Tag: web summit

  • A little bit of root cause analysis (Web Summit)

    One of the issues highlighted by Karlin Lillington in her article today was the fact that people who had not opted into mailings were receiving them and there was inconsistency between the format and content of mailings received, with some including an option to opt-out and others not.

    This is symptomatic of a disparate data architecture at the backend. Which is consultant speak for “they’ve got too many buckets”.

    This is a classic Information Quality problem. My friend and colleague Dr Peter Aiken identifies the root cause of this as being the training received in Computer Science courses worldwide which primes people to solve problems by building/buying another database.

    Based on very quick analysis conducted today with help from @orlacox (one of the new “women of IT” in Ireland who I’ve discovered thanks to #dws) the following sources and tools for email communications were identified as being in use by Dublin Web Summit.

    1. Contact Form 7 plugin on the website (which is running on WordPress). This page captures email addresses in the contact form. No information is given about uses for the data you provide on this form and there is no option to opt-in to receiving marketing messages from DWS or its associates. So… if you fill in that form they should only be responding to your question and doing NOTHING else with your name and email address. [the use of contact form 7 was confirmed by inspecting page source for the form]
    2. CreateSend. On the website there is an option to provide an email address to subscribe to their mailing list. This is processed using CreateSend. I’ll return to this later for another point. [the use of CreateSend was determined by an inspection of the page source]
    3. MailChimp. @OrlaCox received an email from the organiser of the WebSummit the header of which confirms it was sent via MailChimp.

    Fair Obtaining

    If anyone involved in Dublin WebSummit was to have taken contact details supplied via their contact form on the website to include in commercial promotional email marketing that is a breach of the Data Protection Acts 1988 and 2003 and SI336 which require that

    • Data be processed for a specified purpose and not for a purpose incompatible with the specified purpose
    • Marketing by email requires consent.

    It is not possible in this case to argue “soft opt-in” based on terms and conditions that are associated with booking for the event. There is no commercial relationship in this context that can be relied upon as “soft opt-in” consent.

    [What would I suggest as a learning: If you have contact form, ASK PERMISSION to add people to contact lists. Otherwise you HAVE NO CONSENT]

    The Two Bucket Problem

    DWS appears to have been using two bulk email platforms. The technical term I use to describe that kind of data management strategy is TBSC (Totally Bat Shit Crazy). It invites variation in process (one platform having opt-outs built in to the message, the other not) and inevitably leads to inconsistencies in data (persons loaded to both platforms may wind up being opted out on one but not opted out on another, the headaches of keeping data synchronised).

    It is symptomatic of the “jump in and get it done” culture that can be brilliant… if you have thought through the things that need to be done to get it done.

    Information, like every other asset in an organisation, has a well defined Asset Life Cycle. The acronym is POSMAD. This resource by my friend Danette McGilvray (who introduced me to the idea a number of years ago) explains it in detail.

    DWS seems to have jumped into the Obtain and Store phases without doing the Plan. So they wound up with two (or more) buckets within which they had to manage data.

    (As an aside, it would appear there may be a third bucket as the media registration appears to have been backed by Google Forms).

    [What would I suggest as a learning: This is MASTER DATA. You need to have a SINGLE BUCKET so you can control what data is coming in, consistently apply suppressions, consistently manage content and format of messages, and generally only have one ‘house’ you need to perform housekeeping on. Tools like MailChimp let you set up multiple lists that people can subscribe to. Use multiple lists. Not multiple tools. That way you have a “Single View of the truth” and won’t make an arse of managing your obligations under the ePrivacy Regulations and/or the Data Protection Acts]
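    The drift described above (an address opted out in one bucket but still subscribed in another) can be shown by folding every bucket into one suppression-aware master list. This is an added example, not code from the original post or from any of the tools named; the source names, statuses and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows, not real exports: (source, email, status).
# "platform_a" / "platform_b" stand in for two bulk-mail tools; a
# "contact_form" row is an enquiry and carries no marketing consent.
RECORDS = [
    ("platform_a", "Alice@Example.org", "subscribed"),
    ("platform_b", "alice@example.org ", "unsubscribed"),
    ("platform_a", "bob@example.org", "subscribed"),
    ("platform_b", "bob@example.org", "subscribed"),
    ("contact_form", "bob@example.org", "enquiry"),
    ("contact_form", "carol@example.org", "enquiry"),
    ("platform_b", "dave@example.org", "unsubscribed"),
]


def consolidate(records):
    """Fold every bucket into one record per normalised address."""
    seen = defaultdict(lambda: {"in": set(), "out": set(), "sources": set()})
    for source, email, status in records:
        entry = seen[email.strip().lower()]
        entry["sources"].add(source)
        if status == "subscribed":
            entry["in"].add(source)
        elif status == "unsubscribed":
            entry["out"].add(source)
    master = {}
    for email, e in seen.items():
        master[email] = {
            "sources": sorted(e["sources"]),
            # An opt-out anywhere suppresses the address everywhere.
            "mailable": bool(e["in"]) and not e["out"],
            # Opted in on one tool, opted out on another: two-bucket drift.
            "conflict": bool(e["in"]) and bool(e["out"]),
        }
    return master


def mailable(master):
    """Addresses with an explicit opt-in and no opt-out in any bucket."""
    return sorted(a for a, rec in master.items() if rec["mailable"])


if __name__ == "__main__":
    master = consolidate(RECORDS)
    for address, rec in sorted(master.items()):
        print(address, rec)
    print("may be mailed:", mailable(master))
```

    Addresses that only ever arrived through the contact form never become mailable, and the duplicate rows for one person collapse into a single record.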

    [What I would strongly advise: Apply the POSMAD framework to the sketching out of the platform you will build to execute and deliver. It will help you resist the temptation to throw tech and tools at the strategy without having a strategy. It will prevent you from implementing things that are TBSC]

    Safety in Harbor – Remembering that Mail List tools are Data Processors

    Every time you use an external mailing list service you are engaging a Data Processor. As part of that a Data Controller needs to pay attention to a number of things. Among them is the thorny issue of whether the data is leaving the EEA at any point and whether there is actually any lawful basis for allowing that to happen.

    The DPA doesn’t prevent Cross Border transfers like this. And it doesn’t make using a Cloud Service or Outsourced service illegal. It makes doing it wrong and without attention to detail something that could constitute an offence.

    Mailchimp is a reasonably good tool. One good thing about it is that it is Safe Harbor registered. This means that a Data Controller in the EU can send data to Mailchimp in the US without being in breach of S11 of the Data Protection Acts.

    CreateSend.ie is a company based in Co. Clare. However, CreateSend.com is the server that the data is written to if you register for a mailing list hosted by CreateSend. That server is hosted in Charlotte, North Carolina. So, data is going to the US. There may be a “chain of processors” in place here (CreateSend Ireland, CreateSend US). Either way, data is going out of the European Economic Area. So one would expect that one of the legal grounds for cross border transfer.

    • CreateSend does not appear to be registered for US Safe Harbor. (It may be that their registration is under a different name)

    A scan through the terms and conditions of CreateSend.ie indicates in Section 2.7 that the data provided to CreateSend is indeed passed to servers in the United States. But then it goes a little bit squirrely:

    you warrant that you have obtained the consent of the relevant individuals to the storage and transmission of their personal information in this manner.

    In other words, any organisation that uses CreateSend as their email marketing platform has to get consent from their subscribers to transfer personal data to the United States. Not having that consent means any transfer is illegal under S11 of the Data Protection Acts.

    There is no notice of or consent sought for a transfer of personal data to the US when signing up for that mailing list. I know. I’ve done it. What I got was a lovely pdf telling me the name, department, and organisation of every attendee at the conference.

    So… to get a list of everyone at the conference I don’t even have to attend the conference, I just need to sign up to a mailing list. That’s TBSC strategy yet again.

    But I digress.

    [A lesson to learn: When selecting an email marketing service provider, it pays to do due diligence and make sure that you have clear lawful bases for the processing you are proposing to do. Safe Harbor is a good thing to look for. Relying on consent is allowed, but you have to get the consent]

    Conclusion

    Dublin Web Summit had too many buckets that were filled up without any apparent thought to Data Protection compliance and how to manage it.

    A single email marketing platform, with a simple and compliant structure for transferring data outside the EEA if required, and a clearly defined strategy for using it effectively and in a compliant manner would have saved a host of problems and headaches.

    The approach that has been taken would raise questions about how prepared DWS would be if audited or investigated by the Data Protection Commissioner.

  • Dublin Web Summit, Data Protection, Data Quality, and Brand

    The KoolAid is being quaffed in great quantities this week in Dublin. And, having run national and international conferences in the Data Protection and Data Quality fields, I have to respect the achievement of the organisers of the Dublin Web Summit for putting together an impressive event that showcases the level of innovation and thought leadership, and capability in web, data, and all things tech.

    Yes. About that “thought leadership”…

    Data Protection

    Today’s Irish Times Business Section carries a story by Karlin Lillington about things that have been happening with her personal data at the Web Summit. An event she is not attending and has not registered for but for which she:

    • is registered as an attendee
    • is listed on the media attendees list
    • has had her contact details distributed to sponsors and companies attending the event
    • has had her details shared with a social networking application that has pulled data from her Facebook profile

    In addition, she highlights that a list of ALL attendees is being distributed by the organisers if you request it through their Facebook page, but there is no opt-out for being included on this list and nothing in your registration that informs you that this will be happening.

    Emails are being sent out without people having opted-in, and not every email that is being sent out has the required opt-out. And I suspect that that may be the tip of the iceberg.

    Karlin reports that there have been complaints filed with the ODPC. My twitter stream this morning confirms that there are a number of people who I follow who have complained about how their data has been used. Many of these people would be the kind of people who you’d like to see fronting the thought leadership and innovation in web and data stuff, and they are irked at how their data is being abused.

    The DPC apparently has had previous complaints about Web Summit and has engaged with them in an “Advisory Capacity”. In my experience working with clients who have been subject to Data Protection complaints and have been investigated by the DPC, that is the Data Protection equivalent of “helping the police with their enquiries”. Web Summit has been handed rope. They have been guided and advised as to what needs to be done to be compliant (in keeping with the gummy tiger provisions of Section 10 of the Data Protection Acts which require the DPC to seek amicable resolution first and to focus on encouraging compliance rather than punish breaches).

    Dublin Web Summit has chosen, whether through a deliberate decision or a series of ego-driven and ignorance fuelled errors of judgement, to ignore the advice of the DPC and continues to act in a manner that flouts the Data Protection rules that (and here’s the kicker) are not ‘nice to have’ but are guaranteed under Article 16 of the TFEU and have been subject to a number of recent tests at Circuit Court and High Court.

    Basically this is a Data Protection cluster f*ck of the highest order that illustrates one of the key problems with the “Innovation culture” in Ireland and, on the part of Government, either a blatant hypocrisy or a sociopathic ability to hold multiple contradictory positions at once. We want to promote Ireland as a great place to do business with web and data. And we want to be seen to be a bastion of increasingly responsible governance and regulation (after all, we’ve learned the lessons of the financial services collapse right? That one where we had a Regulatory regime that was of so light a touch it could earn extra pin money touting for trade along the canal.) But for feck’s sake, don’t let the LAW get in the way of the use of TECHNOLOGY.

    Dublin Web Summit has almost certainly breached the Data Protection Acts in a variety of ways. Many of those breaches would appear to have occurred AFTER the DPC had given advice and guidance on what not to do, so the Web Summit organisers might want to check section 29 of the Data Protection Acts (never used, but there’s always a first time).

    Data Quality

    Data Protection and Data Quality go hand in hand. Heck, the principles for Data Protection are referred to in Directive 95/46/EC (and a variety of other places) as “Principles for Data Quality”. But on a more practical level, the approach the Web Summit has taken to obtaining and gathering their data and putting it to use has created some Data Quality problems.

    Take Karlin for example. Her contact details have been included on a media contact list for the event, touting her as someone from the media who is attending. A variety of sponsors and exhibitors at the event have apparently contacted her looking to meet at the conference. I’m guessing they’re a bit surprised when a leading tech journalist tells them she isn’t attending the event and won’t be able to meet with them.

    Also, eyeballing the “media list” I’ve found:

    • Duplicate entries (suggesting the list was created from multiple sources)
    • Organisations listed that might not be media organisations but are possibly service providers interfacing with media (new media/old media)… so VENDORS.

    The categorisation of organisations is hair splitting on my part, but the duplicate entries on a list that was being circulated to sponsors and exhibitors is indicative of a lazy and careless approach to managing data.

    How many of the people on the list are actually attending? And if you are counting the number of people attending from an organisation, are you allowing for duplicate and triplicate entries? If you are a marketing manager from a company who is ringing all these media people only to be told that they are either not attending or that they are not actually covering the tech aspects of the event but are (heaven forfend) actually exhibiting at the event yourself, how much will you trust this list next year? Will you be happy to pay for it?

    Never mind the quality, look at the tech!!

    Brand

    And this is where we come to the brand aspect of all of this. The Web Summit has made basic mistakes in Data Protection compliance even when presented with advice and guidance from the DPC. With regard to their Presdo social networking application, there are examples of it being used in data protection compliant ways (Karlin cites the le Web conference which used the same application but presented people with a code they could use to confirm their consent to their personal data being accessed and shared).

    But Dublin knows better. Dublin is the go-getter innovator. Rules schmules, Indians Schmindians.

    Which is a mantra that has disturbing echoes in the recent history of the European Economy. So it is a mantra we should, as thought leaders and innovators, be trying to distance ourselves from as much as possible. By showing how we can design privacy into everything we do in web and data and pushing the innovation envelope in ensuring balance.

    But here’s my fear. EI and the Government don’t get this. I am not aware of ANY EI incubator programme [Brian Honan informs me that Blanchardstown and Dundalk IT have had him in to talk to programmes] that provides training or briefings on Data Protection (Wayra does. I recently provided some content to help).

    My company has submitted proposals to various government backed training programmes for On-Line business, and I have got letters back telling me that Data Protection is not relevant.

    Everyone seems happy to touch the hem of the prophets of the Web and drink hungrily from the Kool Aid, repeating the mantra “Rules Schmules, Indians Schmindians”. But it is worth remembering the origins of the phrase “Drinking the Kool Aid” (hint: it didn’t work out well for the first group to do it).

    The Data Protection world globally is in a state of rapid evolution. Those who ignore the help and advice of Regulators invite penalties and brand damage. It is time that the thought leaders of our web economy stepped back and actually thought about how they develop their brand and build trust based in the personal data economy.

    Koolaid from the Floor [an update]

    I made the mistake of watching twitter streams from the Dublin Web Summit. The KoolAid was gushing. Lots of great ideas and interesting innovation but not a single person seemed to be addressing the gorilla in the room that is Data Protection and Privacy.

    Yes, Social Engagement is important. Yes it is important to build trust and engagement with your brand. But as W. Edwards Deming famously said:

    You can’t inspect quality into a product, it’s there from the beginning.

    In other words, if you don’t start off by respecting your customers and their privacy rights, you will leave a bad taste in your customers’ mouths and sour your brand.

    That’s the weedkiller in your web branding koolaid. Drink with care.