Press "Enter" to skip to content

Miss Info Geek Posts

Brief Encounters: an open letter to lawyers

Published 2019-06-29

“When all you have is a legal education, everything looks like a contract”

Me

Dear lawyers

The rule of law and principles of justice are the foundation of civilised society. Thank you for doing your part to prevent us from sinking into Hobbesian savagery. Getting a legal education and licence to practice is clearly a long, arduous and expensive process. Well done you, for coming out the other end with a job.

Having said that; PLEASE SHUT THE FUCK UP ABOUT THE GDPR UNLESS YOU HAVE REALLY STUDIED PRIVACY.

Seriously. A legal education and a quick scan of the text of the GDPR do not make you a privacy expert. It may equip you to start out on your privacy expertise journey with a bit of an advantage, but it certainly doesn’t confer god-like powers of acumen and omniscience on your data protection pronouncements. And yet, people will treat you as though it does, because ‘lawyer’. You are in a position of responsibility, and your professional obligations include the duty to refrain from giving advice you are not professionally competent to provide, no matter how lucrative the opportunity or how clever and powerful it makes you feel.

Even if you’ve studied privacy law in depth and detail, you should probably avoid the temptation to offer your services as an adviser on operational matters. You may not have the business experience, the tech knowledge, the communication skills or the risk management discipline necessary to do the job adequately. Your legal background is also likely to skew your assessments of risk in favour of ‘legally-defensible’ rather than ‘protecting rights and freedoms’. This does your clients and their data subjects no favours at all.

Obviously there are lawyers who do have real data protection expertise, operational (not just legal) experience, who know how to get stuff done in a business-as-usual context, and who can reliably assess ‘what stuff, when and how’. They are a tiny minority of your profession. They are not who this plea is aimed at.

As I’ve said in a previous post, I’m not advocating ‘remain in your lane’, but rather ‘don’t merge until you are up to speed’ (as the brilliant Sarah Clarke paraphrased so succinctly)

Much of the most egregious #GDPRubbish in circulation is spouted by lawyers who don’t realise how uninformed and unprepared they are (see: Dunning-Kruger Effect). Whether from a well-meaning General Counsel who read in an online article that consent is always required, or a contracts specialist within an organisation who believes that all third-party suppliers are only Processors because, well, it’s in the contracts, or a law firm desperate to cash in on the privacy gold rush; the degree of sheer nonsense being propagated by lawyers who think they know best is a disgrace to the profession as a whole. It’s got to the point where I always double-check data protection advice when I learn that it originated from lawyers – and in the large majority of cases, I find it to be at best, inadequate and misleading; and at worst, downright inaccurate.

Uninformed, inexpert data protection advice from negligent lawyers has cost organisations not only the money for fees but also the funds required to fix things when the errors are discovered. It fritters away their time, their effort and their will to do things properly. It has unnecessarily decimated databases and probably killed whole forests-worth of paperwork. It’s shocking.

My experience does not appear to be unusual – in fact, the hordes of lawyers who gave poor GDPR advice are being encouraged to make amends to their clients, for the damage they caused. We’ll see how that goes.

Your professional education has possibly primed you to view your objectives in terms of ‘winning’, or ‘closing’. Data protection isn’t like that. It doesn’t shut up and go away when you cite clauses at it, its purpose is not to provide you with clients, income, or prestige. It’s the protection of human rights, dignity and freedoms. You can’t do that with documents or clever semantic debate, no matter how hard you try (or how much you charge). Data protection advice is not a courtroom battle, you’re not looking to crush the data subject, but to help your clients understand and apply the law. You need to think differently about data protection than you would about contracts, criminal cases, or civil litigation. If you can’t do that – keep your beaks* out of it.

If you’re a lawyer getting interested in data protection then hurrah – I hope you enjoy this exciting, challenging, complex area of law. Now please keep your head down until you know a lot more than law school taught you. Things like….

A privacy notice is NOT A SODDING CONTRACT!! It should not look like, read like, or give the impression of being a contract. Privacy information is not a fig-leaf behind which the unsightly intimacies of data processing can be hidden, it’s a vehicle for the communication of important information about autonomy, rights, and responsibilities. It’s not an internal policy, nor is it the Ten Commandments. And it is most certainly not part of any Terms and Conditions. Using crafty euphemisms and ambiguous platitudes to dodge around telling data subjects what’s really going on might be clever lawyering, but it isn’t data protection. Privacy notices written by lawyers tend to be those which bear least resemblance to the legal obligation of transparency. Awkward.

You are probably one of the least suitable people to be a Data Protection Officer, especially if you already have a role in the organisation and even more so if that role is General Counsel. Apart from potentially lacking the professional attributes and experience described earlier, you also have a massive conflict of interest. As a lawyer, the organisation is your client. As a DPO, you have two ‘clients’ with often-opposing interests which you most balance – the organisation and the data subjects’ right and freedoms. Such conflicts of interest for a DPO role-holder are prohibited by the GDPR. If you’re an outsourced DPO, then either you need to have had a few years experience in the practical side of integrating data protection within an organisation, or you need to have a bloody good team of people around you who can make up for the deficiency. If you have neither, you are the Emperor’s new clothes and sooner or later, someone is going to see through you.

If you have never heard of e-Privacy law and can’t explain the differences between PECR Regulations 6 and 22, then you are absolutely not qualified to advise on the legality of email marketing tactics or cookie dialogues. Don’t.

If you are an intellectual property lawyer then you need to forget pretty much everything you have learned and start over with an open mind. There is no concept of ownership in data protection law, only individuals’ rights and organisational responsibilities. Arguing otherwise makes you look like a buffoon. Data is not property in the eyes of privacy law. Repeat this every night 100 times until it sinks in and your buffoonery quotient is reduced. Fundamental, statutory rights cannot be waived by contract. Arguing otherwise makes you look like an American (which isn’t inherently a bad thing, but is a fairly strong predictor that your understanding of European law is insufficient to rely on for good data protection advice. #NotAllAmericanLawyers, of course).

Contracts do not determine reality. They are not magic spells. Contracts are, in theory, supposed to reflect and document reality for future reference (nice theory, rarely found in practice). If a supplier is making their own decisions about why and what to do with the personal data they access or receive from their customers, then the supplier is a Data Controller no matter what the paperwork says. They may be processing the data unlawfully by repurposing it, but they are doing so as a Controller. Paying someone does not make them your bitch, and paying another company does not make them your Processor, unless they cannot deviate from your (clear, detailed) instructions without your permission.

The terms ‘personal data’, ‘processing’, and ‘data protection breach’, are defined in Article 4 of the GDPR. Read them. You don’t get to make up your own definitions just because your legal brain is bigger than those of the drafters’.

I’ve probably pissed off a lot of people by now, and if you’re one of them, then perhaps take a minute to examine why you are cross. Is it because the criticisms laid out here don’t apply to you? Great, forget about it. Is it because they do apply to you and you’re now feeling attacked and victimised? Please try to get over it. See this as a learning opportunity, not a telling-off. Prove me wrong, I’ll be delighted. Is it because I used rude words? In that case, do please bugger off and learn to distinguish signal from carrier wave.

If you do want to become an awesome data protection professional as well as a lawyer, then come on in, the water’s fine – but start at the shallow end and keep your water wings on or you’ll make a mess.

*see what I did there? I made a legal joke! Laugh, dammit

Tools

Published 2019-06-05

“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

Abraham Maslow

An open letter to the information security profession

Dear infosec people,

You do a tough job in a complex, high-stress and fast-paced environment. I admire the cleverness of your technical capabilities and respect the challenges you face.

Having said that; PLEASE SHUT THE FUCK UP ABOUT THE GDPR UNLESS YOU HAVE REALLY STUDIED DATA PROTECTION.

Seriously. You’re making the lives of privacy professionals really difficult, and that’s not going to lead to collegiate and constructive co-operation. You’re also occasionally making yourselves look like right knobbers to those of us who do know what we’re talking about in this area.

I’m generally not a fan of the ‘stay in your lane’ philosophy – breaking down silos and working together is an essential part of being effective these days. However, if you have not learned the rules of the other lanes, then carelessly blundering into them and screwing with the traffic flow is just as bad – if not worse – than hiding in a silo.

I absolutely welcome infosec people learning more about privacy/data protection – it’s the career path I took myself and have flourished upon. What sends me up the bloody wall though, is the Dunning-Kruger Effect that is evident when infosec people try to tackle data protection without having spent the time and effort to understand privacy law. Because they get it so very wrong and are uncritically parroted by other people who aren’t familiar with either professional knowledge domain, thereby spreading myths, tropes and general #GDPRubbish.

Infosec and privacy are not the same thing at all. There is overlap, but only for a small proportion of both. There is wide divergence and narrow convergence. Information security is about protecting corporate information and systems. Privacy is about protecting individuals and society. Data Protection is privacy applied to information about living people.

pie chart of data protection principles
DP principles

Data protection requires information security, but only as a small feature in a broad landscape of human right-based risks, controls, considerations and obligations. There are seven principles in data protection law, and only one of them is ‘process personal data securely’.

There are a whole bunch of individuals’ rights that have nothing to do with the security of their data. There are a pile of obligations that don’t relate to information security in any way. If you didn’t know that, or you don’t know what those principles, rights and obligations are, then please either go and learn, or belt up and refrain from undermining privacy by hijacking GDPR conversations and narrowing them to infosec-centricity.

It’s understandable that when your whole world is one topic, you’ll see everything else within those terms of reference. It’s natural to have a whole bunch of cognitive biases and assumptions. This isn’t a value judgement on your character, it’s just me pointing out an opportunity to integrate rather than colonise.

To assist you with this, here are some nuggets of data protection wisdom for you to take away and keep.

  • Privacy is not equivalent to confidentiality, it is the right to be free from unwarranted or arbitrary interference. This may involve a degree of confidentiality for information, but not necessarily. Data Protection is usually more concerned with why you’re doing stuff with/to people via their data than how secret the data is.
  • Privacy is not the binary opposite of ‘in public’. In fact, ‘in public’ is a spectrum anyway, but even if it were a single environment, it would still not be the opposite of privacy, because being amongst other people does not negate your human rights.
  • ‘Personal data’ is wider than ‘personally-identifiable information’. It’s heavily influenced by context and association, and the same piece of info may be ‘personal data’ in one scenario but not in another. There is no binary always/never threshold. Deal with it.
  • ISO27001 or any other infosec standard will NOT deliver GDPR compliance. Not even close. Not even 50%. Done properly, 2700x can help you adhere to the security and accountability principles, but does nothing to address fairness, rights, transparency, rights, lawfulness (etc)
  • No system, tool, document set or ‘solution’ can be ‘GDPR-compliant’ in itself. Only when used in accordance with all of the data protection principles, within an organisational culture of respect for privacy, in a privacy risk-managed way, can it play a small part in GDPR ‘compliance’. Which, by the way, requires the org to have integrated strong data protection risk management as business-as-usual into EVERY process, system, activity and decision.
  • The GDPR is principle-based law on purpose. It leaves room for innovation, creativity, risk appetite and context. If you’re looking for a prescriptive checklist of inflexible instructions for which no nuance is required, then stop trying to understand data protection and focus on PCI-DSS instead.
  • The only time ‘encryption’ is the ‘answer’ to data protection, is when the question is ‘what is one way to protect the confidentiality and integrity of data within a particular digital processing environment?’.
  • Security controls themselves must be assessed for privacy risk. User monitoring and profiling, authentication and verification for example, carry inherent privacy risks of their own and the security justification for using them may be negated by the privacy justification for NOT using them. This is not ‘privacy stopping you from doing your job’ but ‘the lesser of two evils’.

I believe that the disciplines of infosec and privacy can and should work collaboratively and constructively. But in order to do so, privacy pros need to be sterner about emphasising the ‘rights and freedoms’ aspect of data protection, and infosec pros need to accept that their security expertise does not equate to competence in the privacy domain.

Thank you for reading

Lots of luv and respect,

Rowenna

(This was originally going to be an exasperated sweary rant, but it turned out quite moderate and civil. Apologies to anyone I have disappointed as a result.)

More about the differences between privacy and security

Discover what the other 90% of the GDPR is all about

10 Legitimate Interests Lessons for Marketers

Published 2019-02-11

1. Just because you’re interested, doesn’t make it legitimate.

2. You can’t use LI to avoid getting consent when you suspect the answer will be “No”

3. Whether LI can be applied depends on your own assessment of what you’re doing, why and how – which you will be expected to justify and defend.

4. LI is not ‘unclear’ or ‘ambiguous’; it requires thinking to be done and a decision to be made.

5. Publish your Legitimate Interests Assessments (LIA) if you anticipate/plan to reject objections to processing.

6. If a law says you have to get consent for a processing activity, then forget about LI. You can’t use it. Move on.

7. LI is only a valid lawful basis for processing personal data if you’re adhering to all of the principles. It’s not a loophole around compliance.

8. If your LIA is post-hoc rationalisation of something you won’t consider ceasing to do even though you suspect it’s a bit dodgy; then you wasted your time. Just make sure you have funds set aside to deal with complaints, regulatory action and reputation damage when you get found out.

9. The ICO is not responsible for your continuing professional development

10. No-one else can do your thinking for you

“We take your privacy very seriously”

Published 2018-11-11
“We take your privacy very seriously”

….says the intrusive ‘cookie consent’ popup which requires me to navigate through various pages, puzzle out the jargonerics and fiddle with settings before I can access the content I actually want to read on the site.

Here’s the thing. If your website is infested with trackers, if you are passing my data on to third parties for profiling and analytics, if your privacy info gets a full Bad Privacy Notice Bingo scorecard, then you DON’T take my privacy seriously at all. You have deliberately chosen to place your commercial interests and convenience over my fundamental rights and freedoms, then place the cognitive and temporal burden on me to protect myself. That’s the opposite of taking privacy very seriously, and the fact that you’re willing to lie about that/don’t understand that is a Big Red Flag for someone like me.

Read all of it…“We take your privacy very seriously”

10 Anger Management Tips for DP Pros

Published 2018-10-19

Grrrrr! Gah! Aaarrrggghhhh!

Sometimes it feels like an uphill struggle, bringing data protection good practice to the masses. Sometimes it feels like an vertical climb up a razor-wire-covered fortress turret while hostile archers fire flame-tipped arrows down at you from overhead. I confess that sometimes I am a little short on patience and tolerance (although I try hard not to let it show!) and I do spend quite a lot of my time with gritted teeth and clenched fists. I’m probably not the only one – which is why I wrote this blog post. Despite my naturally sarcastic tone, the sentiment is genuine – and hopefully contains at least one nugget of actual good advice.

Take care of yourselves, don’t be ashamed to reach out for help when things get on top of you, and remember that come the Zombie Apocalypse; your survival will not be based on how successfully you got an organisation to implement data protection!

Read all of it…10 Anger Management Tips for DP Pros

Meme Frenzy

Published 2018-06-14

At some point, I’m going to try and make a privacy notice delivered through the medium of internet memes. While playing about with the possibilities of this, I got totally sidetracked and ended up data-protection-ifying a load of popular memes for my own nerdy amusement.

Here are the fruits of my misdirected labour. I think I might need to get out more

Read all of it…Meme Frenzy

Privacy vs Security: A pointless false dichotomy?

Published 2018-06-14
Privacy vs Security: A pointless false dichotomy?Me, leaning on a pub table holding a mic with a screen behind me showing the title of my talk

This is the text of a presentation I gave recently during Infosec18 week. By popular demand (i.e. more than three people asked), I’m re-posting it here for a wider audience. I also intend to record it as a downloadable audio file at some point when I have some free time (hahaha, what’s that???). I took out the specific case studies for the sake of brevity, but I will post those separately as Part 2.

Read all of it…Privacy vs Security: A pointless false dichotomy?

Bad Privacy Notice Bingo!

Published 2018-05-16

Snark attack!

Having spent many, many hours reviewing privacy notices lately – both for the day job and for my own personal edification – I’m discouraged to report that most of them have a long way to go before they meet the requirements of Articles 13 and 14 of the GDPR, let alone provide an engaging and informative privacy experience for the data subject.

Because I am a nerd who cares passionately about making data protection effective and accessible, but also a sarcastic know-it-all smartarse, I created this bingo scorecard to illustrate the problems with many privacy notices (or “policies” as some degenerates call them) and splattered it across social media. Hours of fun.

Read all of it…Bad Privacy Notice Bingo!

Whose Decision is it Anyway?

Published 2018-05-14
Whose Decision is it Anyway?A hand emerging from a suit sleeve controlling the strings of a wooden puppet walking

Controller/Processor determinations

(a.k.a how a data protection anorak spends their leisure time)

Update: Sorry that the tool is not currently working – My supposedly ‘unlimited’ free Zingtree account has expired, and they want £984 a year for me to renew it, which I can’t afford. Currently looking for alternatives – if you know of one, hit me up! I’ll post a downloadable text version of the tool very soon.

Following a lot of pre-GDPR kerfuffle online about Data Controller/Data Processor relationships (and the varying degrees to which these are direly misunderstood), I spent a geeky Sunday night putting together a decision tree tool which should – hopefully – help people who are getting confused/panicked/deeply weary of the search for answers.

It’s not intended to be legal advice, it’s not formal advice from me as a consultant and it’s not guaranteed to be absolutely 100% perfect for every possible scenario. It’s designed for the low-hanging fruit, the straightforward relationships (like standard commercial supply chain) rather than the multi-dimensional nightmare data sharing behemoths one tends to find in the public sector.

Anyway, here it is. Enjoy. If you like it, please tell others where to find it. If you have constructive criticism (that’s not “oh you missed out this incredibly niche complex scenario that would only ever happen every 100 years”) please tell me.

The Tool

 

Here are also some useful links:

https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-contracts-guidance-v1-for-consultation-september-2017.pdf

http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf

Who’s in Control?

Hello. I use privacy-friendly analytics (Matomo) to track visits to my website. Can I please set a cookie to enable this tracking? I’m afraid that various plugins and content I have on the site here also use cookies, so a ‘yes’ to cookies is a ‘yes’ to those too. Please have a look at my Privacy Info page for more info about these, and visit my advice page for tips on protecting your privacy online