Wednesday, 8 March 2017

Will the latest marketing and consent guidance result in a financial shortfall for charities?

Concern has been mounting that the attitude the Information Commissioner’s Office is currently taking towards charities will result in it becoming even harder to raise funds from supporters and potential supporters. New guidance about how charities should obtain consent to contact supporters, and how this consent should be used, has recently been published by both the ICO and the Fundraising Regulator.

But are the regulators really raising the bar? Or are they just reminding charities what the rules actually are?

In the eyes of some, the Information Commissioner, together with the Fundraising Regulator, are enforcing privacy standards that make life much more difficult than should be the case for reputable charities to carry out fundraising initiatives. Pre-ticked boxes are out. Consent for direct marketing must clearly relate to each of the different methods that charities plan to use. Silence does not indicate consent.

In the eyes of the regulators, however, it is important that charities should be observing the rules that have been in place for many years, as well as preparing for new requirements, to be introduced in May 2018 by the General Data Protection Regulation. Specifically, much more light needs to fall on the opaque practices of marketing, data matching and tele-appending.

As far as the ICO is concerned, data matching and tele-appending are different practices from purely direct marketing. So, supporters must be informed about these practices. Such views were met with considerable alarm by some charities, who were concerned about what their supporters might think (and how they might act) if they really knew how their personal data was being used.

When speaking at a Fundraising & Regulatory Compliance Conference in February 2017, Information Commissioner Elizabeth Denham reminded delegates that:

“The Data Protection Act is a principles based law. It doesn’t address the legality of particular activities. You won’t find a clause that says wealth screening is against the law, for example. But you will find principles that say data must be processed fairly and lawfully.

Some of the activities that we investigated charities for will never be accepted as being fair. It’s hard to imagine, for example, a circumstance where searching out phone numbers or addresses that have not been shared could be fair.

Wealth screening, at least how we have seen it being done, is not fair either.

Let me be clear. It’s not that the activity is against the law but failing to properly and clearly tell your donors that you’re going to do it, is.”

So, whether charities like it or not, the transparency bus has rolled into town. For good.

A number of charities have recently started to revise their contact preference strategies, and to be more transparent about how they use their supporters’ details.

Before doing so, however, the lack of empirical evidence as to the likely effect of changes in existing contact strategies, or in being more transparent, caused some fundraising executives great concern.  Fortunately, evidence is emerging to support the contention that a transparency-based agenda is not such a disastrous strategy - for highly-regarded organisations, at least.

In 2015, for example, the RNLI decided to change the way it raised money for its lifesaving service. Initially, it was concerned about the potential adverse financial impact when changing its practices and moving to opt-in communications for its supporters. 

By late 2015, the RNLI’s supporter database held about 2m contacts. But, many of these contacts had not been active for some time, and it only had regular communications with and responses from around 885,000 people. So, would a change to an opt-in model ensure that the charity would continue to be able to rely on sufficient numbers of engaged supporters? It had braced itself for a potential reduction in income, after all mitigating factors were taken into account, of £35.6m over 5 years.

That’s a lot of money, potentially, to lose.

However, the RNLI had a pleasant surprise. The original assumptions proved to be wrong. The opt-in rate did not drop to 25% of the original database; the actual rate was closer to 40%. The charity exceeded its original intention of opting in 250,000 supporters by the end of 2016. By February 2017, over 375,000 had said that they still want to keep in touch.

And, it wasn’t just their existing supporters that responded – the charity also attracted new support, with over £175,000 in unsolicited donations via the opt-in marketing campaign.

As far as Elizabeth Denham is concerned, what charities now have to do is to find a way to excel within the boundaries of the rules. They can cling to the belief that regulators have got the law wrong, or that it doesn’t apply to the charitable sector, or that the regulatory burden is too great. Or, they can commit to positive change.

Change that, in her view, is not only achievable, but will reap its own rewards.


Sunday, 29 January 2017

What (currently ignored) privacy area might result in early enforcement action when the GDPR is in force?

We have 480 days to go before the General Data Protection Regulation is “in force”.

And then what?

That's the question I’m being increasingly asked these days.

Does it really mean that in 481 days, European privacy regulators will be heralding the first megafine for non-compliance with one of the GDPR’s more obscure requirements?

I think not.

But it will undoubtedly lead to greater unease amongst the audit committees of many firms, particularly those in the (regulated) financial services sector, who will note, from the data protection compliance reports that have been commissioned, the difficulties that are being encountered in ensuring that sufficient evidence is available to demonstrate how the organisation complies with the GDPR.

Many of the organisations I’m currently working with are still trying to understand just what it is that they are supposed to be complying with. And also, what standard of evidence is necessary to be generated, just in case privacy regulators exercise their Article 30(4) right to request it.

Each professional consulting firm I’ve come across carries out data protection audits / health checks in different ways. And, in assessing data controllers through different privacy prisms, I’m confident that some organisations might well “pass” a privacy review that was carried out by one consulting firm, yet “fail” the review that was carried out by another firm. Why? Because the other firm had decided to focus on some obscure GDPR issues that the original firm didn’t think were particularly relevant.   

Does this matter?

Well, it would if it led to the organisation performing poorly in a review that was carried out by a national privacy regulator.

So, what should be done to reduce the likelihood of such an event?

In the UK, the ICO has provided organisations with a great deal of guidance as to precisely what controls they would expect to see in place and operating effectively. I don’t see this degree of guidance readily available in other EU countries. I have not had an opportunity to review all the webpages of each national data protection supervisory authority, but my cursory checks have certainly not unearthed the level of detail that has been published by the ICO. Perhaps this will be a task for the Data Protection Board.

But, in the short term, what new areas of non-compliance might European privacy regulators focus on?

If I were a privacy regulator, I would focus on records management and, in particular, the greatly ignored area of records retention. So many organisations find it hard to develop, let alone implement, comprehensive records retention policies. Are they in for an unwelcome surprise? The GDPR is (apparently) going to require data controllers to be more transparent about their records retention policies.

The potential fine for not informing individuals, as their personal data is being collected, about retention periods is of course significant. But do (even) regulators take the issue of data retention that seriously?  Outside the communications sector, how much interest, or formal enforcement action, has ever been taken against data controllers with regard to breaches of the Fifth Data Protection Principle?

I’m not aware of many cases. Over retention may have been an aggravating factor when the ICO considered the level of a fine for some incidents involving security breaches, but there are very few recorded cases of enforcement action being taken just because a data controller retained data for longer than the regulator considered necessary.

Perhaps this will change.

But, since most data controllers have paid no more than lip service to the difficult issue of the period for which the personal data will be stored, I doubt that many currently feel that the ICO’s attitude will change significantly in 480 days’ time.


Sunday, 8 January 2017

When does the General Data Protection Regulation not require firms to appoint a Data Protection Officer?

I’m increasingly asked whether particular firms actually need to appoint a Data Protection Officer in order to comply with the requirements of the GDPR. Given that the potential fine for non-compliance (with Article 37) is €10 million or up to 2% of the total worldwide annual turnover, companies quite understandably don't want to get such a basic issue wrong. Many firms that are basically B2B firms, who mainly process personal data for HR purposes, don't want to gold-plate their privacy compliance programmes (to the extent they have any) by taking unnecessary action.

The Article 29 Working Party published an opinion on this subject last December. To be frank, it’s only somewhat helpful.

With regard to the private sector, firms that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale, must appoint a DPO.

The meaning of “core activity” has been set out in Recital 97. This relates to ‘primary activities and do not relate to the processing of personal data as ancillary activities’. The A29WP opines that “all organisations carry out certain activities, for example, paying their employees or having standard IT support activities. These are necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.”

So, it would appear that the GDPR does not require firms that simply process personal data for HR purposes to appoint a DPO.

But what about, say, the customer data that's processed by firms – particularly by those in the B2B sector? How much (personal) customer data needs to be processed before the threshold for appointing a DPO is reached?

To answer this question, I’ve looked at the A29WP’s guidance on the meaning of the term “large scale”. Firms that don't process such data on a large scale don’t need to appoint a DPO. Unfortunately, the guidance (and the GDPR) is sketchy on what the term actually means.

Recital 91 explains, in the context of Data Protection Impact Assessments, that “large-scale processing operations” include those “which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk” to individuals. On the other hand, the recital specifically provides that “the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer”.

So, the test appears to focus on the size of the firm, as well as the amount of personal data that is being processed. Accordingly, some types of SMEs – the smaller ones - will not be required to appoint a DPO. This is important, as SMEs account for more than 99% of all UK businesses.

Unfortunately, there is one fundamental problem with the SME sector. That problem is that even within the UK government, there is no single definition of what a small or a medium enterprise is.

According to The Company Warehouse, for the purpose of Research and Development Tax Relief, HMRC defines an SME as a business with not more than 500 employees and an annual turnover not exceeding £100 million.

However, the rest of the UK government does not use this definition.

For the purposes of collecting statistics, the Department of Business, Innovation & Skills defines SMEs as companies with less than 250 employees.

For accounting purposes, Companies House defines a small business as employing less than 50 people and a turnover under £6.5 million and a medium business as less than 250 employees and a turnover under £25.9 million.

To further complicate things, other parts of the UK government use the EU definition of an SME:
  • Micro Business = less than 10 employees & turnover under £2 million
  • Small Business = less than 50 employees & turnover under £10 million
  • Medium Business = Less than 250 employees & turnover under £50 million

So depending on which definition you use, an SME could have anywhere between 50 and 500 employees and have a turnover between £6.5 million and £50 million.

One way to encourage SMEs to comply with the GDPR must involve coming up with an easier definition of when they must appoint a Data Protection Officer.



Saturday, 31 December 2016

My (somewhat unreliable) data protection predictions for 2017

I’ve recently had a quiet year on the blogging front – my professional duties have prevented me from playing a more active role on the Internet during this year than I would have liked, but that is set to change in 2017. 

My professional work this year included acting as a specialist adviser to the Joint Parliamentary Committee on the Draft Investigatory Powers Act, one of the most significant pieces of legislation to be laid before Parliament for many years, to advising large (and some not so large) companies, particularly in the financial services sector, on the steps they should consider taking to show how they comply with their current and their future data protection obligations.

Next year? Who knows whom I’ll be advising!

But what can I (unreliably) predict for the forthcoming year?

  1. The incoming Deputy Information Commissioner (Policy), who starts work in Wilmslow on 30 January, will amaze the data protection community with his knowledge of data protection law and practice. He will be supported through the year by key ICO staff who have a very considerable amount of knowledge of data protection law and practice.
  2. An increasing number of organisations will realise that, unless they start soon, they won’t have the time (or access to much external professional support) to fully prepare for the coming into force of the GDPR in May 2018. There are, after all, only 513 days to go. The final text of the GDPR was published some 750 days before the implementation date. Many organisations have done virtually nothing during the first third of the preparation period.
  3. A couple of private sector firms will decide to pay an ICO Civil Monetary Penalty, rather than go into liquidation and, like a phoenix, arise from the ashes and continue trading under a different corporate name.
  4. Data protection professionals will continue to feast on nuggets of guidance from the Article 29 Working Group, despite some of the Working Party officials privately advising key opinion formers to ignore parts of what was “agreed”. The Working Group offers opinions. They're not definitive statements of the law that must be ruthlessly adhered to.
  5. European courts and European privacy regulators will continue to present challenges to European law enforcement authorities, making it even more cumbersome for stored communications data to be used to fight various types of crime. Even the ICO may be denied access to communications data to address the problems caused by spam, because sending unsolicited communications may not be a sufficiently serious “crime” to justify the use of stored communications data for such a purpose.
  6. The ICO’s new satellite office in Central London will prove so successful that an increasing number of staff will want to work from that office. It is, after all, quite a long way from Wilmslow.
  7. The Information Commissioner will continue to increase the profile of herself and her office, using a wide variety of channels to get the message across. Her highlight of the year will be an appearance on Desert Island Discs.
  8. Stratospheric salaries offered to experienced data protection practitioners in the (heavily regulated parts of the) private sector will continue to encourage ICO staff to seriously consider their commitment to working long-term for the regulator.
  9. Public sector data controllers will, facing yet another series of efficiency savings, find it harder to evidence how they are meeting data protection requirements. Some “good” public authorities will become “grotty” at evidencing data protection. More public authorities will ask the ICO not to publish the executive summaries of recent ICO audits. Unlike data protection professionals, local councillors are occasionally eligible for civil Honours, and they wouldn't want to jeopardise their chances of an Honour by being associated with a data protection snafu.
  10. The British Computer Society will demonstrate its commitment to data protection education by withdrawing the harder of its two professional data protection certifications, on the grounds that not enough candidates can be bothered to take such a rigorous exam to make it financially viable. 
That’s it for this year’s predictions. My crystal ball clouds over when Brexit is mentioned. No one has the faintest idea of what the data protection implications will really be. My heart tells me that the UK will experience a hard Brexit, and that however the GDPR is implemented by the UK, the EU will refuse to accept that Blighty has data protection standards that are equivalent to those that prevail elsewhere in the EU. Despite this, I remain confident that the UK will end up with data protection standards that are both realistic and appropriate for people who live in the UK.

My glass is always half full. It’s never half empty.

Happy New Year.


Wednesday, 16 November 2016

Apollo – they can’t still be up to their old tricks?

Two years ago I blogged about an unsettling experience I had with Apollo, a firm that had confused me as to what they were really all about. 

Since then, I’ve had a number of emails from people who have had similar experiences. Today, I’m reprinting (most of) the most recent one – which comments about an organisation called Apollo-Transitions. Surely, this is not the same company as the Apollo company I had encountered? But, spookily, Apollo Transitions Ltd has a remarkably similar logo to the old Apollo – and the same colour scheme. And, Geoff Russell, the person I met in 2014, is a member of the senior team.

Anyway, here’s the letter:

I have recently moved back to the UK [redacted].

As you did, I received the standard email wanting to organise a meeting with the senior partner etc. Whilst it all seems very odd, having a bit of time on my hands I thought I would go to a few meetings to see what I thought. By nature I'm a suspicious guy and to me this doesn't add up.

Like your experience in London I was very underwhelmed with the offices. A Regus office with no signage for Apollo in Cambourne, Cambridgeshire. 

Meeting with the senior partner was a great boost to my confidence as after a few questions and computer exercises (over the two meetings) I feel like I could head up NASA and solve world peace on the side. Whilst I understand that they are pumping up my ego, which is a great thing for job seekers, it's the little things that nag me.

  • Why no signage?
  • Why doesn't the ISO accreditation check out?
  • Recent company name changes
  • Long list of registered and de-registered companies associated.
  • £1000 up front and £2000 paid over two months with no guarantees?
  • Very vague reviews
  • Concrete testimonials
  • Not seeing any other customers coming or going over two meetings.
  • Generic career management options.
  • A lack of contacts of partners and staff on LinkedIn?
  • So many directors/ partners etc
  • Why did the laptop provided have no up arrow key button?
  • The white board having the same writing on it for a week.
  • Taking an important phone call during the meeting to explain how busy things are
  • Keeping me waiting for 5 minutes past the scheduled meeting time with no one leaving
  • A stack of topical books for improvement, job progression.

During the process I was under the impression I would be put in contact with some senior executives and would basically be buying a contact list and referral. When I asked this directly that seems not to be the case?

I find this whole thing very odd. In perspective £3000 for your dream job is probably a good buy but it's a hell of a lot of money for someone to jazz up your CV and say don't fidget during an interview.

If I had a lazy £3000 I would follow this through out of interest but I think the old adage "if it's too good to be true" probably is the one to use in this situation.

As a disclaimer I would love to be completely wrong about this company. I hope they are placing thousands of people in great jobs who are advancing their careers and improving both their and their families' lives.

I share these closing sentiments, too.