I Can't Tell You That Cos Of GDPR - On Data Privacy

I Can’t Tell You That Cos Of GDPR

I can't tell you that

This week started with one of the more banal conversations I’ve had this month.  As an accountant tried to tell me GDPR stops him from telling me anything.

I’m always wary when someone calls me on the phone and starts to fire questions at me, wanting to know basic business details.  You might be the same?

This morning I was called by someone claiming to be from a firm of accountants.  We have a mutual client, he told me, and he had some questions about our invoicing to this client.

He never gave his name, not did he identify the name of the firm of accountants he claimed to represent.

For me, this meant “hackles up”.  Full defensive mode.

“GDPR Compliance Means I Can’t Tell You That…!”

I asked the name of the client he was talking about.

“I can’t tell you that!  GDPR you know!”

Now, I don’t know how your accounting system works, but on the system I use it’s really hard to review a series of customer invoices and speak knowledgeably about them if you don’t know who the customer is.

Perhaps if I had the invoice number or client account number?  So I asked for one or other of those.  After all, they’re on every invoice.  The response?

“GDPR compliance means I can’t tell you that!”

Well in that case my friend, this is going to be one of the shorter calls you’ll make today.  Because I can’t answer your questions if I don’t know who we’re talking about.

We Stumbled On

I understand all about client confidentiality.  There are things which can’t be said and can’t be shared.  However if business is going to carry on whilst respecting GDPR and the rights and freedoms of individuals, this incident indicates a problem to me.

I can’t see how personal data privacy and protection is at all enhanced when it is misused in this way.  The invoice in question was raised by a limited company and sent to a limited company (ie, not to a “natural person”).  As is the case with all of our invoices.

So when I asked him which article of the GDPR led him to believe he shouldn’t give me any clues about which “mutual client” we were supposed to be taking about, he just said nothing.

Of course, all this time I was thinking I could be speaking to a potential fraudster.  It turns out it was a legitimate enquiry.  However I was only able to solve it when he let slip the value of the invoice.  It was for an unusual amount, I knew exactly what it was for and was able to identify the client that way.  Simple question answered.

Be Wary Of The Business Prevention Department

GDPR is there to improve the processing of personal data by adding transparency and accountability.

It is not there to be used by business prevention departments (you know who these people are…) to obfuscate and raise unnecessary barriers to the normal course of business.  GDPR is there to help us to govern the processing of personal data, not to prevent it.

I am sitting here contemplating my coffee.  Wondering what goes on in a mind which wants to deal with a client issue without being prepared to share any information about it with the people who can help?

Presumably all this makes sense to them?