Showing posts with label fine.

Tuesday, 31 March 2015

Dodgy Data Distraction

You have to love the Daily Mail. They do love a scare story. Yesterday it was your pension data being sold for 5p to unscrupulous cold-callers by allegedly dodgy data companies. Shock horror, we will never be safe in our beds again!

I caught up with the story on the Today programme and heard Chris Graham, the Information Commissioner himself, living up to my nickname for him of Genghis Khan. He was threatening immediate investigations into B2C Data, the company the Mail outed, with his usual £500k fine and a bit of decapitation if the guilty were found guilty.

But just hang on a cotton picking minute. The accusation here was that personal financial information was being passed on (sold) without the knowledge of the individuals concerned. Well the B2C website isn’t exactly hiding its activities under a bushel, Mr Daily Mail. Their website boasts of their 38m-strong database and suggests that it has been compiled from a large number of syndicate partners.

So this is not necessarily dodgy and that is what the Daily Mail, the Today programme and the man in the street fail to realise. Every time we apply for something...a mortgage, a phone, a credit card or even a holiday...we freely give lots of information, and somewhere in the small print will be a box to either tick or untick talking about sharing that data.

It’s the junk mail box if you like. You are opting in if you tick it to agree and opting out if you tick it to disagree. And whether you opt in or fail to opt out matters.

All email data to consumers ought to be opt in, by law I believe. Genghis will know this. If you agree to receive emails, lo and behold you will receive emails. Your address will be sold to all and sundry for a few pence. Mine seems to be sold to Viagra salespeople and purveyors of gentlemen’s entertainment but that might just be spam. There is a difference between unsolicited marketing communications and spam you see. One you have agreed to, the other you haven’t.

So, just what are the Daily Mail objecting to here? If B2C are selling data without the required permissions/opt-ins from their syndicated partners, everyone will be in trouble. I am not saying it doesn’t happen, because it does, but the real charlatans are not trumpeting their wares on a web site in my limited experience.

I am afraid the much more likely scenario is that this is all essentially above board. Companies like B2C amalgamate data from a variety of sources and if you as an individual appear on their database it will be because you gave your information to one or more of those sources. If those sources are legitimate they will have asked you a question about selling your data on and you will, perhaps unwittingly, have given them permission to do so. It may have been asked sneakily, it may have been an auto-ticked box on a web form that you failed to notice, but it will have been done.

So what data are they likely to have? Well, basically anything you have ever filled out on a form applying for something. Name, address, phone number, spouse, number of kids, email, mobile and middle name for sure. Salary, job title and number of years in your job. Probably. Nothing startlingly private. Ok, I know it is not stuff that you want published in the Daily Mail, but it is not really doing you any harm appearing on a database, and remember, this information is really only going to be used to select you to receive a phone call or email.

A marketing database is a prospect list, and someone trying to get you to unwisely take your pension now in cash (the threat the Mail was highlighting) will have used your salary to bracket you. He/she earns above X so he/she will likely have a pension of X so is worth a call. Or he/she is this age and earns that, so he/she is a target. Every piece of information they have on you is a selector, and really nothing else. And companies like B2C charge by selection.

The 5p the Mail quoted probably won’t get you a lot more than email, name and postcode. If you want the detailed information, you would pay more. And this information has been on the market for years, both legally and illegally. No doubt, as the Mail says, some of this information ends up in the hands of criminals, but I am not sure you can necessarily blame B2C for that.

This needs investigating of course, but if the accused company have been aggregating data from multiple sources legally, making sure that the opt-ins and outs were all done properly by their syndicate partners and then cleansing and managing their database correctly, I hope they sue the backside off the Mail.

Data is a very misunderstood commodity. We all create it and give it to people without really thinking about what we are doing. As a marketer, I want your email address and your permission to use it. In B2B, my field of expertise, there is much less regulation on this sort of thing but I still want your permission, tacit or proactive, because the communication is more rewarding that way.

The aggregation of business data is every bit as sly as the consumer stuff. For instance, Companies House happily sells its data on every business registered with it for a nice fat fee. Then the data companies start adding to this basic registered address and directors info by overlaying directory data to get trading addresses and phone numbers. Maybe some research will be done at some stage to pick up some contact names and bingo, you have a list.

You may not realise that you gave your data away. You may have been slightly tricked into not noticing the box which would have stopped it all. But you have done it dozens of times. We are all on hundreds of different lists. Just one example you probably do not realise, the Bounty rep who called on you or your partner whilst you were recovering from the birth of your baby. They gave you some nice freebies and took some information off you, and that information is one of the most valuable data sets in the country. New parents are an easy touch you see, like prospective pensioners. I wonder if the Mail will investigate that?

The moral of all this is that it is never good to give your data away. Find the box if you are filling out a form and find a responsible data security and recycling professional if you are disposing of any old computers! Simples.

Monday, 30 March 2015

One of our laptops is missing!

If you lost your laptop this morning what would you be worried about?

It is a good question, isn’t it? Inconvenience springs to my mind. How long would it take to get a new one sorted out? In the office, IT could probably sort me out with an old desktop. I could log on to the network but most if not all of my documents are on my own hard drive. I am not great at saving to the shared drives. 

So it is going to be a mess.

Not to mention the embarrassment of admitting it. And reporting it. And just how am I going to do that presentation on Thursday with no laptop? Which incidentally I have to re-write because the file was only saved on the laptop. No backups.

And then I realise something else. Lots of things are on that laptop. The staff budget for a start. A lot of salary information, even National Insurance numbers. That big confidential contract. I saved that to the hard drive so that I could go through it one last time over the weekend. Oh and I used it to do my personal banking...what about my own account details?

Scary isn’t it? I have never lost a laptop or had one stolen but I know lots of people who have. And of course many a data breach has been caused by this sort of thing. Stolen laptops give up their secrets in the wrong hands.

And yet, guess what? When we change our laptops, do we give a second thought to the old one? I have given mine back to IT loads of times, and never worried about it at all. It was safe, in the hands of the professionals.

Redundant things are forgotten about. You have your new toy and the old one gets tucked away somewhere. In the old storeroom with that broken chair, 3 old desktops, that old server, the table that used to be in the conference room, an old projector. When we replace the accounts PCs in April we will think about having a clear out.

And so the risk calculator rises up into the red right there. We have company assets, all neatly recorded in a register by the financial controller, but he has no idea where each one is. It is just within the company somewhere. He will only be told if it is disposed of. And the person responsible for company data, the nominated data controller, is not worrying about stuff in the IT store. It is safe enough. No one ever goes in there.

So life goes on. You replace the accounts PCs and a fax machine in the sales office dies. The store is quite full but everyone is flat out rolling out Windows upgrades. Clearing out the storeroom is not a priority.

And then the board approves the new budget and you can replace all the laptops, get those new servers and upgrade the mobile phones. The whole team are flat out on procurement, working to a deadline, and young Damian is told to clear out the storeroom. Get someone in Damian; recycle like it says on the company website. ACME Widgets PLC support the environment.

Damian is a willing lad, of course. Bright too. He has his NVQ in IT and everything. He has a word with the boss to check his brief and does some research. There are rules. You cannot just dump this stuff, and you need to think about the data.

And this is where it all goes Pete Tong of course. It is now down to luck who Damian rings and what he is told. If he is the conscientious sort, he might do ok, but if he is just a box ticker, and if the boss expects to get his storeroom cleared for free, ACME Widgets could be about to lose more than one laptop. They could be about to help the criminals load them into the van. And they would be none the wiser until they hear the Mongol hordes ride into the car park and see Genghis Khan leap out of the saddle, scimitar in hand.

Ironic really. Leaving one laptop on a train is careless, giving 20 to Arthur Daley is negligent. One allows you to claim on the insurance, the other gets you a £500k fine. But which do we actually worry about most?

I once had an employment contract which stated that I must not leave company property in the boot of my car. They meant the laptop. Now you could add in the Smartphone I suppose. They were intent on taking disciplinary action if negligence allowed a theft. I am sure someone in HR is writing a clause or two about bringing your own devices into work these days, and using the company wifi to do all sorts of things that might cause a data breach. Meanwhile, down in the storeroom, Arthur Daley is picking up another load of redundant IT equipment for free.

It’s not as if people have not been fined for this sort of thing. The deterrent is there. But it does not happen enough to worry anyone. The threat is not as ‘real’ as someone breaking into your car and stealing your laptop.

We all carry our data around with us and theft or just plain misplacement is a daily problem if, like me, your brain is addled with age. I can barely remember my name, let alone where I put my phone so you can see the problem. But what has to happen to raise the awareness of what can happen when we throw things away?

For your sake, I hope it is not a £500k fine.

PS
Did you hear Genghis on the radio this morning? The Daily Mail have done an exposé on pension data being freely available on the dodgy deals front and Chris Graham rolled up on the Today programme threatening beheadings and £500k fines to all and sundry. There was a huge assumption made that all the data involved had been collected illegally.

That may well be true but the story the journalists should be following up is how this data is collected and what permissions are being granted by the consumer at the time. For instance, a lot of the data was allegedly mortgage application data. If a box has been ticked (or not unticked) to say the data can be used for marketing purposes, it is not illegal data and it is just another Daily Mail scare story.

More on this subject another day.

Tuesday, 10 March 2015

To Dither or not to Dither

Dithering is not productive. If you have a decision to make, make it, clearly having given it due consideration first, but it cannot take forever. And seek empowerment for goodness sake. It is an overused word in business these days, but we have to be allowed to use our common sense. Most issues concern finding the right balance between risk and reward, and with clear guidelines most of us are able to see the wood for the trees.

Now you may be thinking that poor old Hugh has been plagued by ditherers in recent days. Well yes and no, really. I usually am one way or another because I have a sales function to perform and the time between offering my wares and getting a yes or no is often a frustrating one. I don’t get why it takes so long sometimes because it is not...it really is not...rocket science.

However, the customer is always right. You take as long as you like. But actually what caused me to put finger to keyboard right now is the idea of risk and reward being at the crux of the matter with every business decision.

The risk can be the cost. This is going to cost me £100 and the reward is that pile in the corner of the office is going to disappear. Sustainability will have been supported and my data will have been dealt with, leaving me with the paperwork to prove it and a warm feeling of indescribable joy.

It’s often the cost that causes the dithering of course. Oh the boss won’t like that at all, having to pay £100 to get rid of 3 old PCs, that broken kettle and those two old phone handsets. There is no budget for that and if head office finds out, heads will roll for sure. In my experience there is much more dithering over £100 than there ever is over £1,000.

£100 is a decent meal out for you and the other half, with wine. It’s a trip to the cinema and a take away after. No popcorn though, popcorn is ruinously expensive in my experience. It’s almost two thirds of two adult tickets to see the mighty Arsenal lose to Monaco. It’s a year’s subscription to Netflix. It is not a fortune.

Quite often we get asked to take away some broken desks, or chairs, or cupboards along with our usual. And we charge for it. No one seems to mind about that too much, because we are doing them a favour. It is obvious waste and there is no perceived value. But for some unknown reason just because something has a plug people dither.

Oh do you know what? I am always quite excited when I see that someone has a pile of non-WEEE rubbish that they would absolutely love us to take as well as their WEEE, because it means instant gratitude. They could have found someone else to get the real rubbish but it would have cost them in time and hassle as well as cost, so all of a sudden we are the good guys.

But suggest that the aforementioned broken kettle, clapped out PC and old phone handsets are rubbish as well and will be charged for accordingly and there is a sharp intake of breath. The boss won’t like that.

Well the boss won’t like being fined when your database gets stolen either. He won’t like it if he gets caught trying to slip business waste into the local council tip either. There are lots of things he won’t like that £100 prevents him from suffering these days. So surprise the boss. Tell him you have saved the company database from breach, tell him that you have operated within WEEE regulations and the Data Protection Act and have the paperwork to prove it. And tell him that it only cost £100. He will be dead chuffed. Promise.

Tuesday, 24 February 2015

eReco – Your Get Out of Jail Free card

Who is responsible for your data?

It’s a good question. Ultimately it is a business responsibility regulated by law under the Data Protection Act and once the EU gets around to it the responsibility will sit firmly with the directors of the business. Even if they delegate it to someone else, they can be sued, fined, jailed or even decapitated if Genghis Khan gets his hands on them.

And that is in addition to fines levied against the business.

I think that focuses the mind quite nicely. Once this becomes law (and we are past the expected ratification date, so any day now Mr Farage!) apathy is going to get quite dangerous, and once the directors are firmly in the firing line things tend to get done.

But what things?

Obviously, here in eReco land, we are going to focus on disposing of redundant IT equipment because that is our wont. There are lots of other things to do but we aren’t directly involved in that so yah boo sucks, sort it out yourselves.

So, you have a computer to get rid of and it has a hard drive, what should you do?

In simple terms, you have two different legal responsibilities.

Firstly to dispose of the equipment according to WEEE regulations. Regardless of what you call it, or any residual value, this is waste and whatever you do, you need to think about waste transfer notes (WTNs) and how the item is going to get to a WEEE regulated recycling facility. If you do not get a WTN you are breaking the law and if your equipment does not go to a WEEE facility and ends up somewhere naughty, you have also broken the law. So, if you give it to someone to dispose of for you, make sure you get the right paperwork and be sure they are going to do things properly. If not, those directors are in the firing line.

Secondly, you are responsible for any data on any hard drive disposed of. There is no limit to that responsibility. You remain responsible. Even if eReco collect it from you, the data is still ultimately your responsibility. You would have to prove that you have engaged a data secure service provider and that their processes met your duty of care to protect your data.

If something went wrong and there was a data breach, you would still be in hot water, because the data remains yours, and you would need to prove to Genghis Khan, or our friendly neighbourhood Information Commissioner, Chris Graham, that you acted responsibly.

Now all eReco customers will have no problem proving this. We provide Waste Transfer Notes, asset lists and certificates of data destruction, and if something goes wrong we have liability insurance up to £10,000,000. Our collections are secure, with security cleared personnel, and our facility down here in East Grinstead is also secure. This is certified and checked, without warning, by ADISA, and we are also approved by DIPCOG to work in the MoD/Government space.

All of which the truly responsible client will have checked out in advance. This is the important stuff you see...you need to show due diligence. And then do you know what actually keeps the MD out of choky? Yes that’s right, it’s the boring old paperwork!

Say your data ends up on eBay. This happens. A lot. So no pooh poohing me please. As General Melchett said in Blackadder 4, ‘did he pooh pooh you Blackadder?’ I won’t have it. This is important stuff so no giggling at the back.

Once the data breach is crystal clear, you are in deep doggy doo. Genghis, however he finds out about it (and he will, because legally, if he doesn’t find out any other way, you have to tell him or face even graver consequences) will start asking some difficult questions. And the boring old paperwork which everyone takes for granted and is not given much importance, becomes absolutely crucial.

First things first, Genghis would want to see what you asked us to collect. However you do it, by email or by filling in one of our forms, we keep a record of what you asked us to collect. This is important in a minute, so tuck it away at the back of your mind. Then we give you an estimate, and you accept this estimate, and we confirm a collection date.

On said date, we rock up and get the stuff. We bring with us a Waste Transfer Note, which says we collected this sort of stuff from this address on said date. Everyone signs and you get a copy. We also have consignment notes. These detail the sort of materials being transported, whether they are hazardous or not, and give full addresses and licences for both parties. Not very interesting but all legal proof and approval for what we are doing.

Then we bring the stuff back here. We track it in, noting any serial numbers but also adding an identity number of our own, so that we always know where it is in our system. From this we produce an asset list. It should match the list you asked us to collect, of course. If you asked us to collect 10 PCs we tell you that we have collected 10 PCs and the serial numbers are XXXXXX. You now have a comprehensive audit trail of disposal from your request to us, through transportation by registered and licensed supplier to arrival at a registered, accredited and approved facility. In other words, you have proof of what you have done and Genghis loosens his grip on your throat, for the time being at any rate.

But before we move on, a reality check. I have said in previous blogs and always say to clients on the phone, tell us if you have more to collect than you have said. 

Partly this is because we want to charge you more. I am just like that, I like to get paid. Partly it is because I know what the vehicle can take in terms of weight and quantity of stuff, and we don’t want to overload it. But mostly because it is dangerous if you add something without telling us. Because the audit trail is potentially broken. In our case, we would pick it up when we compile our asset list, but legally PC XXX has magically left your care and arrived with us. You have not asked us to take it. What if you do not even know it is gone? Genghis might well slap you around a bit because of things like that.

However, let’s leave that side of things and get back to business. So we have your stuff and you have an audit trail which will be added to when we erase your hard drives and give you a certificate to prove we did it. At this point you are pretty much done. You can kneel before Genghis, carefully watching the scimitar in his hand and say ‘it was them, Guv’ if anything goes Pete Tong. We would end up in the dock together, because it’s still your data, but having employed a certified supplier and ticked all the paperwork boxes, it would take a very unreasonable Genghis to punish you, and our insurance would hopefully cough up.
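The audit trail described above hangs together only if the three records (what you asked to have collected, what the collector booked in, and what was certified destroyed) agree serial by serial. The script below is an added example written for this page, not eReco’s own tooling: it reconciles those three records and names each kind of gap, including the dangerous one above where a PC is loaded onto the van without ever appearing on the request. The serial numbers and record layout are invented for the demonstration.

```python
# Added example (not eReco's own code): reconcile the three records that make up a
# disposal audit trail. Record layout and serial numbers are invented for illustration.

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Record:
    """One line of a collection request, an asset list or a certificate of destruction."""
    serial: str   # manufacturer serial number: the key that links the three records
    stage: str    # "requested", "collected" or "destroyed"


def _serials(records: Iterable[Record], stage: str) -> Set[str]:
    return {r.serial for r in records if r.stage == stage}


def reconcile(records: Iterable[Record]) -> Dict[str, List[str]]:
    """Compare the client's request with the collector's asset list and the destruction
    certificates. Every difference is a broken link in the chain of custody:

      missing     - on the request but never booked in (never left the store, or lost in transit)
      unexpected  - booked in but never requested (the "just put it on the van" case)
      undestroyed - booked in but with no certificate of data destruction yet
    """
    records = list(records)
    requested = _serials(records, "requested")
    collected = _serials(records, "collected")
    destroyed = _serials(records, "destroyed")
    return {
        "matched": sorted(requested & collected & destroyed),
        "missing": sorted(requested - collected),
        "unexpected": sorted(collected - requested),
        "undestroyed": sorted(collected - destroyed),
    }


def chain_of_custody_complete(report: Dict[str, List[str]]) -> bool:
    """True only when everything requested was collected, nothing extra turned up,
    and every collected machine has a destruction certificate."""
    return not (report["missing"] or report["unexpected"] or report["undestroyed"])


# Constructed sample: four machines requested; PC-0004 never made it onto the van and
# the driver was handed PC-0005, which nobody put on the request.
SAMPLE = [
    Record("PC-0001", "requested"),
    Record("PC-0002", "requested"),
    Record("PC-0003", "requested"),
    Record("PC-0004", "requested"),
    Record("PC-0001", "collected"),
    Record("PC-0002", "collected"),
    Record("PC-0003", "collected"),
    Record("PC-0005", "collected"),
    Record("PC-0001", "destroyed"),
    Record("PC-0002", "destroyed"),
    Record("PC-0003", "destroyed"),
]

if __name__ == "__main__":
    report = reconcile(SAMPLE)
    for key, serials in report.items():
        print(f"{key:12s}: {', '.join(serials) or '-'}")
    print("chain of custody complete:", chain_of_custody_complete(report))
```

Run against the sample it reports PC-0004 as missing and PC-0005 as both unexpected and undestroyed, which is exactly the situation where the client cannot show the regulator that a machine left their care under a signed request. In practice the three lists would be read from the request email, the asset list and the certificates rather than typed in, but the reconciliation itself does not change.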

Please note, this is all hypothetical, we have never had a problem and, touch wood, never will. We do things right. And going back to a well-worn theme of this blog, this is why we charge for our services. Even if we do agree a kit covers costs deal, which we do if you are recycling gold plated laptops, these costs are deducted before we share any revenue with anyone. Because we think this is the really important stuff. It’s the stuff that keeps your MD out of jail.

And you may think that is taking things a bit far. But take a look at the ICO’s hall of shame when you have a moment and imagine those breaches when director responsibility comes in. It is very tempting to look at IT equipment recycling as a cost, but I have always maintained that it is risk management.

Do it right, for your director’s sake.

Thursday, 19 February 2015

(Don’t) Take A Chance on Them

Business is business, isn’t it? Whether you are large or small, the objectives are still fundamentally the same. Sell stuff, pay your bills, pay your staff and make some profit. Not necessarily in that order of course, but you get my drift. The bigger you get the more divorced the business gets from reality I suppose. There are too many layers and no one person can see the whole picture. So there are more policies and procedures.

But policies and procedures are forced on small businesses too, normally via legislation. However the smaller you are, the more you can duck and dive, claim an exemption, or avoid the bright spotlight of public scrutiny. I mean, if you are HSBC and you allegedly help your biggest customers open a load of Swiss bank accounts and avoid tax, you reach the front pages and hear yourself on the news bulletins. But if you are East Grinstead Widgets Ltd and you get one over on the taxman you are probably telling your friends in the pub and getting an extra round in.

What I am getting at is that the attitude is different. The small, lean machine that is your average SME has a much firmer, more personally responsible hand on the tiller. Decisions are made by the main men, quickly but confidently. Yes, they make mistakes, but they are the main men, so no one is getting hung out to dry. In your bigger business, responsibility is spread around and although the attitude might be set from the top down (One cannot imagine an Alan Sugar business being the most politically correct, for instance) the procedure is commonly followed, often slavishly. The things that press the decision making buttons are often the most different of all.

IT waste often highlights those differences. If you are big you have more waste to dispose of. You have to have the means to get rid of it, so you have a better, more regular relationship. Costs matter, of course they do, but so does service. So does reliability. So does the ability to get one’s client out of a jam. These are often indefinable things that mean a lot to the person charged with getting shot of stuff. It is no use saving on getting rid of those 50 laptops because someone will do it for free if they don’t also take the broken desks, the old monitors, that pile of cardboard, all the cables and wires and those three broken printers. And actually you need someone to go up to the sixth floor to get those servers and the lift is broken again. And you need to trust the paperwork.

I am not saying those things are less important to your average SME, but the risk management aspects of our service resonate less when your hand is on the cheque book. Having a pile of old junk cluttering up an office or warehouse is less distressing when it is your junk and the staff committee are not going to exist, let alone moan about the working environment.

So in short I am saying to the harassed middle manager of a big business we tend to be a godsend, a problem solver and a valued service, whilst to an SME we can be seen as an irritating cost the company could possibly avoid, if it bent the rules a little, or turned a blind eye to some of the things they were being told, remaining resolutely ignorant of what should be done.

They are always tempted to listen to ABBA. ‘If you change your mind, I’m the first in line, take a chance on me, honey I’m still free.’ But ABBA broke up, a double divorce, a messy break down that hurt everyone big time.

We keep our clients out of the divorce courts, or the clutches of the ICO, that Genghis Khan of regulators. And along the way we lend a hand if we can, whilst keeping your old kit out of landfill to boot.

Just because you are an SME, you don’t have to take risks.