Generating Deranged Procedural Reinventions 

It's a funny old world.  Last week, whilst attending an FCA Network Forum, I sampled the views of various colleagues from other Networks on the subject of GDPR.  Most of them seemed relatively relaxed about the whole thing, although all of them had put into place procedures which (they felt) would allow them to comply with the new regulations.  All of them thought it all a bit over-baked, like a great deal of European bureaucracy - and with that view, I would struggle to demur.  By contrast, the FCA had even less to say - and given the diameter of the conduit which continually spews forth new publications, that's slightly disconcerting.

But it appears that the kind of pragmatic attitude evidenced by the larger regulated Networks is far from being replicated by the product-providers that we deal with.  This morning, I received a 'secure message' from one provider, which should remain nameless.  It's worth noting that I should never have been the recipient of this message in the first place, but we'll draw a veil over that.  I redirected it to our team-member who takes responsibility for such matters, thinking that - given its secure/encrypted status - this message must surely contain some kind of critical information.  As it transpires, it did not - the content of the document was entirely generic, with no specific data of any kind within it.  But, even that is secondary to my main point - which is, that in order to access this generic, nonspecific document, we had to jump through a whole series of security hoops that left us dreaming of a simpler, pastoral existence, caring for sheep on a rain-drenched hillside in West Wales.

Having received this generic, nonspecific document, we were then required to acknowledge the fact - and that action also involved the same insane jumping through a set of security procedures.  In the end, I counted around a dozen repetitive actions, simply in order to 'receive' this PDF which told us nothing relevant or helpful at all.  And, because this anonymous provider was using the wrong email address, every single step had to be mediated through myself.  In the aftermath to this pointless exercise, I have dialled up the coffee strength on our espresso machine by several notches, and am now twitching spasmodically - but perhaps you can understand why that kind of medication becomes necessary.  I have also polled our staff on the subject, and have discovered that this experience is not the result of one lone provider succumbing to a kind of GDPR-inspired psychosis.  Life in the office is rapidly transforming into a kind of interminable sequence of text alerts, giving us  'one-off' security codes in order for us to access emails that convey no sensitive data whatsoever.

It is difficult to imagine the mindset of the kind of bureaucrats that came up with GDPR.  I'd like to think that perhaps at least some of them, at some point in their lives, were rational human beings who saw a particular need and tried to come up with a solution.  In practice, I'm beginning to imagine them as a bunch of misanthropes with a deep and settled grudge against the world of commerce, perhaps plotting a nightmare scenario where we will all just grind to a halt, frozen within a vortex of security alerts, the hapless victims of a regulated culture which is designed to prevent you from doing anything useful at all.  I think that, at some point, we need to rather forcefully supply feedback to our product-providers on this issue - just in case they are labouring under the delusion that we might be prepared to continue dealing with them under such circumstances.

Meanwhile, I'm beginning to view our fax machine with renewed enthusiasm.  There's no spam. It's relatively secure.  It's a point to point communication.  When the document is sent, you have a report verifying that the recipient has received it.  And no self-respecting criminal would ever want to admit to having tried to hack into a fax machine.  That's just so twentieth century.

Kevin Moss, 04/05/2018