Seersucker

Although it appears to have fallen silent, the Institute of Data Protection had an impressive sales pitch. It was “one of the most forward thinking and advanced learning programmes available for data protection professionals. We represent and support our members, promoting the highest professional standards around data protection and privacy issues”. UPDATE: since this blog was published, the IDP website has been taken down, but you can still see it on the Wayback Machine: https://archive.org/web/.

According to its website “The IDP is now recognised as THE authoritative voice of the industry, with its members providing a reputable and ethical service”. There is no reference to who or how they were so recognised, but reality never held the IDP back. It aimed to “enhance the overall image of our industry and in a striking couple of sentences, appeared to be aiming for a semi-official status: “Data protection and privacy is an area where consumers have the strongest need for a supervised body to ensure regulation is adhered to and that data is ultimately protected. That is where the IDP step in. They purported to have been created as “an independent mechanism to enforce this Code of Practice”.

It’s amusing to contrast this bombast with what the IDP actually did. The Institute hasn’t blogged or tweeted for a while now but even when it was active, I never saw an event associated with it, and crucially, despite its “powerful global presence within the profession”, I never met anyone who was a member, or who knew anything about it. It seemed to exist solely as an idea.

The only mention of the IDP I ever saw anywhere outside its own website and social media accounts was an intriguing reference on the website of Seers, a company which claims to offer “world’s leading privacy & consent management platform”. Seers is currently involved in the ICO’s regulatory sandbox, working on consent management for children.

Seers’ website still (at the time of writing) makes the claim that may be the sole reference to the IDP’s actions in the wild: “Seers GDPR Training course is accredited by industry bodies such as the Institute of Data Protection (IDP)”. UPDATE: since this blog was published, the reference to the IDP ‘accreditation’ has been removed from the Seers website but you can still see it on the Internet Wayback Machine. I can’t see any reference on the IDP’s website to any kind of accreditation process; indeed much of the content appears to suggest that the IDP was offering its own “learning programme”. Nevertheless, Seers appears to be the only organisation that ever interacted with it. As a side issue, I would like to see a citation for their claim that “It is Now a legal requirement to show your Staff have been Trained in Data Protection & GDPR“.

Despite the hyperbole, the IDP plainly did not have any power or authority to accredit training courses. The IDP never existed. The only reference to its real world status is in its terms and conditions: “idp Group Limited is registered in England and Wales under company number 09789319 and have our registered office at 60 City Road, London, EC1V 2NX”. But there is no IDP Group registered on Companies House. There is no group, there is no single company. 09789319 is the company number of IAccountants, whose website currently doesn’t work but is still filing accounts.

This is a problem for two reasons. The first is that unless you are approved by Companies House to do so, it is unlawful to claim to be an Institute. The ‘IDP Group’ has never legally existed, so it was definitely not approved to operate as an Institute. The other problem is more significant. IAccountants has one director: Adnan Zaheer. Mr Zaheer is the director of a number of different companies, but you may be surprised to learn that one of the others is Seers.

Some of Seers’ other practices are also a little shady – I used a cookie checker on their website to run a scan on 2040training.co.uk. I didn’t opt into marketing. The report didn’t arrive for several days, but in the meantime, I received a marketing email from a Seers staff member who is remarkably hard to find in the real world telling me that I did not have a “a compliant cookie consent on your website, complete with script manager, consent logs and prior consent per GDPR law”. It went on to say “Therefore, per GDPR law you should install the compliant cookie consent for a mere £6.99/m”. I’ve never thought of telling my customers that they had to attend my training courses as per GDPR law, which might be why I am not as world leading as Seers. I asked the Seers employee why they were making this claim when their own report subsequently says that I don’t have any cookies, but I haven’t had a response. When I mentioned this to Zaheer on LinkedIn, he blocked me.

This is serious stuff. Participation in the ICO Sandbox is not necessarily an endorsement, but inclusion in a regulator’s pet project is plainly going to carry weight with a lot of people. I made an FOI request to the ICO to find out what due diligence they carried out before selecting Seers, and from what they sent me, it seems that the company filled out an application form, there was a 15-minute phone call with Zaheer, and then, because Seers’ application was strongly associated with Commissioner Liz Denham’s pet project the Age Appropriate Design Code, they were a shoo-in. I was provided with no evidence of any checks into what kind of company Seers is, or what else they have been involved in.

The Institute of Data Protection is / was fake. Any endorsement or accreditation it purportedly gave would have been bogus, but the claim on Seers’ website is especially dodgy due to Zaheer’s links to both. This imaginary ‘accreditation’ is a dishonest claim for which Seers’ directors should be, at the very least ashamed. No competent regulator would have anything to do with them.

I’d say that I am staggered that the ICO is daft enough to let a company like this get involved in their sandbox project, but I’m not, given the ICO’s lamentable track record of unwise endorsements. The Denham era’s hallmarks are favouritism, credulity and incompetence. It would be nice to see Wilmslow pushing back against bullshitters every now and again, but instead, the ICO is determined to give them a platform.