The list of things that annoy me about the explosion of hype and bullshit around GDPR is long and boring (NOTE TO SELF: this list should be a blog post of its own). I cannot say that top of the list are those badges that folk give their products, boasting about being “GDPR Ready”, or “GDPR Compliant” when nobody actually knows what being ready or compliant looks like, but they’re top five.
I was complaining about this on Twitter, and lovely people who enjoy seeing me annoyed started to send me examples of these badges from across the internet. It is via this route that I came to Emailmovers, a data broker who make luxurious claims about their data and its relationship to the GDPR.
Not only do Emailmovers have a badge, they claim to have been working closely with both the Direct Marketing Association and the Information Commissioner’s Office on GDPR issues. Indeed, until someone kicked up a fuss about it, Emailmovers had the Information Commissioner’s logo on their website. The logo has gone now, but if you work out where it was and click, there is an invisible link to the ICO’s website where it used to be.
Emailmovers certainly put up a strong case about the nature of the data they’re selling:
1) We are clear with individuals why we need their data at the point of collection
2) We always use clear and concise language appropriate for our target audience
3) We give individuals control over their data. They are always able to decide whether to share their personal data with us or not
4) Under the GDPR principle accountability, Emailmovers is able to demonstrate that we are compliant. We always record the legal grounds for processing an individual’s personal data
I can’t say that any of this is untrue, although I am sceptical. Generally, I think that the data broking industry is irredeemable, incapable of operating lawfully either now or in the future. The data broker acquires data, accumulates and appends it, and then sells it to clients. This is the opposite of fair. However and wherever the data was obtained from, whatever transparency or fair processing was given to the subject, it would be vague. It could not say which specific organisations would receive the data, and often, it could not even say which sectors. The data broker does not know – they sell to whoever is buying. This kills consent – which was supposed to be informed and specific since 1995 – and it kills legitimate interest. How can you assess the effect on the subject if you don’t know when obtaining the data what you’re going to do with it? If a data broker obtained individual email data under legitimate interest, they couldn’t sell it on for marketing purposes, because the client will not have consent to send the marketing in question by email.
None of this will stop the data broking industry from carrying on – when some of the biggest brokers are ICO stakeholders whose activities have gone unchecked for decades, it’s hard to imagine that the GDPR will make much of a difference.
Nevertheless, there was one thing about all this that I was able to check. I made an FOI request to the ICO asking about contact that Emailmovers had had with the Commissioner’s Office, particularly with the policy and liaison teams. If Emailmovers really had been working closely with the ICO, there would be evidence of this, right? The ICO’s response was revealing:
“There was no direct contact between Emailmovers and our Strategic Liaison/ policy department concerning advice about GDPR.”
Emailmovers had made a couple of enquiries – ICO was too cautious to tell me what they asked, but they supplied the replies which offer no more than a simple (but accurate) explanation that business to business communications are covered by the GDPR, a brief observation that the ePrivacy Regulation is coming but we cannot be sure what it will say, and separately, a straightforward note that even corporate subscribers need fair processing. This is not working closely with the ICO – they asked a couple of questions and got short polite answers. There are no meetings, no detailed correspondence, nothing at all to suggest anything approaching the relationship they boast about here:
I can honestly say that I am in regular contact with the ICO about a variety of matters. It sounds good, but it’s true only because I nearly gave evidence in one of their prosecutions (they didn’t need me in the end), I make a lot of FOI requests to them, and I tweet at them almost daily.
I don’t accept that making a couple of enquiries equates to working closely with someone. The fact that Emailmovers make this claim on their website, and displayed the ICO logo prominently until recently, makes me very uneasy about the other things they say. The GDPR sector is full of bullshit and exaggeration, fake certifications, hokey badges and bluster. As we near the supposed cliff edge of May 25th, we should all take the time to check every claim with great scepticism, and to treat the badge-toting hordes with the same caution that Humphrey Bogart treated a certain bogus Federale: