Header image

In the land of the blind - the one fact GDPR 'expert' is king

So many myths and legends - so little time. As the GDPR deadline looms, many find themselves poorly armed for the task ahead. It's all too easy to be seduced by the smooth words of a confident individual.

Like all good narratives, the stories surrounding GDPR contain many surprising plot twists. And, as we gallop towards 25th May, some of these are only getting more bizarre as compliance one-up-manship also begins to take hold.

My favourite of these occurred last week when I caught up with a previous colleague who was at the tail end of a business meeting with another contact. As they parted company, patently with points to action and further discussion required, the contact said "I'll look up your email address online and contact you that way." (I'm paraphrasing - but you get the general drift.) "Of course - now that I am no longer allowed to write your email address down on a piece of paper."

Honestly - my jaw did drop to the floor and I did one of those comedy double takes. "Yes - continued my colleague - these new data protection laws are a real bind aren't they." This was the point at which I sat them both back down again to give them a bit of a talking to.

There are two things here - who in their right mind would think that anyone could write a piece of watertight legislation that means you can't write someone's email address down so that you can remember it, and how on earth would you be expected to police this. Are you supposed to prove that you have destroyed it afterwards? Maybe if you wrote it on the back of your hand you would need to video yourself washing it off - and then video yourself deleting the video because the first one would contain the personal information? Secondly, why had the individuals who had been given this advice not questioned it as the undeniable piece of tosh it was - are we that easy to brainwash?

Perhaps some of the answers lie in the legislation itself - it's big, it's complex and it requires thoughtful application to an individual entity's business operations. But I think it is more likely that the speed at which we run our modern lives has robbed us of the ability to take a carefully considered approach to change. No one can train for a marathon in a week and expect to clock up a decent time (nor even a sprint for that matter).

These individuals would do well to spend more time listening to Elizabeth Denham and the ICO's excellent advice. It is measured, consistent and eminently sensible. Last week at the DMA Data Protection conference, Elizabeth once again set out that good data protection practice is about engaging communications that deliver rational information at point where we might be making an emotional decision. I suspect that she picked that word rational on purpose.

With only 20% of the UK public expressing trust and confidence in the companies and organisations that store their data, and 78% believing that businesses benefit more from the value exchange of data, surely our focus should be more on understanding what we need to do rather than creating petty little rules that tie individuals into administrative knots.

Data protection has four fundamental cornerstones:

  • Respect for privacy
  • Being honest and fair
  • Operating diligently
  • Taking responsibility

Given that data fuels our personal and business life, and our economy as a whole, is it too much to ask that it is taken as seriously as something like financial governance. Educating your staff is part of this - but make sure that the lessons are valuable and complete - not just an elastoplast moment of ridiculousness.