What are you doing and why are you doing it?

When people ask Data Protection questions, I’ve come to realise that they’re hoping for a nice simple yes/no answer. That’s why they so often phrase their question, ‘But is it okay if we just…’

And yet they so rarely get a nice simple yes or no answer. Instead, if they talk to me, we begin with a few questions:

  • What is the thing you are doing?
  • Why are you doing it?
  • What’s the outcome of not doing the thing?

And they need to explain to me, a person who doesn’t have ten years’ experience in their particular field of expertise, what they are doing and why they are doing it. This is often annoying for them. Sometimes for me too. We need to break down ‘the what and the why’ until I have a nice, simple dummy’s guide to what’s going on. I’m the dummy in this conversation. I keep asking ‘why’ until I could explain the purpose of the data processing to, well, anyone.

What are you doing and why are you doing it? This is a key part of the GDPR. Your company needs to be able to explain to people – nice, normal people who don’t have ten years’ experience in the exact expertise under discussion – what is being done with their data. And why.

Why we’re planning to do this thing can be super-helpful – but we’re not always great at having a nice clear reason for why we do things. (“Why? What do you mean why? We’re doing it because our director wants us to and we’ve already started the project and this is all budgeted for this financial year and this is just the way the system comes out of the box and we don’t have funding for changes!!”) This is why I try the sanity check of ‘what happens if we don’t do the thing.’ (It doesn’t always help. If the answer is ‘I’ll get into trouble with my manager’ then we aren’t quite having the right conversation yet.)

If we can understand the why of the activity, it gives us our best clue about how to define ‘our legal reason for doing the thing.’ (Aka, in GDPR-speak, ‘our lawful basis for processing’, which includes everyone’s favourite plain English term, ‘legitimate interests.’)

There is still so much confusion about this. Everyone went batshit-GDPR-crazy about consent in 2018 (yep, that’s the technical privacy term) and everyone in Data Protection world (which had suddenly expanded to include several million panicked people) had conversations like this:

Business lead: BUT WHAT IF THE PEOPLE DON’T CONSENT TO THE THING

DP lead: Do we actually need consent for this thing? What’s the outcome of not doing the thing?

Business lead: THE GOVERNMENT WILL CLOSE US DOWN OR FINE US BECAUSE WE HAVE TO DO THE THING

DP lead: Okay then. In that case, you aren’t really looking for people’s consent. You just need to make sure they’re aware that we have to do this legally mandated thing. That means we’ll put it in our privacy notice.

Business lead: BUT CONSENT

DP lead: Bring me the tequila.

*

People of the GDPR lands, before you go to your Data Protection leads with your newest and most awesome idea (“to get them to sign it off”) make sure you can explain to anyone, to everyone, to a semi-interested seven-year-old, to an antagonistic customer, and yes, to your weary Data Protection lead, WHAT YOU ARE DOING AND WHY YOU ARE DOING IT.

And Data Protection people, if you’re struggling with your ROPA (Record of Processing Activities) or with risk assessments, this is one lever that can make things easier. It’s something you can provide good examples of. It’s something you don’t need ‘data protection experts’ for. It’s something you can and should easily train your key business leads to do.

 

My manager wants to collect my feelings

A question from a friend that made me weep data protection tears recently.

Their new and enthusiastic manager had noted an absence of team morale, which seemed, from my friend’s account, to be linked to constant changes in roles, supervisors and team direction, and to nobody being able to work in an agreed way for more than three months before everything was changed again. Everyone was a bit weary.

The solution? The latest manager had decided that people should record their feelings at the start and end of work days. On a white board. In their shared office. And then she would note these down so she could track trends and everyone could discuss these at team meetings.

My friend’s question: Is she allowed to do this? Is that okay with Data Protection and stuff?

Response from Data Protection: NO NO NO NO NO BRING TEQUILA NOW. (Also, a bit more NO.)

My friend was uncomfortable raising this with HR or Data Protection in their company, and worried this would be seen as telling tales, or could be used against them by the new manager.

Handy Data Protection tips: Data Protection leads would rather hear about things like this quickly. It is our job to hear about things like this quickly. Frankly, the manager should have told us about this wonderful new idea quickly. What we dislike is hearing about it months down the line and dealing with regulatory complaints about things like this.

Why is The Public Feelings Collection White Board a bad idea?

Well, for lots of reasons. Let’s work through a few of them.

The Public Feelings Collection White Board is being used to collect HR data. Employees are being asked to record personal information (how they are feeling) to be used (in ways not quite specified) relating to their role and their management.

What is it being used for? People should know what their data is going to be used for. In this case, the purpose was very vague – to track how things were going.

There was an implication that this was being used to show that things were improving under the new manager, which meant people felt uncomfortable about it – should they tell the truth? Should they pretend they felt better than they did, just to make the new manager happier? Because the purpose of the collection was so unclear, and because it made people nervous, people were providing information that was not accurate.

How long would it be held for? No one had thought about that. The white board got wiped every week, but the manager was keeping notes for herself. Would these be deleted after each team meeting? Or kept for years so that the changing emotional state of the team could be tracked for The Vague and Unspecified Purposes?

Will this be used as part of decision making about staff? This was unclear.

Was this mandatory? We’re supposed to be clear with people about whether the information they provide is mandatory or not, and if it is mandatory, what are the consequences of not providing it. When a manager says, ‘Write your feelings up here in plain view of the office’ a lot of people feel that a manager’s instruction makes the activity mandatory.

Was the information secure? Well, no. It was a public white board where everyone could see each other’s Feelings Record for the day. Apparently it could also be seen through the window, just where the office smokers tended to gather.

Had there been any sort of impact assessment, say, relating to privacy? Well, if there had, then everyone involved should be fired. Into space. In a rocket.

It was, in official Data Protection Terminology “A Very Bad Idea Done Very Badly.”

How might this have been done better?

In some ways it might be easier to ask how it could be done worse.

If you manage staff and you have an idea like this, here are a few pointers:

  • Have a chat with your HR team
  • Consider people’s privacy – assume that at least some people have a strong sense of privacy and do not like sharing what they consider personal things at work
  • Keep people’s HR/personnel data private – discussions about people’s health and well-being should be for supervision sessions, and you shouldn’t share them with people’s colleagues. (Though they may choose to!)
  • If you’re thinking of collecting information from your staff in a new and exciting way, like on a white board, have a chat with your Data Protection team, or find out if there is a risk assessment they would like you to complete.
  • Before you approach your HR or Data Protection teams, set out very clearly why you want to do this, what problem is being addressed, and why this problem couldn’t be addressed in a less privacy-intrusive way (such as discussion at supervisions)
  • Bring them tequila along with your query.

 

Your privacy lead is not Q

Do you work in an organisation with a Data Protection lead? Probably. Most organisations heard about the GDPR, at some point in 2017, and panic-recruited accordingly.

WE MUST RECRUIT SOMEONE FOR DATA PROTECTION, BRING US DATA PROTECTION PEOPLE AND THEN THEY WILL MAKE DATA PROTECTION HAPPEN.

Your lead might be a formally designated ‘GDPR DPO’ or they might head a small data protection function and be kept hidden somewhere in a basement.

There is one very, very important thing you need to know about your data protection lead, regardless of their job title. They are not Q.


They are not omnipotent. They are not all-seeing. They are (most likely) not experts on:

  • All laws relevant to your business and the application of those laws
  • Management of an IT department
  • Management of a Human Resources department
  • Project management
  • Risk management
  • Management of a Procurement department
  • Training and communications
  • Managing complaints from members of the public
  • All of your key business functions
  • Leading strategically at board level

If you have a Data Protection lead who is an expert on all of these areas: congratulations? I think? You should appreciate them. They sound like they might be qualified to be your CEO.

On any given day, your Data Protection lead is going to get questions relating to any and all of these things. Could one person actually answer questions about and make the right changes in any and all of those things? Probably not. They are not actually Q. They may be an expert in some of these, but not likely all. They may be an experienced generalist with a good overview of how things should (but may not actually) work in all these areas.

But they don’t, likely can’t, and probably shouldn’t directly manage all of these areas. If they do – they are your Chief Exec.

So how does your organisation support your Data Protection function to address questions, issues, and risks associated with these areas?

Do you have a governance structure that actively includes these areas and which makes sure risks are being documented and addressed?

Does your Data Protection lead have the mandate to raise risks at the highest level? Are these risks considered and acted on? Do you make clear decisions about when you are going to tolerate a risk and when you are going to mitigate it?

If a decision is made to mitigate a risk, who is responsible for making a particular team carry out that change? Is this ‘a data protection thing’ or is it decided and communicated at a senior level to all the relevant managers?

Do your managers and leads in each business area have a solid grasp of the GDPR and of company policies? Are they championing privacy and supporting their own staff to get things right? Could they do with additional training?

We all know “GDPR D-Day” has passed. But we also know that most organisations are not confidently settled into the brave new world of Data Protection being taken seriously, in a consistent, ongoing way.

Don’t lose all the good project work of the last two years. Or year. Or nine months.

Work with your Data Protection lead on a maintenance and assurance plan that doesn’t involve them being mistaken for Q.

 

PS: They aren’t Q from James Bond either.

PPS: Don’t actually recruit Q from Star Trek. Troublesome employee. Would probably cause a data breach.