Humble Suggestions

I am on record as having a very poor view of the ICO. I don’t believe that they are fulfilling their Article 57 requirement to “monitor and enforce the application of this Regulation” (Art.57 (1)(a)) or in their responsibility to “promote the awareness of controllers and processors of their obligations under this Regulation” (Art. 57(1)(d)).

It’s easy to keep taking pot shots, but I think it’s better to try to share suggestions for improvement so here’s my take on some positive, practical suggestions to try to help the ICO to fulfil its mandate.

My main concern is that some of these suggestions might already be happening, however, I have worked in data protection sufficiently long to know that if I haven’t heard of these things happening then it may not entirely be my fault. There is a problem of communication from the ICO; hence the issues with the purportedly large numbers of organisations which haven’t completed their compliance efforts.


I think that there are a number of things which could be done to improve the current situation, but they have to be predicated on ‘education’ first and foremost.

It would be iniquitous – even this late in the process – for the ICO to hammer organisations with sanctions when the advertisement around GDPR was originally mostly based on scare tactics from the “snake oil” merchants, or vendors inflating their prices in what they perceived to be a “boom” period for their products. Organisations have often reacted to the interpretation of the law from a vendor with something to sell rather than objective guidance from the regulator.

I appreciate that market forces will always come into play in situations such as this, but these forces need to be tempered by an informed marketplace; the information asymmetry around regulatory expectations meant that those organisations which tried to comply often had their fingers expensively burned on sub-par advice from newly-minted “experts” or systems which had “GDPR” tacked onto them and which didn’t deliver anything to support the organisation’s compliance efforts.

Is it any wonder that some organisations have adopted the approach that they can prove that they have spent good money and are now unwilling to see whether it has helped them to protect their businesses?

UK businesses have had nearly two-and-a-half years to comply with the regulation, but the Press suggests that those in a state of compliance are still in the minority.

It appears that the ICO is under-funded. It would be a waste of resource to undertake a media campaign this late into the process. What the ICO lacks in funds they no longer lack in staff. The regulator employs nearly 700 staff (from a low of around 150). Complaints have arisen about the quality of advice from ICO staff, so this suggestion helps to address both sides of the education coin.


Engage with trade groups (Chambers of Commerce, Federation of Small Businesses, SRA, CBI possibly) and social organisations (religious groups, sports associations, etc) and offer free seminars on what the ICO expects to see from organisations.

This would comparatively cost very little and would be seen as a gentle reminder to those businesses which haven’t fulfilled their legal obligations. From recent surveys, this would be the majority.

Make this a regular arrangement so that no one can say that they weren’t warned.

Advise these organisations that the threat of sanction is real, but deliver the message in a balanced, sensible way so that there is no sales pressure behind it – just a statement of fact from the UK’s data protection authority.


Offer a select number of volunteer attendees an amnesty in exchange for an audit on a time-limited basis. This would be no different from the regular “no questions asked” knife and gun amnesties which the police sometimes offer. Offer companies a six-month period to volunteer for an audit and select a good representative group.

After six months, the amnesty ends. Those who were audited will have directly-applicable information to improve their data handling. Others in that particular industry could review the audit and learn from that. Anyone else? Well… You had your chance.

An audit within an amnesty would help businesses to understand what their responsibilities are (without fear) and would give some of the ICO staff an opportunity to get some (much needed) real-world experience.

The price of the audit would be to speak at a future engagement event (FSB, CBI, etc.) to describe what was involved, some of the issues discovered and what treatments were recommended. A story, told by a peer, is going to have more weight than any sales pitch from a vested interest.

A “finger in the air” idea of the cost of a fine for the audit (if there is a transgression) would also make data protection fines more “real” to attendees. This would also help to fulfil the Art.83(1) requirement on the ICO that “the imposition of administrative fines… shall in each individual case be effective, proportionate and dissuasive.”

Having an actual financial figure for an audit outcome would enable organisation leaders to gauge what the cost/benefit would be, if only in purely financial terms for the fine. They would, presumably, be well enough acquainted with their own industry to know what sort of reputational damage may occur and the potential number of data subjects’ civil claims.

A general list of easy wins would help organisations to make small but potentially high-impact changes to their operations in order to protect data subjects.


Purely from a user experience perspective – please change the website. I often hear other practitioners say, “But – all of the information is on the website?!”


Taking a step back and looking at the site from a non-practitioner perspective, it doesn’t deliver. It should offer more content dealing with the generalities of compliance so that organisation leaders can actually understand what is required. The website for CERN’s Large Hadron Collider is engaging, despite the fact that it deals with matters (and “anti-matters”?!) which are massively outside of a normal person’s scope of understanding.

If the ICO undertook the “Education” and “Amnesty” route, outlined above, there would be a wealth of industry-specific information to build into the real-world expression of how the regulation operates.

…and there are plenty of “royalty-free” pictures available in order to brighten up the page and make it more welcoming to the passing visitor.


I have said this elsewhere, but there needs to be evidence of the ICO in operation amongst the types of businesses which aren’t going to attend industry groups such as the FSB or CBI. These organisations are likely to be the type which see the Data Protection Act (2018) as something which concerns other people, not them.

I visited a website a short time ago which said that the site was run under the guidelines of the Data Protection Act (1998) and by submitting my personal data I was agreeing to marketing materials being sent to me.

Surely, this is an “open and shut case” that this organisation is ignoring their legal responsibilities?

I phoned the ICO. I was told to report it to the website owner and – if I’d had no response within 28 days – to come back to the ICO and “We’ll see what we can do about it.”

Totally unacceptable.

If I saw someone throw a brick through a shop window, I would call the police with a description of the individual, the time of the offence and any associated information and let them deal with it.

If I saw someone pouring oil into a stream, I would contact the environmental health services with as much evidence as I could gather and let them deal with it.

If I disagreed with a government policy, I would make my case to my local MP, who should speak on my behalf.

I had given the ICO person on the phone the URL of the website and the wording of the message, but they expected me to pursue this on behalf of all of the other data subjects who would be affected. Whatever happened to the ICO’s Article 57 (1)(a) responsibilities around monitoring and enforcement?


Presumably, the ICO has a case management system for investigations.

When a data subject calls with a prima facie case where an organisation is in breach there may not be enough resource to don the blue “ICO Enforcement” jackets and wade into the head office of the organisation (or enough of a reason).

My complaint – and I’ve heard this from others – is that no record was made of my report. If a case file was opened then it could be used to gather evidence, or even mitigation to show that the organisation is receiving complaints from mischievous and malcontent data subjects.

If a growing body of complaints suggested that a company was ignoring their responsibilities within the regulation then the ICO could act. Send an email, make a phone call – anything – to advise the organisation that their behaviour isn’t what is expected.

Ultimately, this is to protect the data subject. It is also to enforce the regulation. It is a manifest example of the ICO engaging with organisations and advising them.

The more egregious breaches should be investigated quickly and the ICO should not be frightened to enforce the cessation of processing. Draconian? Why? It’s within the regulator’s powers and if it protects data subjects – how can that be wrong? It would also get the message out that data protection is an important factor in modern life.

The ICO can’t parade all of their work with Cambridge Analytica and Facebook and then expect people to accept that their banking details or health matters are “fair game” because no one at the ICO took the effort to record early warnings of serious transgression.

For the more mundane and less serious issues, a formal notification that the ICO is aware of the organisation’s operation would be a decent shot across the bows in order to suggest more work needs to be done to address shortcomings in the organisation’s stance on data protection.

Taking this approach would fulfil the ICO’s Art.57(1)(a) responsibilities to some extent. It would also bring data protection into a position with some context and it would further serve to underpin the ICO as a regulator in the minds of data subjects everywhere.



It might be easier to solve the issues around an absence of engagement from the regulator if there was a bottomless pit of money. Back in the real world, this isn’t going to happen.

I have tried to outline some low cost, high impact strategies which would enable the ICO to fulfil its legal responsibilities and – first and foremost – protect the data subject.

I don’t believe that at any point I have used this article to try to create further business directly for data protection practitioners. With a strong, fair regulator, there is no reason to artificially create a market for data protection practitioners. An informed market is better for everyone and would avoid organisations making purchases more in hope than expectation.

Where is the ICO?

I must confess a potential conflict of interest in that I am a director of a company which provides data protection advice (along with cyber security and other services), so this will probably come across as self-serving, however – I’m a data subject just as you are.

We find ourselves five months into the General Data Protection Regulation in Europe, in general, and the Data Protection Act (2018) in the UK, in particular.

Has there been any instance in the UK of an organisation being fined under the new regulation?

We have seen Facebook fined for offences under the previous Data Protection Act (1998), with fines apportioned commensurate with that legislation. This is entirely understandable, as the activities occurred and were reported under that law.

What of the new Data Protection Act?


There is no guidance for organisations, based on adjudications from the regulator. Not one organisation has been censured for their poor handling of personal data and so there is a growing feeling – almost a certainty – that the regulation is toothless. The regulator, especially so.

Why should any organisation spend a solitary penny on compliance when there is not even a threat of sanction? Where is the protection of the data subject, driven by expected data protection practices? There seem to be no additional protections driven by the regulation over and above the former Data Protection Act.

This is an interesting situation. We are now in a position where organisations can be found to be manifestly falling short of the requirements of the regulation wherever they collect personal data. Every organisation which captures personal data has an Article 13 obligation to explain how the data is to be used, on what legal basis, where the data will be processed and by whom.

In speaking with peers in the world of data protection it seems that boilerplate text, copied after a cursory Google search, seems to be the order of the day. These privacy notices fall short of the requirements of the regulation and are a manifest example of an organisation’s failure to adopt the requirements of the regulation.

Surely, these instances would be easy to sanction?

I can fully appreciate that an audit, commenced on the 23rd May 2018 when DPA(2018) came into force, would most probably still be under investigation. Expecting the ICO to produce a report on an organisation within six months of the regulation coming into force is naïve, but the tools to compel organisations to meet their obligations are in place.

I’m led to believe that the ICO is receiving complaints from data subjects and that these are being logged and marked for investigation.

Elizabeth Denham has already intimated that the first effort of the ICO will be to educate, inform and guide towards compliance. Laudable. Not happening.

It would be the work of a matter of moments for a review of a website to see if there is a privacy notice and whether it would pass muster. An email to the organisation, outlining that they are under complaint and that first indications suggest that their data protection isn’t as expected, would be an excellent driver for organisations to pursue some sort of conformance with the requirements of DPA(2018). It would also serve to prevent a financial sanction, as the organisation would be building their defensible position prior to the audit; their mitigation would be being built and their potential fine lowered.

As it stands, the ICO is not serving anyone.

The data subject has to wait for their “day in court”. The organisation, which may be investigated with no prior warning, has no preparation in place. The ICO has stretched resources, so the situation is prolonged.

With no compulsion from the regulator, organisations (on the whole) will do nothing. Why spend £1000 in protection when the fine may never come along or be a fraction of the cost of compliance. It doesn’t make business sense.

This leaves us in the situation where we have a data protection regulation which isn’t protecting data subjects’ data.

We have had two years, from April 2016, for the regulation to be embedded and for organisations to be protecting personal data.

Where was the leadership from the regulator?

Where was the preparation from the regulator? Salaries were appalling, and it is only comparatively recently that lobbying has allowed the ICO to break free of the constraints of civil service pay grades.

Guidance on the ICO helpline has been contradictory in many cases.

Email guidance has been poor. I have seen one query from one of our clients answered by the ICO talking about responding to an SAR within a month and mandating that our client accept scant proof of identity from the requester. The former is incorrect as the SAR arrived in early May (prior to GDPR) and the latter is incorrect because the SAR came from someone who was the recipient of a service from a data controller, our client being a processor. All under DPA (1998) – the guidance was given with no acknowledgement of the date of the request and the appropriate legal basis in operation.

Don’t forget – the ICO also had two years to prepare…

I appreciate that the ICO is cleaning up the older infringements and that these need to be decided. I also understand that they are investigating issues revolving around PECR.

The problem is that we are seeing precisely nothing in the way of guidance and compulsion from the regulator for organisations to follow.

We have all heard the “€20m, 4% of global turnover or €10m, 2% of global turnover…” but these are the extremes. The sanction regime needs to be proportionate and persuasive. Article 58 gives the regulator the opportunity “to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period” (Article 58(2)(d)) – surely there would be no cost to order an organisation to comply? It may save the organisation from being fined.

As it currently stands, the ICO is ineffective. It has not delivered for data subjects. It has not delivered for personal data users. It has not delivered anything other than web-based guidance and some cursory advertisements on the radio about the impending regulation, which started to be aired in – what? – April?

The ICO should direct attention to promoting data protection. It should seek to guide personal data users on their obligations. It should seek to advise data subjects of their rights.

The ICO should seek to do something

I said at the outset that there might be a potential conflict of interest in this piece, due to the services offered by my company.

I am a data subject.

So are you.

I don’t feel that we are being helped by the ICO.

I would be happy to not see a single organisation fined because they realised the potential danger from fines, reputational damage and civil suits and took steps to avoid being placed in that situation.

As it stands, the ICO is doing none of this.

This is my vote of no confidence.

I don’t think that I’m alone in this.

High stakes “Hide and Seek”?

“That GDPR? All a flash in the pan – flash in the pan – I tells ya!”

Oh dear. I’ve heard this a few times. GDPR and the Data Protection Act (2018) are “this year’s Y2K” – and look what a damp squib that was! – or a vehicle for whiplash claims (pun intended) or a cash-in for companies who previously chased PPI claims.

I have spoken to organisations whose strategy for GDPR is to hope that their competitors have a breach and to swoop in and take their customers.

But how?

How in all that’s holy will that play ever expect to work?

Our competitors breached your data! Come to us – we have no protection for your data either!

Doing nothing is not ‘strategic’. Planning for how to fulfil the legal obligations on your organisation with regards to data protection is a strategy…

Is that enough?

Would that it were. One misguided soul showed me their GDPR ‘strategy’ and after metaphorically blowing the dust off it I asked how far along they were with delivering against the strategy, only to be met with a dumbfounded, “We have a strategy..?!” as though that was a panacea.

In the event of a data breach, having a rough-hashed plan which was never undertaken would never be enough. It might actually be worse than having nothing, as it shows that instead of ignorance of the law, the organisation had contempt for the law.


It’s fair to say that I have spoken with organisations whose approach to GDPR has been pragmatic, measured and an exercise in professional management of risk. Whilst we can’t earn a bean from them at present, they have shown a willingness to move with the law as it is supported by new case law, so that door isn’t closed and I have to doff my cap to the people running those organisations. It has even changed my buying habits in one instance, such was the commitment to managing my personal data responsibly.

“Show me the money!”

The months leading up to May 25th this year were punctuated by puff-pieces from people who had gained a GDPR qualification the week before and wanted to make ‘bank’ with all of the opportunities that were (supposedly) there. These people have largely moved on to other things, leaving only the committed in the market to offer their consultancy. There is a very small cadre of people whose knowledge and guidance I would (begrudgingly!) wish well if they beat us to a piece of work, but they are already tied into projects. If – as some suspect – a serious fine is handed down from the ICO in the near/mid term, where will organisations whose response to GDPR has been, ahem, “casual” find the knowledgeable resource to help them?

Should I care? It will be a seller’s market – hoorah!

But… There are people’s livelihoods on the line here.

Employees who may find that their employer has imploded because no one told Terry in Marketing not to email everyone’s home address and credit card number to everyone else in the CRM system, or because it’s far cheaper to run the HR system from Pyongyang than Peterborough.

A little guidance needn’t cost a fortune. For example, we offer a “GDPR Project Management” service where we only engage with clients when they need guidance in their gap assessment. We do that via video conference or a phone call in order to keep the client’s costs down (plus, there’s no romance for me in staying in a Premier Inn in Swindon) and to ensure that meetings are to-the-point and leave all parties with an up-to-date work package and a deliverable date, so that they can fit this around their day job.

The immediate benefit? They understand why the work is happening and begin to build it into their processes because it is on their mind, rather than Athene Secure swooping in, doing GDPR to them and then leaving the team with a nice report, a set of actions and recommendations and an invoice. They can ask us questions at the meeting and begin to appreciate the obligations which may have never been addressed by their company previously.

As much as I would love to sit in someone’s offices on a day-rate, eating all the biscuits and talking “data protection” there are many organisations who can’t afford (a) a day rate for a few days in order to complete the work and/or (b) to take key employees out of commission to tell me where they store their CVs and to ask whether they need consent to take staff photos at the work’s Christmas do (don’t get me started…)

The GDPR Project Management approach which we call “Chronos” is a pragmatic route to helping companies who have spoken to ‘Peter Practitioner’ and have been offered day rates which are more than some salaried employees earn in a week…

So… Hide and Seek?

It’s not a good approach. Hoping to see competitors hit with a data breach and learning from their experience – not a good approach. For the reasons listed above, simply expecting to vacuum up customers when a competitor struggles is making your organisation more likely to breach.


Because you probably don’t have robust systems in place to support a sudden influx (if you do – congratulations, but – get a second opinion, perhaps?) and if someone is creating ad hoc policy to deal with increased numbers then your “Privacy by design / Privacy by default” is not going to be in evidence.

It may take time, but if the ICO picked your business at random because your industry has shown no interest in data protection as a whole, where can you hide?

What about a customer who believes that you aren’t a good custodian of their personal data? Could your business handle a Subject Access Request? Here’s a clue – lying to a data subject that you don’t hold any personal data on them is never going to be a good idea…

You come to an impasse with an employee. You believe that they don’t possess an alarm clock because their 9am start is often a “best endeavours” and their seat is still stone cold at 9.25am. If they find the contents of their desk in a Pickfords box and they know that your data protection policy is filed in Narnia and your processes are as stable and mature as a fourteen year-old with a bank card and a false ID – the whistle-blower could make life very uncomfortable if they can raise sufficient interest at the ICO.

Why not get the right people in now – before you’re having to hire new entrants into the data protection profession who can spell “GDPR” and so think they might like to give it a go for the day-rate?

This isn’t a plea for work. Far from it. It’s a plea for UK Plc to engage with the regulation now and get everything ticking along nicely. Speak to those brave souls who fly the flag for compliance and the regulation. We don’t bite – none of us in the profession. We aren’t even “I told you so” Jobsworths who want to make your life difficult and business impossible.

We have all worked at senior levels and are suitably qualified (I was a Board member at a global organisation and my MBA wasn’t delivered in a cornflakes box – and I’m no ‘Unicorn’ in the profession). There is a pragmatism and a perspective in all of my wider colleagues in the profession which is just praying to help you and to show you that GDPR could actually save you money. We recently saved one company a six-figure sum per year because they needn’t/shouldn’t operate in that way any more and it saved the business a real headache (we really should be on a percentage finder’s fee for these savings..!)

With Brexit and its unknowns looming large next year, doesn’t it make sense to get GDPR out of the way until the next review so that you can work on stocking up on food and medical supplies (as seems to be the thinking at the moment)?

Three blind mice.

Last week featured a number of frustrating meetings. Frustrating – not because they led to zero sales (although that might have been a factor otherwise) – but because it provided a microcosm of the problems being faced by organisations when key decision-makers think they know what they are doing, but patently don’t.

Three blind mice. I’m not seeking to patronise the senior managers of these businesses, but the fact that three of these meetings led to the revelations later in this article leads me to consider the old nursery rhyme:

Three blind mice. Three blind mice.
See how they run. See how they run.
They all ran after the farmer’s wife,
Who cut off their tails with a carving knife,
Did you ever see such a sight in your life,
As three blind mice?

Meeting Number 1 was a company we shall call “Marketing Misdirection.”

On meeting the Head of Marketing, it became apparent that my “service” was simply to endorse their stance on DPA(2018). Okay – second opinion – I get it.

This company still buys in those “Nine million email addresses of key decision-makers!” mailing lists. And uses them. How so? Well, apparently, their legal basis is “Contract”.

I struggled with this, to be honest. After delving into the detail, it transpires that this company believes that they can use Article 6(1)(b) because – paraphrasing – they can “Give our potential customers some fantastic offers that they probably wouldn’t find for themselves!”


I racked my brain for my Law “A” Level studies of <mumble> years ago and, having dismissed Donoghue v. Stevenson, I said that Contract Law is ancient, well-defined and tested, with a lot of precedent. In these circumstances, where is the offer to the data subject? Where is the consideration? Where is the “intent to create legal relations”? Probably more importantly in this context – where is the acceptance?

I expressed the opinion that they were behaving like someone taking a trolley full of goods out of Sainsburys without paying on the basis that they would fulsomely extol the virtues of Sainsburys and how wonderful they are, in return for a free shopping trip. Without Sainsburys’ agreement.

Anything I said was rebuffed with a patronising, “I’ve been in Marketing since I ran the campaign to get animals on a boat, two-by-two and this here GDPR is no different to what has gone before!”

Fines? Loss of reputation? Civil litigation?

“We’re too small to be bothering the privacy police” is a direct quote. Yeah… The farmer’s wife is over there…

Constrain the risk

Company Number 2, who I’ll call “Invisible Paperwork Ltd” told me, with no hint of a joke, that they had decided that the “forty or so” filing cabinets with personnel records were going to be out of scope for them for GDPR. If they stated that the paperwork was out of scope on their audit preparation then they had nothing to worry about.

I wanted to know the location of the filing cabinets because – at that point – I needed something solid to bang my head against.

The farmer’s wife is over there, sir, and she should be on your scope any day now…

Rumpole Rides Again

The final company, who I’ll call “Partner Payout Principle Ltd” got me in for no valid reason I could understand.

Every question was answered with “We have the company’s lawyer on that.”

I respect lawyers – you never know when you might need one on your side. I struggle to see how a lawyer can give an opinion on technical and organisational measures to protect data. I fully appreciate that some legal firms have teamed up with other professionals to offer a full-suite service, incorporating cyber security, marketing advice, employment law advice, operations advice, but “Partner Payout Principle Ltd” was referring to lawyers for legal answers to technical questions.

Apparently, my place in this was “interloper”. As I am not a lawyer, I have no place in working with companies to address DPA(2018) and GDPR.

I tried to re-frame the discussion.

“You have a responsibility for health and safety, don’t you?”

“Yes,” came the reply, smugly.

“Do you call your legal advisors when you need new fire extinguishers?”

“Ha, ha – no! But that’s different.”

“How so? If you break the law there are potentially unlimited fines or custodial sentences for directors? The difference is, you could have disgruntled former employees, unhappy customers, competitors, the regulator’s auditors themselves – all looking to see you in court. Can your lawyers advise you on anti-malware? Do they have any experience in writing processes, defining policies?”

All dismissed.

Now, if they’re happy to spend upwards of £200 per hour on legal advice then, fine. I could save them a lot of money and offer a service based on <mumble> years in data protection and information security. I can offer a “win/win” on implementation and I come from a business background, so I keep an eye on improving the bottom line.

Mr. Manager of “Partner Payout Principle Ltd” – if you look over there, yes – holding the carving knife. Yes – that’s the farmer’s wife…

The moral of the story?

I’m not sure there is one, really. I don’t want to preach or moralise, but I’m seeing a lot of people plumping for one consultant and taking their word verbatim. I’ll bet that anyone with a responsibility to staff will have a smattering of HR knowledge to bring to bear (“Hi, welcome to the job interview. Are you planning to start a family any time soon?”!!!!!!), some H&S knowledge and knowledge of the laws pertaining to their industry sector. Cool. Love it.

With this regulation so fresh on the statute books, it might be worthwhile canvassing opinion and getting an understanding of the headline facts about data protection and privacy as it applies to a particular industry. When I’m working with a client I welcome them speaking to other practitioners because it:

  • shows that the client is developing an interest in the subject, not just paying lip-service (which will be found out, sooner or later)
  • shows a fundamental desire to protect the organisation at hand
  • gives me an opportunity to address immediate concerns and discern exactly where the client is uncomfortable, thereby giving me a chance to inform and deal with those concerns
  • Shock! Horror! Terrible admission to make! I don’t know everything and a valuable third-party input enlightens everyone (anyone who says that they do know everything? Yeah… Jog on)

One thing that has left me mystified, though, is the fact that these three blind mice called me in with (apparently) no intention of engaging our service. Who operates like that in the real world?

Hi, yes, is this Beryl’s Double Glazing? Yeah, great. Look – I live in a fourth floor flat in a high-rise and I was wondering if you could come round and give me a quote on a conservatory leading off from my lounge? Hello..? Hello..?

There are none so blind as those who will not see…

“Polite Conversation”, Jonathan Swift, 1738.

…I wonder if the farmer’s wife was ever referred to as “Elizabeth”?

Say what you want, but some people AREN’T your friends…

After the quick-fix, “Buy my solution, it’s the best-est on the market”, doom-laden commentators who were talking about €20m and 4% fines prior to 25th May 2018, we find ourselves in an environment where the pendulum has swung completely the other way.

I have seen several people commending businesses for scaling back their preparations for GDPR and Data Protection Act (2018) because it impacts the bottom line positively to take the apparent cost of compliance out of the business.

Further, I have seen so-called experts saying that the ICO won’t fine businesses because it didn’t fine many businesses under the Data Protection Act (1998)… What they always seem to omit is that there is now a mandatory obligation (Article 33 of the GDPR) to notify the ICO of personal data breaches, which did not exist under the previous legal framework, so the old fining statistics describe a regime that no longer applies.

Liars, fools and charlatans…

This sort of thing makes my blood boil. Of course, you may suggest that these people are being pragmatic and that they are potentially undermining a central plank of my business. Fine…

In that light, taking their lead, I would suggest that other ways to save money include:

  • pulling out all of your Health and Safety protections – that’ll positively affect the bottom line in the short term!
  • contacting your accountant and either firing them or stopping their service – that’ll positively affect the bottom line – fewer salaries!
  • Firing your auditors – another cost-saving!
  • Cancelling your insurances – what a tremendous saving that will be!
  • Getting rid of your entire compliance function – they’re just another unnecessary overhead!


All of those ploys only work right up until the point something goes wrong.

  • Someone has an accident and you have to explain to the HSE that the lack of warning signs for a slippery floor was a cost-saving exercise.
  • Someone dies on a building site because they had no personal protective equipment as the result of a cost-saving measure. “Corporate Manslaughter” – much?
  • Your accounts aren’t audited and your tax returns are wrong, leading to sanctions for directors and HMRC turning up wearing latex gloves and telling you to “assume the position”.

None of those ideas make any sense when the organisation has a legal requirement to comply.

Guess what?

DPA (2018) is in force now. Organisations must comply if they handle personal data. Personal data breaches must be reported to the ICO without undue delay and within 72 hours of becoming aware of them (Article 33), unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, the affected people must be told as well (Article 34). Within those parameters, reporting is mandatory, not optional.

Article 4(12) of the General Data Protection Regulation defines a data breach as:

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

Organisations need to achieve a defensible position. Having the necessary processes, policies and training in place is a bit of a hill to climb, admittedly, for some organisations who may have dismissed the Data Protection Act (1998) as a bit of a joke, or were simply unaware.

DPA (2018) isn’t a joke.

Trying to hide behind some idiot’s statistics about the likelihood of being audited or breached is no better than putting your fingers in your ears and shouting “Blah, blah, blah!” at the top of your voice, hoping that the challenge will go away. You may have a data breach. You may have a customer with an axe to grind and data protection is the grinding wheel they can use most freely and effectively.

Having no preparation in place is like having no insurance.

Both could potentially lead to your business disappearing.

You may not get data protection right, one hundred percent.

Someone way cleverer than me said that GDPR preparation for audit is like a maths exam question. Show that you’ve tried a pragmatic approach to the problem. You may get the wrong result, but the ICO will look more favourably on your particular circumstances than if you were to say “Well, this bloke on the internet said that we were statistically unlikely to be breached or hassled by data subjects, so we didn’t bother to do anything…”

The chances of being audited out-of-the-blue are minuscule-to-non-existent, yes. The chances of your business upsetting a customer, who runs into the arms of a “no win/no fee” solicitor? Quite a lot higher. These are the “freak accidents” which good preparation helps to mitigate.

These people who are saluting organisations which are disassembling their GDPR preparations or advising that no one will be fined so you shouldn’t bother preparing for the regulation? Do you seriously think that they will pitch in and help if anything happens and their advice is proven to be the mindless bulls*** that it undoubtedly is?

Of course they won’t.

They’ve proven by their moronic proclamations that they have no place advising anyone on anything in the corporate world.

If you have a problem, they will have disappeared (much like your professional standing) when you find yourself in the unfortunate position of proving that their statistics and short-termist view of data protection were entirely wrong.

Some people aren’t your friends, regardless of how comfortable they make you feel when they tell you that it’s okay to ignore your legal responsibilities and ignore common sense precautions, in the light of a new piece of legislation which can come with severe sanctions and obligations…

I’m most probably not your friend, either.

Well, possibly not yet.

But… Sometimes it’s easier to tell your secrets to a stranger. The difference between me and these bozos I’ve described is that I stand by my advice, because it is based on years of professional experience.

I don’t need to “showboat” to the masses to get attention.

People can easily find me if anything goes wrong.

I see the value in compliance and protection – that’s why I have professional indemnity insurance. I wonder how many of these other “friends” have got rid of that to save money?

I’d wager – none. They will all have their backsides covered. And yet – they’re advising you not to?

Some people aren’t your friends.

The people giving you idiotic guidance aren’t even your enemies.

Most often, they’re just attention-seeking hypocrites.

If you REALLY need this explaining…

We are in the era of the “savvy consumer”. This has been proven by the photos of Xbox and PS4 shelves, bereft of all games after Black Friday.

Except for one.

EA Games has really messed up with the “Star Wars: Battlefront II” game.

By all accounts (I haven’t bought it), the game is riddled with micro-transactions, pay-to-play and enforced periods of waiting to move forward in the game (unless you unlock the stopwatch by purchasing additional ‘stuff’).

Apparently, the game will take either $2100 to complete via micro-transactions, or over 4,000 hours of waiting for (seemingly) arbitrary periods of time as a ransom to unlock playing.

People – lots of people – have protested long and loud about this. Paying $60 for a game should provide you with the game, not provide the game manufacturer with the opportunity to entice younger players to innocently abuse their parents’ credit cards.

Possibly worse still, the child may be humiliated in the schoolyard because they are waiting to move on to the next phase of the game whilst their wealthier friends are moving on because parents have paid the additional fees (anything for a quiet life). Or the child has found out how to use their parents’ credit card and the statement hasn’t yet arrived. When the bill comes home it will show that EA has been using the child as a siphon for their parents’ money, surreptitiously.

Disney, which owns the Star Wars brand, is apparently a little ‘miffed’ that their brand is being sullied, especially in the run-up to the new movie in December.

Various state regulators are looking to strengthen rules around gambling, as “Star Wars: Battlefront II” features random, paid-for, “loot boxes” which give the player tools and collectibles for the game, for a fee. This, to many minds, is gambling.

Let’s remember – “Child + Gambling = No-no!” in most nations. It hasn’t stopped EA from trying…

Perhaps, most heinously, the purchaser of “Star Wars: Battlefront II” unwraps the game, inserts the DVD and finds that the game comes without someone quite significant to the storyline.

That’s right… Darth Vader isn’t in the game as it ships..!

What does this have to do with GDPR, I hear you yawn?

It’s to do with reputation.

Very few people reading this will work for games manufacturers. That’s not the point of this article.

Most people work for an organisation which relies on a good reputation – how else do we retain good business?

EA’s reputation, at the moment, is in the gutter. The share price has fallen, games aren’t selling and those in the know metaphorically spit on the ground whenever the brand is mentioned. The Belgian government is looking into accusations of operating a gambling franchise rather than a gaming franchise. Whether EA have broken the law or whether the “loot boxes” are legal is beside the point. It’s bad publicity for EA.

Imagine, if you will, a data breach. Something like TalkTalk. Now, the TalkTalk breach didn’t massively affect company profits, but that happened in a regulatory environment which is not as powerful as the GDPR and is not overseen by other vested interests. The current Data Protection Act (1998) came about as the result of an EU directive (Directive 95/46/EC). In layman’s terms, the EU pretty much said,

“We really need every state to have laws. Here’s some guidelines – sort the rest out yerself…”

The GDPR comes as a regulation which – with very few exceptions, “derogations” – is standard across the EU.

If TalkTalk happened after May 2018 then the ICO would get involved, but Chapter VII of the Regulation (‘Cooperation and consistency’) requires consistent application across the EU, so if a German telephony provider suffered the same breach and was fined €8m there would be a precedent for the ICO to consider in setting its own fine. It’s not a rubber stamp along the lines of “Germany fined €8m, so here’s an €8m fine for you, TalkTalk”, but it is a compelling guide for future fines.

This is wandering into “Negatives”, mister…


Yes it is, however, it’s an ill wind that blows somebody some good.

Imagine you have gone through all of the data mapping, the Data Protection Impact Assessments and written appropriate policies and procedures. Your IT team have put in place state-of-the-art protection for everything from a mobile phone to a server farm. To anyone looking in (if security allows them to!), your business is an exemplar of data privacy and digital protection.

In the past, this has all been “Well, it’s what is expected” and no one mentioned it outside of the IT team and the CIO.

Boasting about IT was almost like saying, “Look! Look here! Our office has walls!”

Will Marks and Spencer put out a Christmas advert about their multi-factor authentication?

Will John Lewis have a snowy, Winter scene of Father Christmas having to run a retina scan to get down a chimney?

Of course not.


If a company has a major data breach, their competitors can use this as justification that they ‘care’ about their customers. Frame any positive you can think of within the parameters of the GDPR and it can and – I’m betting – will be used as evidence that Brand A is more concerned with your well-being than the recently-breached Brand B.

We care for you and your data. That’s why we take it seriously, unlike ‘others’ we could mention…

It won’t be as crass as that. It will be subtle, but it will creep into the advertising. Being a respectable custodian of customers’ data will help to retain customers, and to attract them, too.

You might say, “Well, it hasn’t worked so far!” and you would, of course, be right.

The eyes of the media glaze over when it comes to IT security and data privacy unless there is some salacious element to it, or an embarrassing fine. This sort of breach will come more into focus after May 2018 and I can foresee Jane Hill on the BBC intoning, “Under the new data privacy regulation from Europe, the General Data Protection Regulation…” and then explaining in detail the hows, whys and ‘how muches’ of the data breach.

A tough fine will catch attention.

People will slowly, almost by osmosis, start to appreciate their rights and the responsibilities of the organisations into whose care they entrust their data (and that’s before the ambulance chasing lawyers get involved in suing for data breaches in class actions).

At that point, GDPR will be a positive marketing tool.

A company which appreciates that long-term investment in data privacy will give them the seal of approval of a growing, more educated market will set themselves apart.

Even if that company is breached and the ICO finds that the breach was so specific, so unforeseen and that the organisation had done everything humanly/technically possible to prevent it, the exposure to the public of this “Black Swan” event will only build further trust.

If someone trusts you, they are usually happy to be in your company. They feel safe. The future is predictable around you. You have shown that you have their best interests at heart.

It may be a considerable investment in the near/mid term, but investment in data privacy will pay off in spades under a new regulation and with a new, slowly-becoming-more informed market.

Don’t forget – in four or five years’ time we will be seeing first-time home buyers who will have known no other environment under which their data resides. To be reckless with their data will be to kill off the market of the next, and succeeding, generation.

Investing in the processes, policies and technical elements of data privacy is future-proofing.

It will keep customers happy.

It will drive sales.

As time passes, it will be a considerable determinant of whether a company succeeds.

Do it now. Start beating your organisation’s chest with the news that you are trustworthy, have the customers’ best interests at heart and want to maintain their happiness.

Because? All together now:

Happy Customers = Sales

You never know – it may come in handy?

As a long-standing IT practitioner, the main thing I’ve learned over my time is – don’t trust computers.

I’m not the only person with this earth-shattering insight, to be fair. Veritas, Cheyenne, Seagate and many other companies have made a very valuable SKU from their backup software.

The IT professionals out there have made a virtue from backing up anything and everything to tape, disk or Cloud (or diskette, if you go back far enough). I can’t fault them/us for that. Computers screw up. The ferrous oxide on which we all relied for storage occasionally throws a wobbly and loses information; people sometimes find a file called “Do NOT Delete on Pain of DEATH.TXT” and… delete it.

Business has adopted the back-up as a means to protect the business. I have no argument with that, whatsoever. I’m not trying to pick a fight with storage vendors.

The problem is that, under the GDPR, the “back up everything” mentality is no longer fit for purpose when it comes to personal data.

Article 5 of the General Data Protection Regulation is specific about “Principles relating to processing of personal data” (being specific within the context of the regulation seems to be a rare commodity).

Article 5 (1)(e) states that personal data shall be:

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)

Article 89 (1) states:

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

If you care to read the Regulation further, Article 89(2) and (3) go on to allow Member State law to derogate from the data subject rights in Articles 15, 16, 18, 19, 20 and 21 for those purposes.

So… Unless you have a particular interest in the wording and application of the Regulation in the broadest sense, or your name is Rumpole and you work at the Old Bailey… So what?

The regulation is saying that organisations can’t keep data beyond its intended use. Under Article 5 (1)(e), if you have told a data subject that you will keep their data for one month – and you have the legal grounds to do so – you keep it for one month, end of.

End of..? Not quite. Article 89 says that if there is a public interest, statistical, scientific or research purpose behind keeping the information then you can keep it, but on the principle of data minimisation, and you need to think seriously about pseudonymising it. A pseudonym would render my name (Mark Evans) as Citizen X, for example, with the mapping back to my name held separately (that is what Article 4(5) means by pseudonymisation). Bear in mind that pseudonymised data is still personal data under the Regulation (Recital 26); it only leaves the Regulation’s scope once it is genuinely anonymised, which is harder than it looks. All of my attributes could be used for research, as long as a combination of those attributes doesn’t single me out and destroy the pseudonymisation.

For example:

Pseudonymisation: Citizen X

  • Male
  • 45-54 years of age
  • Based in the West Midlands
  • Works in Data Protection and Cyber Security
  • 6ft tall
  • Bald, shaved head
  • Speaks with a Black Country accent
  • Speaks at conference
  • MBA qualified
  • Writes articles on GDPR on LinkedIn

As you can see, it doesn’t take long before pseudonymisation breaks down and I become more easily identified.
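To make that concrete, here is an added worked example (mine, not part of the original article) that runs the same narrowing over a small, invented extract of pseudonymised records. Every record, the attribute names and the merge tables are constructed for illustration. It counts how many records survive as each “known” attribute is added, measures k-anonymity (the size of the smallest group sharing the same quasi-identifier values; k = 1 means somebody is singled out), and then coarsens the attributes until no combination is unique.

```python
from collections import Counter

# Constructed sample: a pseudonymised research extract. Names have been
# replaced by opaque tokens, but the remaining attributes are kept as
# collected. All eight records are invented for this illustration;
# C-0001 plays the part of "Citizen X".
RECORDS = [
    {"pseudonym": "C-0001", "sex": "M", "age_band": "45-54", "region": "West Midlands",
     "sector": "Data Protection", "height_cm": 183, "accent": "Black Country", "speaker": True},
    {"pseudonym": "C-0002", "sex": "M", "age_band": "45-54", "region": "West Midlands",
     "sector": "Data Protection", "height_cm": 175, "accent": "RP", "speaker": False},
    {"pseudonym": "C-0003", "sex": "M", "age_band": "45-54", "region": "West Midlands",
     "sector": "Retail", "height_cm": 180, "accent": "Black Country", "speaker": False},
    {"pseudonym": "C-0004", "sex": "M", "age_band": "35-44", "region": "West Midlands",
     "sector": "Data Protection", "height_cm": 183, "accent": "Black Country", "speaker": True},
    {"pseudonym": "C-0005", "sex": "F", "age_band": "45-54", "region": "West Midlands",
     "sector": "Data Protection", "height_cm": 168, "accent": "Black Country", "speaker": True},
    {"pseudonym": "C-0006", "sex": "M", "age_band": "45-54", "region": "North West",
     "sector": "Data Protection", "height_cm": 183, "accent": "Mancunian", "speaker": True},
    {"pseudonym": "C-0007", "sex": "F", "age_band": "35-44", "region": "London",
     "sector": "Retail", "height_cm": 170, "accent": "RP", "speaker": False},
    {"pseudonym": "C-0008", "sex": "M", "age_band": "45-54", "region": "West Midlands",
     "sector": "Retail", "height_cm": 183, "accent": "Black Country", "speaker": True},
]

# Everything except the pseudonym is a quasi-identifier: harmless alone,
# identifying in combination.
QUASI_IDENTIFIERS = ["sex", "age_band", "region", "sector", "height_cm", "accent", "speaker"]

# What an outsider might already know about the person they are looking for,
# in the order the article lists it.
KNOWN_ABOUT_CITIZEN_X = [
    ("sex", "M"),
    ("age_band", "45-54"),
    ("region", "West Midlands"),
    ("sector", "Data Protection"),
    ("accent", "Black Country"),
]


def matching(records, **attrs):
    """Records whose attributes equal every value given in attrs."""
    return [r for r in records if all(r.get(k) == v for k, v in attrs.items())]


def narrowing(records, known):
    """How many records remain as each known attribute is added in turn."""
    counts, so_far = [], {}
    for attr, value in known:
        so_far[attr] = value
        counts.append(len(matching(records, **so_far)))
    return counts


def k_anonymity(records, quasi):
    """Size of the smallest group of records sharing the same values for all
    the quasi-identifiers. k == 1 means at least one person is unique in the
    extract and can be singled out; the pseudonym then protects nobody."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


# Generalisation tables (constructed): merge the two age bands, collapse the
# English regions, and drop the attributes that are rarest and least useful
# for a trend analysis (height, accent, sector, conference speaking).
AGE_MERGE = {"35-44": "35-54", "45-54": "35-54"}
REGION_MERGE = {"West Midlands": "England", "North West": "England", "London": "England"}
COARSE_QUASI_IDENTIFIERS = ["sex", "age_band", "region"]


def generalise(records):
    """Return a coarsened copy of the extract in which several people share
    every remaining combination of attributes. The input is not modified."""
    return [
        {
            "pseudonym": r["pseudonym"],
            "sex": r["sex"],
            "age_band": AGE_MERGE.get(r["age_band"], r["age_band"]),
            "region": REGION_MERGE.get(r["region"], r["region"]),
        }
        for r in records
    ]


if __name__ == "__main__":
    print("records left after each known attribute:", narrowing(RECORDS, KNOWN_ABOUT_CITIZEN_X))
    print("k-anonymity of the raw extract:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    coarse = generalise(RECORDS)
    print("k-anonymity after generalisation:", k_anonymity(coarse, COARSE_QUASI_IDENTIFIERS))
    print("candidates for Citizen X after generalisation:",
          len(matching(coarse, sex="M", age_band="35-54", region="England")))
```

On this extract the candidate count falls 6, 5, 4, 2, 1 as the five known facts are added, and the raw extract has k = 1 (every row is unique), so the token is decorative. After generalisation the same five facts leave six candidates and k rises to 2. In a real release you would want k much larger than 2, and you would check it against the attributes an adversary can actually obtain (LinkedIn profiles, conference programmes), not just the ones in the file.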

So? Come on – benefits of GDPR?!

Think of the money invested in storage by most organisations. Think of the “Whoah – just in case!” data stored across any business and there is a cost. In these days of Cloud backup where the cost per GB is minuscule, guess what? There’s still a cost.

Article 4 (12) defines a ‘personal data breach’ as:

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

Okay, so a ‘breach of security’ leading to loss, deletion, disclosure, alteration or unauthorised access is the key here. I’m sincerely hoping that you’re all already on the next page.

What type of data can’t be accidentally or unlawfully destroyed? Can’t be lost, altered, disclosed, transmitted, stored or otherwise processed?

Data which no longer exists. Data which has served its purpose and been disposed of. Data which has been lawfully destroyed.

As far as personal data is concerned, the GDPR is mandating that companies achieve a lean, process-driven approach to the use and removal of the data.

Long-term storage in Amazon, Azure or whatever will be fractions of a penny per GB for some organisations.

There is an old saying, “That which is given freely is rarely valued.”

Business has long treated personal data as freely given (who doesn’t want a special offer saving four pence on pasta sauce from a supermarket?) and, by eroding respect for the data beyond the money it generates, has allowed a situation where large organisations are sitting on a mountain of data which is now both an attack surface and a liability under the GDPR…

  • Get rid of the data which informs you of nothing
  • Save on storage
  • Make data searches faster (less data, faster searching)
  • Make data searches on current information! Who needs to know that Citizen X bought a brand new Morris Ital in 1982 (I didn’t, but that’s data that might trip someone up, somewhere)
  • Make backup and restore operations more focussed
  • Be able to prove to the ICO, to senior managers and shareholders that not only are you protecting the business legally, you are looking to put a cap on the spiralling cost of storage, backup, operational overhead from backing up and restoring data
  • Become a leaner operation
  • Know where the data is, what it is for and when it is no longer relevant
  • Remove “noise” from business decisions
  • Become an expert in your own data

There may be an argument for keeping historic data for trend analyses. Fine… Get m’learned friends in to formulate the requirement within the parameters of the regulation. Get your technical people in to formulate the appropriate security. Get HR in to own the processes for dealing with any “off piste” activity from employees around the data and its usage. Get data scientists to put the data into a context where “Citizen X” doesn’t map directly to “Mark Evans”. I foresee an opportunity for universities to gather information (with appropriate permissions from data subjects where required and contractual bases for using the university as a data processor, obviously) in order to process data on behalf of organisations… Another potential cost saving.
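An added example of what a lean, process-driven approach to use and removal looks like in code (this is illustrative, written for this page, not taken from the article or from anyone’s production system). The purposes, retention periods, sample records and the pseudonymisation key are all assumptions made up for the demonstration. Expired records are removed from the live store; where the purpose is one the organisation has lawfully earmarked for statistics under Article 89(1), only a minimised, pseudonymised extract is kept, with direct identifiers dropped and the subject reference replaced by a keyed token whose key stays with the controller; records under legal hold are kept and flagged for review rather than silently retained or deleted.

```python
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule keyed by the purpose the data was collected for.
# The purposes and periods are invented for this example; a real schedule
# comes from the organisation's record of processing, not from a script.
RETENTION_DAYS = {
    "order_fulfilment": 30,      # the "told them one month" case
    "warranty": 365 * 2,
    "marketing_consent": 365,
}

# Purposes for which the organisation has a documented Article 89(1) basis
# to keep a minimised, pseudonymised extract for statistics (assumption).
STATISTICAL_PURPOSES = frozenset({"order_fulfilment"})

# Key for the pseudonym token. In production this lives in a secrets store
# with the controller, never alongside the extract (Art. 4(5): the "additional
# information" must be kept separately). Hard-coded here only so the example runs.
PSEUDONYM_KEY = b"example-only-rotate-me"


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_on: date
    name: str
    email: str
    postcode_area: str        # outward code prefix, e.g. "B" for Birmingham
    order_value_gbp: float
    legal_hold: bool = False  # live complaint, dispute or litigation


def is_expired(record, today):
    """True once the purpose-specific retention period has run out."""
    if record.purpose not in RETENTION_DAYS:
        # An undocumented purpose is itself a finding: refuse rather than guess.
        raise ValueError(f"no retention period recorded for purpose {record.purpose!r}")
    return today > record.collected_on + timedelta(days=RETENTION_DAYS[record.purpose])


def value_band(gbp):
    """Coarsen a transaction amount so it no longer identifies an order."""
    if gbp < 50:
        return "0-49"
    if gbp < 200:
        return "50-199"
    return "200+"


def pseudonymise_for_statistics(record):
    """Article 89(1)-style minimisation: drop direct identifiers, coarsen what is
    kept, and replace the subject reference with a keyed token so the extract
    cannot be linked back without the controller's key."""
    token = hmac.new(PSEUDONYM_KEY, record.subject_id.encode(), "sha256").hexdigest()[:16]
    return {
        "token": token,
        "postcode_area": record.postcode_area,
        "order_value_band": value_band(record.order_value_gbp),
        "collected_month": record.collected_on.strftime("%Y-%m"),
    }


def apply_retention(records, today):
    """Split the live store into what stays, what moves to the statistical
    extract (pseudonymised), which subject ids are deleted from live data, and
    which expired records are being held back for legal reasons.
    Returns (kept, statistics, deleted_ids, held_ids)."""
    kept, statistics, deleted, held = [], [], [], []
    for r in records:
        if r.legal_hold:
            kept.append(r)
            if is_expired(r, today):
                held.append(r.subject_id)   # expired but retained: review it, don't forget it
            continue
        if not is_expired(r, today):
            kept.append(r)
            continue
        if r.purpose in STATISTICAL_PURPOSES:
            statistics.append(pseudonymise_for_statistics(r))
        deleted.append(r.subject_id)
    return kept, statistics, deleted, held


# Constructed sample data; every person and order here is fictitious.
TODAY = date(2018, 7, 1)
SAMPLE_RECORDS = [
    Record("A", "order_fulfilment", date(2018, 5, 1), "Ann Example", "ann@example.org", "B", 120.0),
    Record("B", "order_fulfilment", date(2018, 6, 20), "Bob Example", "bob@example.org", "WV", 40.0),
    Record("C", "warranty", date(2015, 1, 1), "Cal Example", "cal@example.org", "DY", 310.0),
    Record("D", "warranty", date(2015, 1, 1), "Dee Example", "dee@example.org", "WS", 95.0, legal_hold=True),
    Record("E", "marketing_consent", date(2017, 6, 1), "Eve Example", "eve@example.org", "B", 0.0),
]

if __name__ == "__main__":
    kept, stats, deleted, held = apply_retention(SAMPLE_RECORDS, TODAY)
    print("kept in live store:", [r.subject_id for r in kept])
    print("deleted from live store:", deleted)
    print("expired but under legal hold:", held)
    print("statistical extract:", stats)
```

Run against the sample on 1 July 2018, records A, C and E are deleted from the live store, B and D stay (D only because of the hold, and it is reported as such), and the statistical extract contains one row for A with no name, no email and a token that cannot be turned back into “A” without the key. The same logic has to be applied to backups: a restore that resurrects deleted personal data puts you straight back where you started.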

So… What’s the benefit GDPR brings?

A mandate for lower storage cost, operation, processing, risk. More time-bound, current information. Less opportunity for data to succumb to anything in Article 4 (12).

The days of “You never know – it may come in handy?” for personal data are coming to an end.

I think people who sell storage may not be so happy, but if people are buying less storage volume, this might prompt the move to faster SSD uptake in the storage market, a potential money-spinner?

I, for one, will be professionally overjoyed to see organisations deleting data they no longer need. It will show a maturity of custodianship which is long overdue.

A little creative thinking?

I, for one, am sick to death with the negativity around GDPR. I am challenging myself to write a regular piece about the benefits of GDPR (of which there are many).

I reiterate; I, for one, am sick to death with the negativity around GDPR.

Further, I am aggravated by newly-minted data privacy ‘consultants’ prefixing every comment with “Ah… But – €20m…” with a sly, knowing wink as shorthand for “I am about to invoice you to hell for consultancy of dubious quality…”

One of the areas which has raised my ire in recent weeks is the plaintive cry that ‘that nasty EU is depriving people in Marketing’ of the use of private data, namely email addresses.

I appreciate that email dates back to the mid-90s as a usable tool for addressing prospects and customers, but it has been used lazily, it has been used by spammers and it has been used as a shield against actually having to understand customers.

“You can’t take my contacts list!”

… a comment I’ve heard on a number of occasions.

Why? Why not? I’ve yet to come across anyone (myself included) who curates their personal contacts list to see whether it is still accurate and valid, to see whether people whose business cards seemingly appeared from the ether in my wallet still want to contact me, or for me to contact them.

GDPR is like the responsible adult telling unruly children that pulling Jennifer’s ponytail isn’t nice and that Brian is just as capable of kicking a football as anyone else, even though his trainers are not “dope” (that’s me getting “Home with the downies” in terms of current hip slang… I’m sure I left my coat around here somewhere…)

For those who cling to their 2,000/20,000/10,000,000 email addresses in the contacts list, the barrier to entry for advertising ‘stuff’ has simply been adding those addresses to a CC: list in order to flog something (hopefully BCC, because a CC: list discloses every recipient’s address to every other recipient, which is itself a personal data breach as defined in Article 4(12)).

Bringing in a regulation that demands that people, y’know, actually take care of someone else’s personal data is way overdue.

Anyone crying that their world is coming to an end, take it from someone who (gasp!) was working before the Internet came into operation – people sold stuff very successfully prior to the advent of email. No one wandered into a shop and inexplicably walked out with the keys to a Morris Marina and a ticket on Concorde to New York. People saw – and responded in their multitudes – to undirected advertising. And they bought things.

The first person to buy an IBM PC didn’t buy it in response to an email.

What seems to be missing here is an appreciation that advertising works. Good advertising works wonders. Older readers will remember “Go to work on an egg” or “Naughty, but nice” – taglines which even now conjure up images of the Egg Marketing Board and fresh cream cakes.

“Naughty, but nice” was a phrase created by Salman Rushdie for Ogilvy and Mather, so it’s obviously not just a case of throwing words together and praying…

How many people can remember an email from ten years ago – ten weeks even – which caught the attention so vividly and burned a message in to a huge audience?

Don Draper? We need you!

Will GDPR see the re-elevation of the advertising agency? I think that there may be an opportunity for people who have relied on the easy route of blasting out email to engage with a market which has proved, time and again, to be suckers for a good advertising campaign. It doesn’t have to be an expensive, Saatchi mini-epic featuring A-list celebrities in order to get attention, as evidenced by:


You buy one, you get one free! I said – you buy one, you get one free!

Regardless of your views on double-glazing, the advertising campaign for SafeStyle Windows stuck in the memory through TV, radio and newspaper adverts. Their emails? Straight to junk mail.

It is often (incorrectly) quoted that the Chinese have the same word for “Crisis” and “Opportunity”. I believe that there is a huge swell of people who are in crisis mode and not looking at the opportunities which can come from changing tack.

The hit rate for email marketing is neither here nor there under the GDPR, because the practice brings pitfalls around consent and legitimate interest (and, in the UK, the separate rules on electronic marketing in PECR) which anyone with any sense will seek to avoid.

Place an advert. Let people come to you. They are self-selecting leads and, by responding, they have asked to hear from you (note that this is not the same as the PECR ‘soft opt-in’, which only covers existing customers being offered similar products or services).

What about if no one responds? Well, would they have responded to an email? Is your advertising any good? Is your product any good?

The era of mass emailing people who may have glanced at a web page will soon be gone.

My advice – for what it’s worth – is to go for undirected advertising, make the adverts interesting, attractive and engaging and let potential leads show themselves.

These adverts will be more valuable than the reputation-rubbishing effect of sending spam to someone every twenty minutes. I know companies from whom I wouldn’t buy a lifebelt in a flood because of the way they throw crap messaging at me through any means to get to my mailbox.

Mass advertising, to reach a wider audience… who might buy something.

It does what it says on the tin.

It Shouldn’t Be A Fight

Going by the content generated on LinkedIn, GDPR is prompting adverts for services and software, often ill-informed arguments over the minutiae of subsections of the regulation and an unseemly rush to promote oneself as the go-to guy/gal for GDPR regulation.

Discussions on various forums have descended into vitriolic exchanges as people jostle for position to be seen as an authority on the subject. It seems as though people see the Regulation as a zero-sum game for the individuals and organisations seeking to develop the market for consultancy services or tin-shifting.

Perhaps this was all predictable. We have the EU on one side, raising the bar for penalties for organisations playing fast-and-loose with data subjects’ digital identities, a large cohort of organisations trying to remain profitable in the falling ash of the credit crunch with, seemingly, little time to absorb, understand and act on the new regulation, and a market which had been hankering for the next Millennium Bug as a ‘hanger’ on which to sell services or tools.

Regulation is a fact of life. No one consciously thinks on a perpetual basis about the regulations which shape our modern world as we absorb their strictures almost by osmosis.

This privacy regulation came into force on 25 May 2018 and there has been all manner of fall-out from it: some informative, some counter-intuitive and some… just plainly bizarre.

Instead of wasting energy in jockeying for position in the market, we would be better served by sharing information.

It is a huge market.


There is a phenomenal shortfall in suitably-equipped advisers to steer business through. Instead of bickering with people who are potentially equally as ill-informed, why not share information, guidance and thoughts in order to raise the bar for everyone?

This unseemly battle for top-billing is a side-show for the desperate, and should be dismissed as such.