I could have written this blog about Axon, a company who have been regularly emailing me in breach of PECR since I downloaded their GDPR document, or a dozen others. The Data Protection People cold-called me, and were surprised when I mentioned the Corporate Telephone Preference Service to them. All of these folk purport to be capable of helping others in their Data Protection efforts but either they don’t know how to comply themselves, or it isn’t sufficiently important to them to bother.

On Friday, I spent a very enjoyable day training a group of school headteachers and business managers. They took in a lot of information about the GDPR and Data Protection implications for their schools with good humour and a constructive attitude, but the Data Protection Officer requirement was a stumbling block. Very few schools need a full-time DPO. A small, well-run primary school will need a relatively small amount of DPO time to keep them on an even keel, but unless the Data Protection Bill / Act delivers them a miracle, they will be legally obliged to have a named DPO. It’s daft but it’s true.
I find it hard to picture how a school will find someone half-decent to support them in the sea of endlessly swirling bullshit that has engulfed the Data Protection world over the past couple of years. I have never been as busy as I am currently, and I have never had so much fun doing my job. But when I look up from the work I am actually doing to see what state the DP sector is in, I am ashamed to be associated with Data Protection. Everywhere you look, there is scaremongering hype, ridiculous claims about fines, about a SAR tsunami, claims about businesses closing and the ICO stalking the land like Godzilla. As many GDPR folk never tire of complaining, I do spend some of my time calling it out. I correct false claims. I draw attention to crap articles. I argue with LinkedIn bullshitters, who block me because they’re cowards.
But just as when I wandered into the charity sector with an (overly) critical eye, the same legitimate criticism has been levelled at me again. Why don’t you do something constructive? What some of these people mean (and what some of them have said to me privately) is “there’s plenty of money to be made here, why don’t you just let us take our piece?”. The problem with this is that I don’t care how much money anyone makes. I could charge more than I do. I could go for more lucrative work. I could do more work. My criticisms of the bullshitters are not motivated by money. If all I cared about was cash, I wouldn’t just have given up a substantial guaranteed income to work solely for myself in 2018. But some of the people who ask that question are sincerely motivated, and they mean the same thing that my charity critics meant – why don’t you *do* something.
In March, I published a guide for fundraisers on Data Protection. I will be updating that guide in the next month to cover GDPR and the DP Bill. In the meantime, I have written another guide, this time for those organisations seeking an external, contract-based Data Protection Officer. It is designed to help the small, non-expert organisation to choose the right DPO consultant. You can find it at this link, in the downloads section of my website.
I have several other guides planned for 2018 – if you have suggestions for things I might write given what I have done so far, you’re always welcome to let me know. I probably can’t do them all, but the folk who ask me the ‘constructive’ question in good faith make a good point, and I’d like to do my small part to clear the fog, and make a positive contribution. And for all those people who think I’m a dick for doing and saying things like this, don’t read the guide. You really won’t like it.