A little bit of root cause analysis (Web Summit)

One of the issues highlighted by Karlin Lillington in her article today was the fact that people who had not opted into mailings were receiving them and there was inconsistency between the format and content of mailings received, with some including an option to opt-out and others not.

This is symptomatic of a disparate data architecture at the backend. Which is consultant speak for “they’ve got too many buckets”.

This is a classic Information Quality problem. My friend and colleague Dr Peter Aiken identifies the root cause of this as being the training received in Computer Science courses worldwide, which primes people to solve problems by building/buying another database.

Based on very quick analysis conducted today with help from @orlacox (one of the new “women of IT” in Ireland who I’ve discovered thanks to #dws) the following sources and tools for email communications were identified as being in use by Dublin Web Summit.

  1. Contact Form 7 plugin on the website (which is running on WordPress). This page captures email addresses in the contact form. No information is given about uses for the data you provide on this form and there is no option to opt-in to receiving marketing messages from DWS or its associates. So… if you fill in that form they should only be responding to your question and doing NOTHING else with your name and email address. [the use of Contact Form 7 was confirmed by inspecting page source for the form]
  2. CreateSend. On the website there is an option to provide an email address to subscribe to their mailing list. This is processed using CreateSend. I’ll return to this later for another point. [the use of CreateSend was determined by an inspection of the page source]
  3. MailChimp. @OrlaCox received an email from the organiser of the WebSummit the header of which confirms it was sent via MailChimp.

Fair Obtaining

If anyone involved in Dublin WebSummit took contact details supplied via the contact form on the website and included them in commercial promotional email marketing, that is a breach of the Data Protection Acts 1988 and 2003 and SI336, which require that

  • Data be processed for a specified purpose and not for a purpose incompatible with the specified purpose
  • Marketing by email requires consent.

It is not possible in this case to argue “soft opt-in” based on terms and conditions that are associated with booking for the event. There is no commercial relationship in this context that can be relied upon as “soft opt-in” consent.

[What would I suggest as a learning: If you have a contact form, ASK PERMISSION to add people to contact lists. Otherwise you HAVE NO CONSENT]

The Two Bucket Problem

DWS appears to have been using two bulk email platforms. The technical term I use to describe that kind of data management strategy is TBSC (Totally Bat Shit Crazy). It invites variation in process (one platform having opt-outs built in to the message, the other not) and inevitably leads to inconsistencies in data (persons loaded to both platforms may wind up being opted out on one but not on the other, plus the headaches of keeping data synchronised).

It is symptomatic of the “jump in and get it done” culture that can be brilliant… if you have thought through the things that need to be done to get it done.

Information, like every other asset in an organisation, has a well defined Asset Life Cycle. The acronym is POSMAD. This resource by my friend Danette McGilvray (who introduced me to the idea a number of years ago) explains it in detail.

DWS seems to have jumped into the Obtain and Store phases without doing the Plan. So they wound up with two (or more) buckets within which they had to manage data.

(As an aside, it would appear there may be a third bucket as the media registration appears to have been backed by Google Forms).

[What would I suggest as a learning: This is MASTER DATA. You need to have a SINGLE BUCKET so you can control what data is coming in, consistently apply suppressions, consistently manage content and format of messages, and generally only have one ‘house’ you need to perform housekeeping on. Tools like MailChimp let you set up multiple lists that people can subscribe to. Use multiple lists. Not multiple tools. That way you have a “Single View of the truth” and won’t make an arse of managing your obligations under the ePrivacy Regulations and/or the Data Protection Acts]

[What I would strongly advise: Apply the POSMAD framework to the sketching out of the platform you will build to execute and deliver. It will help you resist the temptation to throw tech and tools at the strategy without having a strategy. It will prevent you from implementing things that are TBSC]
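
The "single bucket" check described above, as an added example that is not part of the original post: it merges contact records from several tools into one master view, lets any opt-out win everywhere, and flags addresses sitting in a mailing tool without recorded consent. The bucket names, the Record fields and the sample data are assumptions made up for illustration, not real export formats.

```python
from dataclasses import dataclass

# Hypothetical bucket names; only these are used to send marketing email.
MAILING_BUCKETS = {"list_a", "list_b"}

@dataclass(frozen=True)
class Record:
    bucket: str      # tool holding this copy of the contact
    email: str
    opted_in: bool   # marketing consent captured when the data was obtained
    opted_out: bool  # recipient has since unsubscribed in this bucket

def reconcile(records):
    """Merge all buckets into one view: any opt-out wins, consent must exist."""
    by_email = {}
    for rec in records:
        by_email.setdefault(rec.email.strip().lower(), []).append(rec)
    master, findings = {}, []
    for email, recs in sorted(by_email.items()):
        opted_out = any(r.opted_out for r in recs)
        consent = any(r.opted_in for r in recs)
        master[email] = consent and not opted_out
        # Buckets that would still mail someone who unsubscribed elsewhere.
        stale = sorted(r.bucket for r in recs
                       if opted_out and not r.opted_out and r.bucket in MAILING_BUCKETS)
        if stale:
            findings.append((email, "opt-out not propagated", stale))
        # Address sits in a mailing tool although no bucket recorded consent.
        loaded = sorted(r.bucket for r in recs if r.bucket in MAILING_BUCKETS)
        if not consent and loaded:
            findings.append((email, "no consent on record", loaded))
    return master, findings

# Constructed sample data, not taken from any real export.
SAMPLE = [
    Record("list_a", "Ann@example.com", True, True),
    Record("list_b", "ann@example.com ", True, False),
    Record("contact_form", "bob@example.com", False, False),
    Record("list_a", "cara@example.com", True, False),
    Record("contact_form", "dan@example.com", False, False),
    Record("list_b", "dan@example.com", False, False),
]

if __name__ == "__main__":
    master, findings = reconcile(SAMPLE)
    for email, mailable in master.items():
        print(f"{email}: {'mailable' if mailable else 'suppressed'}")
    for finding in findings:
        print("FINDING:", *finding)
```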

Safety in Harbor – Remembering that Mail List tools are Data Processors

Every time you use an external mailing list service you are engaging a Data Processor. As part of that a Data Controller needs to pay attention to a number of things. Among them is the thorny issue of whether the data is leaving the EEA at any point and whether there is actually any lawful basis for allowing that to happen.

The DPA doesn’t prevent Cross Border transfers like this. And it doesn’t make using a Cloud Service or Outsourced service illegal. It makes doing it wrong and without attention to detail something that could constitute an offence.

Mailchimp is a reasonably good tool. One good thing about it is that it is Safe Harbor registered. This means that a Data Controller in the EU can send data to Mailchimp in the US without being in breach of S11 of the Data Protection Acts.

CreateSend.ie is a company based in Co. Clare. However, CreateSend.com is the server that the data is written to if you register for a mailing list hosted by CreateSend. That server is hosted in Charlotte, North Carolina. So, data is going to the US. There may be a “chain of processors” in place here (CreateSend Ireland, CreateSend US). Either way, data is going out of the European Economic Area. So one would expect one of the legal grounds for cross border transfer to be in place.

  • CreateSend does not appear to be registered for US Safe Harbor. (It may be that their registration is under a different name)

A scan through the terms and conditions of CreateSend.ie indicates in Section 2.7 that the data provided to CreateSend is indeed passed to servers in the United States. But then it goes a little bit squirrely:

“you warrant that you have obtained the consent of the relevant individuals to the storage and transmission of their personal information in this manner.”

In other words, any organisation that uses CreateSend as their email marketing platform has to get consent from their subscribers to transfer personal data to the United States. Not having that consent means any transfer is illegal under S11 of the Data Protection Acts.

There is no notice of or consent sought for a transfer of personal data to the US when signing up for that mailing list. I know. I’ve done it. What I got was a lovely pdf telling me the name, department, and organisation of every attendee at the conference.

So… to get a list of everyone at the conference I don’t even have to attend the conference, I just need to sign up to a mailing list. That’s TBSC strategy yet again.

But I digress.

[A lesson to learn: When selecting an email marketing service provider, it pays to do due diligence and make sure that you have clear lawful bases for the processing you are proposing to do. Safe Harbor is a good thing to look for. Relying on consent is allowed, but you have to get the consent]

Conclusion

Dublin Web Summit had too many buckets that were filled up without any apparent thought to Data Protection compliance and how to manage it.

A single email marketing platform, with a simple and compliant structure for transferring data outside the EEA if required, and a clearly defined strategy for using it effectively and in a compliant manner would have saved a host of problems and headaches.

The approach that has been taken would raise questions about how prepared DWS would be if audited or investigated by the Data Protection Commissioner.

Comments

2 responses to “A little bit of root cause analysis (Web Summit)”

  1. Chris

    Daragh

    The Safe Harbor listing for Mailchimp answers NO to the question:
    “Do You Agree to Cooperate and Comply with the EU and/or Swiss Data Protection Authorities?”

    Most other US email vendors like Constant Contact and Cheetahmail have answered Yes, with the exception of ExactTarget.

    Createsend is a whitelabel of Australian firm Campaign Monitor who have servers in the US and Oz. Legal entity name is FreshView PTY Ltd.

    Thanks
    Chris

    1. Daragh

      Chris
      Thanks for the info. Technically it doesn’t really matter if Mailchimp cooperate with EU DP authorities. They will always focus on the data controller first and it is up to your contractual arrangements what recourse the DC has with the service provider.

      That said, when faced with a choice between a provider who will cooperate and a provider who won’t it can boil down to commercial decisions: you get what you pay for.

      Regarding the info on createsend, that just adds another layer of complexity to the controller/processor relationship and to the cross border transfer questions.