Is GDPR fatigue a thing?

If I may, I want to get a little personal with you all if that is OK? Although, this is written and published now so if it isn’t OK then your only recourse is to leave now at this point (is this a valid consent I wonder?).

If you are fine with it, and have read up to this point I thank you. You may have noticed that I haven’t written about anything for a while. I wouldn’t blame you if you hadn’t noticed; my imposter syndrome is currently telling me that silence is a good thing. Truth be told, I’ve been struggling to think about areas to write about. I start a piece on a particular matter or area and don’t seem to finish it.

When I tried to explore why I could only reach one conclusion, have I become GDPR ‘fatigued’?

Don’t get me wrong, my enthusiasm for all things information remains, but as I spend long hours during the day wrestling with the finer points of the GDPR when it then comes to writing about it the mind just seems to draw a blank. I’ve been looking at the GDPR since it was first published back in 2012 so that’s about 5 years now of GDPR in one form or another.

5 years isn’t that long, and we have a lot more to come with a lot more content and practical implementation, so can I really be that fatigued with it?

There are a lot of good resources out there and as we creep ever closer to the enforcement date more and more GDPR is on everyone’s lips. You’ve already seen articles from the likes of Tim, Rowenna, Jon and even the ICO on some of the more ‘inaccurate’ resources and myths that are out there. So good, bad or ugly, there is a lot out there.

In all my self-indulgent musings I think I’ve finally come to the conclusion that I’m not GDPR fatigued, but there is a real danger of that. Yes GDPR is important and yes it is a change, but the range of nonsense that is out there that constantly comes my (or indeed everyone’s) way means that eventually we will just get a little sick of it.

One thing I would recommend, at the risk of possibly self-promotion of events, is getting out there with other professionals. Yes it takes time and some degree of travel and will cost you a beer or 2 but I can safely say that ‘socials’ with other like-minded individuals are worth their weight in gold. Not least because you can sense check yourself, confirm that you are not an imposter, and remind yourself of the reasons why we do what we do, and we are all information governance geeks.

So that just leaves me to say watch this space. More stuff will be coming soon, hopefully useful stuff from someone trying to implement this with no budget and a list of complexities as long as your arm.


Post-truth Privacy

In 2016 we have seen the ‘birth’ of several new things. GDPR, The Snoopers Charter, an EU without the UK, United States of America with the most controversial leader for a generation and something called ‘post-truth’.

The Oxford English Dictionary defines post-truth as an adjective defined as ‘relating to or denoting circumstances in which objective facts are less influential in shaping public opinion than appeals to emotion and personal belief’. It appears this won the OED’s word of the year for 2016 because of the effect it had over the EU referendum in the UK and indeed the presidential election in the US. But are we seeing something similar occurring in the field of privacy regulation?

On the 6th December, the Information Commissioners Office, under its new leader Elizabeth Denham, announced that it was fining 2 charities (British Heart Foundation & RSPCA)  for widespread disregard for people’s privacy.  Their list of offences included;

  • Wealth screening without consent including data sharing (with wealth companies) without consent.
  • Data sharing with tele-matching companies (an undetermined number of records shared) without consent
  • Data sharing amongst themselves without consent

This came about as a result of a programme of work the ICO has been undertaking into the Charity Sector. The results of which include the above but also a special area and resources on the ICO website outlining the illegal practices that charities may have been undertaking and what citizens can do to protect themselves.

This isn’t the first entity in the Charity sector to show a distinct lack of DPA / Privacy compliance, according to the ICO website since December 2015 the following actions have been taken;

  • Dec 2015 – UCAS fails to provide a suitable level of assurance has appropriately addressed the actions agreed in its undertaking signed April 2015 regarding their collection and management of notices and consents, data sharing and marketing.
  • Jan 2016 – Alzheimer’s Society demonstrated serious failings in the way volunteers were handling sensitive personal data in various areas from security to access and email communication.
  • Feb 2016 – British Red Cross signed an undertaking to commit to best practice on the management of their marketing consents after failings were found.
  • Mar 2016 – Anxiety UK had a follow-up visit after various areas of low assurance were found.
  • Mar 2016 – Age International signed an undertaking to comply with privacy and marketing regulations after it was found that they were not complying with marketing & privacy regulations.

As someone pointed out to me lately, this is by no means damning evidence that all charities are bucking the rules (deliberately or otherwise) but the whole issue does seem to be sparking emotion against ‘experts’ (amongst others).

Daniel Fluskey, head of policy and research at the Institute of Fundraising, tweets that the ICO’s comments on the RSPCA and the British Heart Foundation are ‘(mis)leading’. He (and others) have gone on to say that the ICO should be supporting the Charities in their efforts to do good, and not be holding them against such rules that stop them ‘doing good’. Most of the articles that I have seen from those defending the RSPCA & BHF (reference to those shared by Jon, Tim & Rowenna amongst many others) all have a little bit of a ‘child got caught in the cookie jar’ tinge to them.

Stand up and be counted! Either 1 of 2 things occurred. You either new about the rules and chose to walk a different path (reasons unknown but can be assumed fairly confidently at this point) or you didn’t have the resources to know/implement better and you did the best you could. Given the child-like blaming of ‘mummy’ in that she didn’t explicitly tell you not to raid the cookie one would be fair in assuming it was the former and not the latter.

Everyone from data subjects, privacy campaigners to the ICO all has sympathies for those that try but due to limited resources struggle to achieve full compliance. But that does involve actually going out there to at least see what you should be aware of. Not just blaming your parents for not telling you up front.

The Law is there for a reason. As we have seen with the Brexit debate, because emotion says one thing, therefore the law should immediately say it as well (and so should those that impose the law). Like the Judges in the Supreme Court the ICO cannot be emotional about such matters and pick and choose where the law is applied and where it is not. The current (and indeed future) laws on Data Protection & Privacy do not grant Charities the moral high ground to buck out of observing the law. To my knowledge, there are indeed very few laws that give exemptions to the charity sector.

As someone that has worked for different charities, both as a compliance person and as a general volunteer just doing what we can, there are indeed some that try and get this right with the little resources they have. But there are the others that live in the era of post-truth and believe that human decency is on their side. Without putting the emotion to one side and having a real discussion about how to get this right for everyone, is the Charity sector doomed to live a post-truth head-in-sand world?

Next blog post shall be back to the lovely world of GDPR!

Privacy Notices under GDPR – Have you noticed my notice?

As you all know by now the General Data Protection Regulation (GDPR) is here and it is (as predicted) starting to get various people fired up ready for its 2018 implementation date. (Dear reader, it is still relevant despite the Brexit vote.) We’ve been exploring various aspects of the GDPR and in this particular blog I want us to look at the concept of privacy notices and what they will need to start looking like under the Regulation.
You can read this blog at 

GDPR Breach Notification: Hear no evil, see no evil and speak no evil

If you hadn’t have noticed we are now in an era of a final approved text of the long awaited General Data Protection Regulation. What exciting times we live in. My previous blog posts so far on the Regulation have talked about the principles as well as a general overview. Tonight Pinky, we are going to explore the GDPRs concept of breach notifications and what this may mean from a practical perspective (and then we will of course try to take over the world).

But first, if you’ve not downloaded the GDPR text app for your phone I highly recommend it. As a bit of a geek about such things I find it amazing that I can carry round a copy in my pocket and read at my leisure.

The most obvious starting point is the new legal requirements to notify both the supervisory authority as well as the data subject should personal data be ‘breached’. Article 4 (12) of the GDPR outlines a Personal Data breach to be “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Chapter 4, Article 33 (1) states that once a controller has become aware of such a breach (definition of aware not clear) the controller shall “without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority”. As the definition of ‘aware’ is disPicture1tinctly lacking I can see scope for a rise in ‘hear no evil, see no evil, speak no evil’. As it is many DPOs and compliance officers struggle to be made aware of such incidents so if the definition is going to be similar to that or making SAR or FOI requests whereby ‘notice’ can be given to anyone in the direct employ of that organisation this isn’t going to help us DPOs.

So when the business has finally informed you of this incident (or you’ve been lucky to capture it first hand) what does the GDPR ask you to provide the authority in your notification? Chapter 4, Article 33 (3) (a-d) states;

a) The nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
b) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
c) Describe the likely consequences of the personal data breach.
d) Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measure to mitigate its possible adverse effects.

Starting with point (a), this could be a little more complicated than first impressions. This also relates back to the Article 30 requirement on records of processing activities. Article 30 requires Controllers to have an accurate and up to date list of what Personal Data they have, why they have it, where they have it and to whom they share it with (I’m paraphrasing there but you get the gist). When building that list if you can include references to the types of records you have should an incident occur and X record types are concerned you know immediately what personal data they contain and indeed if the personal data records are likely to identify more than one data subject per record.

To help manage this requirement if you are a DPO and don’t know who your records manager is, now is the time to find them and talk to them about the types of records you own. If you don’t have a Records Manager, then Records Management is about to become a big thing for you so I would see if there is merit in getting one (or looking at it yourself).

Point (b) is fairly self-explanatory and there is scope both here and in the Codes of Conduct provisions in Section 5 Article 40 (2) (i) that allow for a supervisory authority to encourage codes of conduct for how breaches are reported to both the supervisory authority and data subjects.

Point (c) is interesting as it specifically says the ‘likely consequences’ of the disclosure. Logically, if you don’t have an accept risk management practice in your organisation, then in order to manage this requirement (and not report absolutely every possible outcome) you’ll need an agreed way to manage information risks, determine their impact likelihoods and their consequences. I suspect that as we progress with the GDPR implementation we will see some common guidance from authorities / the Data Protection Board on what are generally accepted as likely consequences and what are not.

In order to fully meet and understand point (d) you’ll need (again logically) to demonstrate some sort of route cause analysis so you can say X caused Y and it will be mitigated with Z process changes, A actions with the data subject and B actions with the staff member (s) concerned.

Now this requirement does state that this information can be provided at a later stage but a general notification must be provided and it doesn’t state what an acceptable timeframe might be. One assumes that as the DP Board is allowed to clarify and fine tune this requirement, as well as Article 40 allowing for Codes of Conduct which can cover breach notification (as well as a few other areas).

In summary then, in order to start getting into the practice of effective incident management not only will you need a robust reporting and monitoring framework for incidents but this must also form part of a risk management framework for your organisation. If you have a well-established method for determining risk (and indeed likelihood of outcomes) the breach requirements here aren’t therefore that much of a massive headache. Yes they will be complex as incidents often are but at least you have a decent framework in place to help steer your incident management in the direction you need.

Lessons inside and outside the classroom:

Something a little different from me in this blog post. I have always suffered with imposter syndrome and still do to this day. I’m either convinced that I’m wrong or convinced that there are far better people than me out there that know about information type stuff so who am I to pass comment on such things? Having said that I do acknowledge that I have been and continue to “go places”. Essentially what I am saying is that I am a conflicted little soul that is always looking to learn.

I have been lucky enough for the last few years to be invited to take part in a University College London class as part of their qualification in Archives & Records Management.  To spend time with those just starting out in their information careers and be able to have discussions with them on issues of the day really is a treasured opportunity, and something quite humbling.

I was there representing the Information & Records Management Society (IRMS) as part of a panel of 4 professional membership societies working in the IRM world. There was the IRMS, the Archives & Records Association (ARA), the Business Archives Council and Archives for London (who unfortunately couldn’t attend last minute).

The purpose of the panel discussion was to present what each body does, how they benefit their members and the purpose / function they serve to the IRM profession and ‘sector’. We would then debate relevant matters with the students there so they get an idea of the benefits that professional bodies can bring not only to professionals but also the profession and practice we all work within.

Hosted & chaired by the renowned Elizabeth Shepard, each of us gave a short presentation on our respective organisations and then we sat down to field questions that the students may have. And as students do the questions were direct, on point and once we got past that initial shyness were coming in thick and fast.

The main points were around diversity. Is this a good or bad thing? And pretty much across the panel agreement was that it was a good thing. All 3 organisations, while in the “information world” all had different missions, different support bases and different offerings. Each of which isn’t necessarily a right or wrong path but instead is a view of the information world from the corner in which we operate.

On key issues that affect all of us it makes sense to join forces and “cry out in one voice” that a particular matter is important. However for general day to day IRM related matters, to understand the issue and make the progress on it, sometimes you can’t beat that specific focus and attention rather than a larger ‘catch all’ type approach. Movements like the Information Management Alliance are brilliant ideas for our cause, but ultimately they are the sum of their parts, each part being as important as the rest.

The points raised by these students were all valid and indeed quite refreshing. Students & new professionals are, in my not so humble opinion, one of the best sources of challenge and fresh ideas. Even by just reading the Alison North IRMS New Professionals  Award entries over the last few years you see a wide range of thoughts, ideas and challenging concepts (mine excluded, I was just having a humorous moan about the then proposed draft Data Protection Regulation).

This commitment to learning and being open to new ideas is even more important in this time of change. As the Data Protection Regulation approaches (see it made its way back into a blog post) Data Protection Officers (and even other IRM professionals) will need to adapt to Data Protection being a more serious, high profile and indeed more complex area to work in. In order to ensure the Data Protection Regulation don’t just get seen as a tick box exercise (which is an opinion held by some) we will need to look at new ways of embedding and promoting compliance including learning to speak new languages (no not the language of love, but instead that mystical language of the Board).

But more on that in another blog post. For now, let us star 2016 with a reminder that life is a lesson and that you never stop learning. For to stop learning, is to stop growing.