There are various ways to describe “King of Data Protection” Jamal Ahmed, but subtle is not one of them. His new book ‘The Easy Peasy Guide to the GDPR’ arrives with huge fanfare, promoted on a website with the address “bestgdprbook.com” (take that, Dibble) and accompanied by a remarkable depiction of the man himself as the dominant figure in world privacy. He is not just the “reigning global expert on GDPR” (take that, everyone), but “a pivotal force in reshaping data privacy”.
Ahmed doesn’t undersell the book either: it “empowers you to unravel GDPR complexities, boost your self-assurance, and become the authority”. Reading the book promises “a thrilling journey of transformation”. It is, he claims, a “masterpiece” that provides “unyielding clarity to excel your career”.
In the light of this, reading it is a bit of an anti-climax. There’s literally less than meets the eye, as the text is printed inside margins of almost 5cm. I’m not saying this is done to bulk it out, but that’s the effect.
Ahmed’s approach is simple: he copies the text of the GDPR Articles, breaks it down into chunks and then adds his summary below each chunk. Despite an EU legal requirement to acknowledge the source when copying its legislation, Ahmed claims copyright on the whole thing and credits no-one else. It is not the best GDPR book by any standard, but the ‘Easy Peasy Guide’ is possibly the first one to breach EU law. If you’re wondering how he deals with the recitals, it’s simple. He doesn’t. There is literally no reference to their existence. Whatever they add to the Articles, he ignores.
In the preamble, Ahmed promises to deal with the “real world” implications of the GDPR; the guide will help you shape “an effective data privacy strategy”. His self-described track record is one of advising corporate giants around the world but none of that experience makes it to the page. One way to bring the text to life might be to use practical examples of how he has applied the more challenging provisions with his clients. There’s no hint of that, no pointers on frameworks or approaches to take, or tactics to adopt. Whatever insights his globetrotting career has given him, he doesn’t share them here.
Everything therefore hangs on whether Ahmed can provide a clearer version of what GDPR requires than the actual text itself. There are problems with this, the most obvious of which is how often he gets it wrong or omits a vital detail.
- Frequently, he replaces ‘shall’ (meaning a thing you have to do) with ‘should’ (meaning a thing that you ought to do but don’t have to)
- His definition of personal data leaves out indirect identification
- ‘pseudonymisation’ is explained in a garbled way that implies that the data shouldn’t be unmasked to the subject (rather than anyone)
- Ahmed describes personal data breaches as “when an unauthorised person or organisation” destroys, loses or otherwise compromises information – the correct definition is much wider, including accidental loss or destruction by the controller
- The definition of biometric processing is wrong: it states that the process is to identify people’s physical characteristics, rather than to identify people *by* their physical characteristics, which is what the GDPR says
- The summary of the purpose limitation principle talks of “approved” purposes, whereas the original says “legitimate” which is a different concept. Ahmed also replaces ‘specified’ (meaning set out explicitly) with ‘specific’ (meaning defined in a precise way) – they’re not the same
- The summary for the accuracy principle misses out the qualifier ‘where necessary’ from ‘up to date’, leaving the reader with the false impression that personal data must always be updated
- Article 11 says that data subjects should be informed that they cannot be identified “where possible”; the summary says “they must tell the data subject”
- There is no mention of the two-month limit on extending subject rights requests in the summary
- In the summary of Article 12, “unfounded” is replaced with “repetitive”, which is actually one of the characteristics of “excessive”, erasing the former concept altogether. There is no attempt to explain what ‘manifestly’ means in this context (the summary leaves it out)
- The summary of Article 14 leaves out the requirement to provide information about categories of data and the exemptions. It also ignores the crucial element that data obtained from other sources can include publicly accessible sources
- “without hindrance” in Article 20 becomes “must help”
- Ahmed describes Article 21 as giving an absolute opt-out from all profiling activities, instead of just those related to direct marketing (he needed ‘including’ instead of ‘or’)
- The Article 29 section on processors states that they can only process data as instructed by the controller, ignoring the fact that they can do so if required by law
- The section on Data Protection Impact Assessments changes the requirement to carry out a DPIA in certain circumstances to something a controller “could” do
There are other less impactful errors, but another problem is that Ahmed’s stated goal of reducing the GDPR to ‘easy peasy’ language is applied inconsistently. Sometimes he leaves references to specific Articles out of his summaries; sometimes he leaves them in and doesn’t explain what the particular Article is about. He strips out Article numbers or sub-section letters, but then the summary refers to them (in one case, a list appears as bullets, but the text below refers to the letters that he has removed).
Because his summaries are unnumbered, it’s sometimes difficult to relate specific elements back to the articles, so it’s not always clear what part of the GDPR he’s referring to.
The above issues are on the page – Ahmed’s approach leaves significant gaps and gets things wrong. But I think it’s also fair to say that he’s not a particularly clear writer. He writes sentences like “If a controller cannot identify a data subject, they must tell the data subject”, while a precise concept like ‘machine readable’ becomes “easy for machines to read”.
Ahmed and his followers constantly complain about ‘legalese’ – I think the GDPR has less clunky language than, say, the Data Protection Act, but nevertheless, if the premise is that technical language should be removed, then it should be removed. Except it isn’t. Phrases like ‘without prejudice’, ‘no less onerous’ and ‘processing operations’ make it into the summaries. If his pitch is that the language is simplified, how do we end up with clunkers like “if the domestic or Union law applicable on the controller authorises them to do so”?
To be clear, I reject Ahmed’s premise that privacy pros should resist “trawling through legislative jargon”. They should embrace it. I am not a lawyer, but the first act in my career in information rights was reading the FOI and Data Protection Acts. When the GDPR was published years later, I knuckled down again. That’s the job. I’ve spent my career encouraging people to get stuck into the legal texts precisely because to do so is to empower them. It’s why I am here. I’ve seen huge numbers of people from all walks of life – none of them lawyers – engage directly with legislation confidently and make it part of their success.
But even if you agree that a competent professional needs to be spoon-fed a bowdlerised version of the most important text in their working life (OK, given the absence of the recitals, some of it), Ahmed’s inconsistent approach fails on that score. Multiple concepts like ‘sub-processors’ and the European Data Protection Board go unexplained, and there are scant examples to flesh out his words. The classic 2023 Dad joke is ‘Did ChatGPT write this?’ but if Ahmed produced this without recognising what he’s missed, it tells an uncomfortable story about how well he really understands his subject.
Of course, you might counter all of this by pointing out that the actual text is right there and you can see what the GDPR says immediately above. It is not – so the book says – intended as a replacement. So why not just read it yourself? You need the text anyway. So read it. I have great faith in your capacity to do so.
The most dispiriting thing about the ‘Easy Peasy Guide’ is that Ahmed thinks that his readers need it. Instead of encouraging and supporting them to get stuck into the laws that they need to work with and understand, he infantilises them. Positioning himself high above everyone else as the “reigning global expert”, adopting the #King mindset, he starts with a childish title and then offers his followers a set of thin, underdeveloped summaries that rob the GDPR of the nuance that professionals must contend with every day.
On the first page, Ahmed claims that his book is a “one stop resource”. So how does it equip readers to traverse national legislation like the UK’s DPA and PECR? What clarity does he provide on the guidance, regulatory decisions, or the vital judgements of the European Court of Justice that every data protection professional needs to be familiar with? There’s literally nothing. No guide, no sign-post: you’re on your own.
I hear that Ahmed has already accused me of being a racist and if that’s how he wants to deal with critiques of his approach, that’s up to him. I doubt this review will make things better. For the record, I’d like to see evidence beyond me absolutely not recommending that you buy his book and being sceptical that anyone ever called him ‘King’ spontaneously. However, as he blocked me many months ago, I don’t think a debate is very likely. In closing, let me say this: Jamal Ahmed is not the King of Data Protection. He is just a strutting Emperor with no clothes.