All weekends, holidays, and shore leave are cancelled until the summer due to GDPR. And I’m loving that. Supporting agencies and software developers to adopt the principles of privacy by design, to audit their data storage and flows, and to improve documentation and transparency is far more enjoyable than it should be. It is the single most transformative process I have seen in twenty-one years of working on the web, and the magic ingredient is not the code. It’s the person doing the pitch. By being positive, encouraging, and inspirational, you create evangelists who go on to do the same.
That’s not to say that there isn’t a lot of rubbish out there, which I choose not to dignify. I warn people of what to look for and how to recognise the worst of it, but I don’t allow to my public approach to be defined by anger and bitterness. I firmly believe in hating the game, not the player.
Even that being said, last week I received an email that was so appalling in every way it simply had to be called out. It went like this.
Where do we even start.
Do we start with the organisation itself – digital solutionists whose raison d’etre is that the fundamental processes of law, governance, and policymaking can be subverted by mass emails and petitions.
Do we start with the cult of the crowd – the notion that budgeting and planning aren’t necessary when you can beg £1 off enough people.
Do we start with this organisation’s view of data protection and privacy law as being about big business (they use that pitch a lot: what they call “big business”, I call the people who resource properly and show up) and, by inference, its applicability to groups which are not big business are an administrative oversight.
Do we start with their view of making sure their operations do not “break the law” – a subtle Americanism which is grounded in conflating the civil statutes of privacy and data protection with the criminal law of courtrooms and judges.
Do we start with a presumably grown woman wanting a pat on the head for “I’ve got spreadsheets, I’ve got to-do lists, I’ve colour-coded everything” in a professional context.
Do we start with the self-infantilisation of working “without a big legal department”, repeated as not having a big team of tech people “like Google or Facebook”, when only 10% of the GDPR compliance process, at best, requires a lawyer.
Do we start with the request for donations to fund “top legal advice” and “state-of-the-art new tech” – again, none of which are required for healthy GDPR compliance.
Do we start with the closer, “Please will you chip in to fund the legal experts and the technology to help keep 38 Degrees legal?”, an open admission that the baseline legal compliance it requires to function as a business is something which they have not budgeted or planned for.
Do we start with them genuinely not understanding that organisations that work with law and policy should not send out fundraising emails revealing a profound misunderstanding about law and policy.
Do we start with the implication that they weren’t following existing data protection and privacy law and that’s why they’re scrambling to catch up, one quid at a time.
Do we start with their admission that they believe they shouldn’t have to run their business like you run yours.
Or do we simply save ourselves the aggravation and put this whip-round on a plinth as the pinnacle of slactivism and digital solutionism.
Yes, let’s do that.
Let’s hold it up as the organisational suicide note it is: an admission that digital solutionists who claim to be able to make things happen by magic and by clicks are the last people you should trust to take meaningful action on laws and policy.
We are people of enormous power and influence over the web. I empower digital professionals to use that power wisely. As a tech policy and regulation specialist, I educate the makers of the web on the policy issues which impact their work, inspire communities to participate constructively in the regulatory sphere, and represent the tech sector in the advocacy processes which shape the web.