Interviewed by Doug Austin of CloudNine, I rant about GDPR marketing

Among the out-takes on the virtual floor of our virtual video editing room are several clips of me interrupting interviews when people talk about the GDPR fines of up to 4% of global turnover. They are, I have to say, slightly embarrassing to watch as I lay into people to ask if they have something more constructive to talk about, and I apologise to them. They are not the real targets of what have, with some justification, been called my “GDPR rants”.

As I have observed here before, I have been known when moderating panels in the US to ask the audience to name the first thing that comes to mind when the GDPR is mentioned. Always it is the fines. It is time to move the discussion to the actual likely effect on businesses large and small, not ignoring the fines, but equally not implying that every organisation is at risk of being handed fines at the maximum level for the slightest default.

At Legaltech, I was invited to go and talk to Rob Robinson, Doug Austin and others from CloudNine. I don’t usually agree to such invitations from non-sponsors because they take me out of an already overflowing stream of things to do at Legaltech, but I have known Rob Robinson for many years and he gave me my first introduction to US eDiscovery writing. There was also an invitation to be interviewed by Doug Austin whose eDiscovery Daily Blog came top of the recent list of Top 60 eDiscovery Blogs and Websites for eDiscovery Professionals assembled by Feedspot (I wrote about it here) and I welcomed the opportunity to reach his wide audience.

We never actually got to the interview. I had just come from delivering one of my “rants” about GDPR marketing, and carried on with it at our meeting – to be fair, that was what they asked about.

A few days ago, Doug Austin sent me what is effectively a transcript of my rant. I generally reject written versions of spontaneous (as opposed to planned) discussions because one phrases things differently when speaking informally and when writing. The stream of consciousness outpourings were not quite as I wanted to be seen in print.

There is too much else going on for me to stop and rewrite it and, anyway, that would have seemed rude. Instead, I asked Doug Austin to make it clear at the top of the article that it was a rough transcript of our discussion, made a few minor corrections where either I had been misheard or really did repent of my choice of words, and authorised publication. It was published with the title Chris Dale of the eDisclosure Information Project: eDiscovery Trends 2018.

At one extreme we have good and authoritative people who, to my eye, have merely got that emphasis wrong; at the other we have what I am quoted as having impolitely called the “pig ignorance” of the many non-experts who have climbed on the GDPR bandwagon. There was, for example, a heavily-promoted tweet in my Twitter timeline recently for an outfit previously unknown to me who were touting their GDPR expertise; the first paragraph of their home page contained a gross error. There is another one whose get up and url are cunningly designed to look like a an official EU website; if you have to resort to such near-fraudulent means to gain an audience, the content is unlikely to be impressive

By chance, on the same day that Doug Austin released this interview, I came across a tweet from the respected commentator @PrivacyMatters (Pat Walshe) which echoed my own thoughts:

That lead me to something I had missed, a speech by the UK Information Commissioner Elizabeth Denham at the Data Protection Practitioners Conference on 9 April. Her speech included a section on enforcement which it is worth quoting from rather than merely linking to:

Anyway, I hope by now you know that enforcement is a last resort. I have no intention of changing the ICO’s proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law.

Those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action.

It’s not just about fines though, is it? The GDPR has handed the ICO a whole new set of tools to motivate organisations towards compliance. Privacy by default and design, codes of practice, privacy seals, Data Protection Impact Assessments, accountability mechanisms, data protection officers …all these things – and more – form an integrated package.

All of them are necessary; none of them is sufficient on their own.

And when we do need to apply a sanction, fines will not always be the most appropriate or effective choice.

Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data.

None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line.


Elizabeth Denham’s speech in fact opened with a reference to Facebook and Cambridge Analytica. As I write, Cambridge Analytica is busy sending threatening letters to those who write about it, and Mark Zuckerberg of Facebook has been carefully running rings round some old people at the US Senate. Substantial litigation is threatened against more than one player here.

Let’s content ourselves with the observation that it is conduct of the kind alleged here which is likely to attract the highest level of GDPR fines. If that is at the top, and a minor defect in the wording of a company’s privacy policy is at the bottom, it becomes clear that there is a very wide range of actions and failures to act which will fall to be considered by the Information Commissioners of the EU (and, separately, of the UK after Brexit). To suggest that everyone is likely to face fines of up to 4% of their global turnover may give marketing departments the call to action headline they need, but it does not do justice to the very wide range of outcomes which are possible here or to the reality for most organisations.

Let’s take a parallel from, say, driving. Imagine a road safety campaign which was targeted  at those who are caught for the third time driving at 100 miles an hour in a built-up area, without tax, insurance or road-worthiness certificate while fuelled by drink and drugs. That is likely to pass right over the heads of the vast majority of drivers who would dismiss the campaign as being of no relevance to them. Meanwhile, in the last few days, an English journalist was whining on Twitter about being fined for driving at 36 mph on a rural road for which the limit was 30 mph. The tweet attracted a hail of complaints, not least because rural roads are the scene of most accidents. The audience for “marketing” against this sort of conduct is many times greater than that for the very serious offences.

The challenge for GDPR marketers is this: what can you say to that much wider audience about the services you can offer without waving the very big stick relevant only to a handful? Further, have you anything positive to say, any suggestions about how businesses might be better run, attract more customers and investors, and make more money, by initiating policies which comply with the GDPR?

You might get some idea from my recent interview with Hal Marcus of OpenText which focuses on the information governance opportunities given by GDPR compliance and on how the GDPR is “is forcing an overarching review and pointing up the need for a comprehensive strategy”.


About Chris Dale

I have been an English solicitor since 1980. I run the e-Disclosure Information Project which collects and comments on information about electronic disclosure / eDiscovery and related subjects in the UK, the US, AsiaPac and elsewhere
This entry was posted in Data privacy, Data Protection, GDPR, OpenText. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s