Continuing my thread from early October on this theme, I thought I would share another example.
This morning I received this email (lightly edited for the protection of the perpetrators – they should not be publicly humiliated – yet!).
Dear all, We are currently checking that all of our contact detail and email preferences are up to date in line with the changes to GDPR regulations last year. We know that many of you will have completed the branding and engagement document last year, but we want to ensure our records are up to date. Please may you fill out the attached form so that we can update our spreadsheets – it should only take a few minutes.
The form, two sides of A4 covering 23 data points about the relationship, both ASKS for information the organisation already holds AND, despite the description, PROVIDES information that we, the recipients, might wish to use (though no mention is made of that in the email).
So, to get this right…… in the name of GDPR the organisation is asking me to give it again in a word document data it already holds in order that it can verify the accuracy of the data it holds in a spreadsheet.
My immediate response to them:
Dear >>> Given that you already hold the data about us, could you not send the form pre-populated and enable us to correct any errors rather than starting from scratch again?
At the time of writing I have not received a reply. Where do I begin…………
1: For every organisation the sender works with somebody is redoing work they have already done – a waste
2: For every 100 keystrokes there will be around 2% error – so repeating the data entry will introduce new errors to the data – a waste
3: Somebody at the receiving end will have to check each form submitted against the data already held (we don’t know if it is only held once in a single spreadsheet – or many times in many spreadsheets………..) – a waste
4: Any differences in the data received and held will need to be corrected in the spreadsheets – remember – for every 100 keystrokes there will be a 2% error rate – a waste
5: There will be many (effectively uncontrolled) copies of the data somewhat defeating the object of GDPR:
5.1: one copy (at least) held by every submitting organisation
5.2: one copy of every submission held by the receiving organisation
5.3: at least one copy of every spreadsheet it is held in by the receiver
5.4: so, now the organisation has multiple versions of the truth in multiple documents in multiple formats.
Unless it is VERY VERY highly disciplined (never seen one that is) we can be pretty sure the old versions will have been distributed at some point to multiple users across the organisation in different functions and that process will now be replicated over the coming months.
5.5: Meanwhile I would bet my lunch that the old versions (regardless of where they are held) will neither be deleted nor archived.
A lot of work will have been done by a lot of people in a lot of organisations all of it invisible, none of it adding any value, in the name of compliance with legislation that the process chosen is guaranteed to breach. Meanwhile, notwithstanding the process gone through there WILL be a local data breach by somebody in the organisation – at least one email will be sent to at least one incorrect email address by at least one person!
All of the ‘few minutes’ taken will have been futile, everybody will have been made busier, nothing will have been achieved. It is NOT that they should not keep their data up to date but rather that they should do so with a process which is both efficient AND effective. This is neither.
Hidden Waste? QED?