral of the story?

I’m not sure there is one, really. I don’t want to preach or moralise, but I’m seeing a lot of people plumping for one consultant and taking their word verbatim. I’ll bet that anyone with a responsibility to staff will have a smattering of HR knowledge to bring to bear (“Hi, welcome to the job interview. Are you planning to start a family any time soon?”!!!!!!), some H&S knowledge and knowledge of the laws pertaining to their industry sector. Cool. Love it.

With this regulation so fresh on the statute books, it might be worthwhile canvassing opinion and getting an understanding of the headline facts about data protection and privacy as it applies to a particular industry. When I’m working with a client I welcome them speaking to other practitioners because it:

  • shows that the client is developing an interest in the subject, not just paying lip-service (which will be found out, sooner or later)
  • shows a fundamental desire to protect the organisation at hand
  • gives me an opportunity to address immediate concerns and discern exactly where the client is uncomfortable, thereby giving me a chance to inform and deal with those concerns
  • Shock! Horror! Terrible admission to make! I don’t know everything and a valuable third-party input enlightens everyone (anyone who says that they do know everything? Yeah… Jog on)

One thing that has left me mystified, though, is the fact that these three blind mice called me in with (apparently) no intention of engaging our service. Who operates like that in the real world?

Hi, yes, is this Beryl’s Double Glazing? Yeah, great. Look – I live in a fourth floor flat in a high-rise and I was wondering if you could come round and give me a quote on a conservatory leading off from my lounge? Hello..? Hello..?

There are none so blind as those who will not see…

“Polite Conversation”, Jonathan Swift, 1738.

…I wonder if the farmer’s wife was ever referred to as “Elizabeth”?

Say what you want, but some people AREN’T your friends…

After the quick-fix, “Buy my solution, it’s the best-est on the market”, doom-laden commentators who were talking about €20m and 4% fines prior to 25th May 2018, we find ourselves in an environment where the pendulum has swung completely the opposite way.

I have seen several people commending businesses for scaling back their preparations for GDPR and Data Protection Act (2018) because it impacts the bottom line positively to take the apparent cost of compliance out of the business.

Further, I have seen so-called experts saying that the ICO won’t fine businesses because they didn’t fine many businesses under Data Protection Act (1998)… What they seemingly always fail to mention is that there is a mandatory obligation to report breaches (with certain caveats from the ICO) which didn’t exist under the previous legal framework.

Liars, fools and charlatans…

This sort of thing makes my blood boil. Of course, you may suggest that these people are being pragmatic and that they are potentially undermining a central plank of my business. Fine…

In that light, taking their lead, I would suggest that other ways to save money include:

  • pulling out all of your Health and Safety protections – that’ll positively affect the bottom line in the short term!
  • contacting your accountant and either firing them or stopping their service – that’ll positively affect the bottom line – fewer salaries!
  • firing your auditors – another cost-saving!
  • cancelling your insurances – what a tremendous saving that will be!
  • getting rid of your entire compliance function – they’re just another unnecessary overhead!


All of those ploys only work right up until the point something goes wrong.

  • Someone has an accident and you have to explain to the HSE that the lack of warning signs for a slippery floor was a cost-saving exercise.
  • Someone dies on a building site because they had no personal protective equipment as the result of a cost-saving measure. “Corporate Manslaughter” – much?
  • Your accounts aren’t audited and your tax returns are wrong, leading to sanctions for directors and the HMRC turning up wearing latex gloves and telling you to “assume the position”.

None of those ideas make any sense when the organisation has a legal requirement to comply.

Guess what?

DPA (2018) is in force now. Organisations must comply if they are handling personal data. Data breaches (with certain limited, generally-defined exceptions from the ICO) must be reported – it’s mandatory within the aforementioned parameters.

Article 4(12) of the General Data Protection Regulation defines a data breach as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Organisations need to achieve a defensible position. Having the necessary processes, policies and training in place is a bit of a hill to climb, admittedly, for some organisations who may have dismissed the Data Protection Act (1998) as a bit of a joke, or were simply unaware.

DPA (2018) isn’t a joke.

Trying to hide behind some idiot’s statistics about the likelihood of being audited or breached is no better than putting your fingers in your ears and shouting “Blah, blah, blah!” at the top of your voice, hoping that the challenge will go away. You may have a data breach. You may have a customer with an axe to grind and data protection is the grinding wheel they can use most freely and effectively.

Having no preparation in place is like having no insurance.

Both could potentially lead to your business disappearing.

You may not get data protection right, one hundred percent.

Someone way cleverer than me said that GDPR preparation for audit is like a maths exam question. Show that you’ve tried a pragmatic approach to the problem. You may get the wrong result, but the ICO will look more favourably on your particular circumstances than if you were to say “Well, this bloke on the internet said that we were statistically unlikely to be breached or hassled by data subjects, so we didn’t bother to do anything…”

The chances of being audited out-of-the-blue are minuscule-to-non-existent, yes. The chances of your business upsetting a customer, who runs into the arms of a “no win/no fee” solicitor? Quite a lot higher. These are the “freak accidents” which good preparation helps to mitigate.

These people who are saluting organisations which are disassembling their GDPR preparations or advising that no one will be fined so you shouldn’t bother preparing for the regulation? Do you seriously think that they will pitch in and help if anything happens and their advice is proven to be the mindless bulls*** that it undoubtedly is?

Of course they won’t.

They’ve proven by their moronic proclamations that they have no place advising anyone on anything in the corporate world.

If you have a problem, they will have disappeared (much like your professional standing) if you’re in the unfortunate position of proving that their statistics and short-termist view of data protection is entirely wrong.

Some people aren’t your friends, regardless of how comfortable they make you feel when they tell you that it’s okay to ignore your legal responsibilities and ignore common sense precautions, in the light of a new piece of legislation which can come with severe sanctions and obligations…

I’m most probably not your friend, either.

Well, possibly not yet.

But… Sometimes it’s easier to tell your secrets to a stranger. The difference between me and these bozos I’ve described is that I stand by my advice; it is based on years of professional experience.

I don’t need to “showboat” to the masses to get attention.

People can easily find me if anything goes wrong.

I see the value in compliance and protection – that’s why I have professional indemnity insurance. I wonder how many of these other “friends” have got rid of that to save money?

I’d wager – none. They will all have their backsides covered. And yet – they’re advising you not to?

Some people aren’t your friends.

The people giving you idiotic guidance aren’t even your enemies.

Most often, they’re just attention-seeking hypocrites.

A little creative thinking?

I, for one, am sick to death with the negativity around GDPR. I am challenging myself to write a regular piece about the benefits of GDPR (of which there are many).

I reiterate; I, for one, am sick to death with the negativity around GDPR.

Further, I am aggravated by newly-minted data privacy ‘consultants’ prefixing every comment with “Ah… But – €20m…” with a sly, knowing wink as shorthand for “I am about to invoice you to hell for consultancy of dubious quality…”

One of the areas which has raised my ire in recent weeks is the plaintive cry that ‘that nasty EU is depriving people in Marketing’ of the use of private data, namely email addresses.

I appreciate that email dates back to the mid-90s as a usable tool for addressing prospects and customers, but it has been used lazily, it has been used by spammers and it has been used as a shield against actually having to understand customers.

“You can’t take my contacts list!”

… a comment I’ve heard on a number of occasions.

Why? Why not? I’ve yet to come across anyone (myself included) who curates their personal contacts list to see whether it is still accurate and valid, to see whether people whose business cards seemingly appeared from the ether in my wallet still want to contact me, or for me to contact them.

GDPR is like the responsible adult telling unruly children that pulling Jennifer’s ponytail isn’t nice and that Brian is just as capable of kicking a football as anyone else, even though his trainers are not “dope” (that’s me getting “Home with the downies” in terms of current hip slang… I’m sure I left my coat around here somewhere…)

For those who cling to their 2,000/20,000/10,000,000 email addresses in the contacts list, the barrier to entry for advertising ‘stuff’ has simply been adding those addresses to a CC: list in order to flog something (hopefully, BCC, so that we aren’t sharing everyone’s email address).

Bringing in a regulation that demands that people, y’know, actually take care of someone else’s personal data is way overdue.

Anyone crying that their world is coming to an end, take it from someone who (gasp!) was working before the Internet came into operation – people sold stuff very successfully prior to the advent of email. No one wandered into a shop and inexplicably walked out with the keys to a Morris Marina and a ticket on Concorde to New York. People saw – and responded in their multitudes – to undirected advertising. And they bought things.

The first person to buy an IBM PC didn’t buy it in response to an email.

What seems to be missing here is an appreciation that advertising works. Good advertising works wonders. Older readers will remember “Go to work on an egg” or “Naughty, but nice” – taglines which even now conjure up images of the Egg Marketing Board and fresh cream cakes.

“Naughty, but nice” was a phrase created by Salman Rushdie for Ogilvy and Mather, so it’s obviously not just a case of throwing words together and praying…

How many people can remember an email from ten years ago – ten weeks even – which caught the attention so vividly and burned a message into a huge audience?

Don Draper? We need you!

Will GDPR see the re-elevation of the advertising agency? I think that there may be an opportunity for people who have relied on the easy route of blasting out email to engage with a market which has proved, time and again, to be suckers for a good advertising campaign. It doesn’t have to be an expensive, Saatchi mini-epic featuring A-list celebrities in order to get attention, as evidenced by:


You buy one, you get one free! I said – you buy one, you get one free!

Regardless of your views on double-glazing, the advertising campaign for SafeStyle Windows stuck in the memory through TV, radio and newspaper adverts. Their emails? Straight to junk mail.

It is often (incorrectly) quoted that the Chinese have the same word for “Crisis” and “Opportunity”. I believe that there is a huge swell of people who are in crisis mode and not looking at the opportunities which can come from changing tack.

The hit rate for email marketing is neither here nor there with GDPR as it offers pitfalls around consent and legitimate interest, which anyone with any reason will seek to avoid.

Place an advert. Let people come to you. They are self-selecting leads and – they have made a soft opt-in to your advertising campaign!

What about if no one responds? Well, would they have responded to an email? Is your advertising any good? Is your product any good?

The era of mass emailing people who may have glanced at a web page will soon be gone.

My advice – for what it’s worth – is to go for undirected advertising, make the adverts interesting, attractive and engaging and let potential leads show themselves.

These adverts will be more valuable than the reputation-rubbishing effect of sending spam to someone every twenty minutes. I know companies from whom I wouldn’t buy a lifebelt in a flood because of the way they throw crap messaging at me through any means to get to my mailbox.

Mass advertising, to reach a wider audience… who might buy something.

It does what it says on the tin.

It Shouldn’t Be A Fight

Going by the content generated on LinkedIn, GDPR is prompting adverts for services and software, often ill-informed arguments over the minutiae of subsections of the regulation and an unseemly rush to promote oneself as the go-to guy/gal for GDPR regulation.

Discussions on various forums have descended into vitriolic exchanges as people jostle for position to be seen as an authority on the subject. It seems as though people are seeing the regulation as a zero-sum game for the individuals and organisations seeking to develop the market for consultancy services or tin-shifting.

Perhaps this was all predictable. We have the EU on one side, raising the bar for penalties for organisations playing fast-and-loose with data subjects’ digital identities, a large cohort of organisations trying to remain profitable in the falling ash of the credit crunch with, seemingly, little time to absorb, understand and act on the new regulation, and a market which had been hankering for the next Millennium Bug as a ‘hanger’ on which to sell services or tools.

Regulation is a fact of life. No one consciously thinks on a perpetual basis about the regulations which shape our modern world as we absorb their strictures almost by osmosis.

This privacy regulation arrived in May 2018 and there has been all manner of fall-out from it, some informative, some counter-intuitive and some… just plainly bizarre.

Instead of wasting energy in jockeying for position in the market, we would be better served by sharing information.

It is a huge market.


There is a phenomenal shortfall in suitably-equipped advisers to steer business through. Instead of bickering with people who are potentially equally as ill-informed, why not share information, guidance and thoughts in order to raise the bar for everyone?

This unseemly battle for top-billing is a side-show for the desperate, and should be dismissed as such.