ONCE UPON A TIME...
A local branch manager of a bank calls the DPO in a bit of a panic. He received a letter from a customer in which the customer threatens to divulge information that was openly available on the desk of the branch manager so the bank would be labeled as not protection the data of its customers as it should. His ransom: granting him his loan request to buy a tractor.
OK, this is strange. Let us back the story up a bit.
WHO?
The main character is a 67 year old farmer. Farmers are hard workers. Some cannot stop working at the "normal" retirement age: some do not want to stop, others have not built up a retirement fund so they economically have to continue working to maintain an income. In any case, this farmer was not ready to stop and applied for a loan to buy a new tractor... five times. The bank every time had declined those applications, mainly because - amongst others due to his age - the farmer was not considered creditworthy. The farmer actually had escalated his application to the centralised credit department of the bank, but that service had rerouted the request to the local branch office, because that was the procedure for loan application up to a certain amount. So the farmer was... frustrated. He had made a new appointment with the branch manager.
The branch manager was the boss of a local bank branch with only a handful of staff members. So he is no "manager-manager", but actually did quite a lot of day-to-day work in the office. That included handling most of the loan applications above a certain amount, like house loans and bigger commercial loans.
THE MEETING
The farmer had been, for a big part of his life, a good customer of the bank. So the branch manager accepted to meet the farmer once again. He squeezed him in after another meeting before closing the branch.
The farmer came to the meeting prepared. He had the reply of the central credit department and a new calculation of how he planned to pay back the tractor. He also came early. So after letting out the couple that came for its house loan, the branch manager did not get the time to prepare for the new meeting. He immediately let the farmer in. The discussion could begin.
After a while the branch manager agreed to look at this new proposal, without making promises however as the prior applications were really looked at in depth and - after this talk - he did not expect anything significantly different. But ok, he would make a copy of the farmer's proposal and look at it the day after.
The branch manager left the office to make the copy, in a few moments returned and handed the copy to the farmer. Here the story is a bit blurred. Either the house loan application information of the couple was on the branch manager's desk and the farmer took it; or that information was on the copier and the branch manager accidently assembled it with the farmer's copy and handed the information to him.
In any case the farmer now had more or less a complete financial overview of the couple, residents of the same (small) town. And he decided to (ab)use that position by putting pressure on the branch manager. In a small town like their's the rumour would go really fast and might harm the business of the bank for quite some time.
THE REACTION
The branch manager chose not to try to solve this on his own, but used a help line. He called the data protection officer to help look for a solution. And they, together with a member of the litigation team of the bank, decided to write the farmer a letter describing the situation, stating that his action was inappropriate, disrespectful and contrary to the law, and giving him a chance to rectifiy his action by bringing back the information and signing off on a declaration that he had not taken copies.
THE OUTCOME
The farmer did immediately bring back the information and did sign off the document. He did not however get his loan. The creditworthiness had not changed.
COMMENT
I like this story because it shows a number of things:- loosing data is more common than you would think:
- it does not per se require a "bad" bad guy, the farmer was a very ordinary person
- it does not require big mistakes from the staff, having some papers on your desk or on the copier after a meeting and being in a hurry, who is not guilty of that sometimes?
- it does not require high tech hacking, it can be as simple as information on paper in an office
- seek help immediately
- Covering up or handling it on yourself is a natural reflex, BUT...
- following that reflex can and often does lead to more problem; in this case going along with the "blackmail" would have led to a breach of the credit adjudication policy of the bank, so that would have been discovered; providing the loan himself was impossible for the branch manager; calling the farmer's bluff may have blown up in the face of the branch manager; etc. Quite a lot of movies build on that combination of covering up and how it turns bad.
- overcoming that reflex opens up (more) possibilities to finding a solution (faster)
- When looking for help immediately the team looking at the problem has more options to tackle the issue and only has to tackle a limited, not-cumulated number of issues. Options generally diminish and issues generally cumulate as time passes.
- Lawyers, risk managers, compliance officers, (senior and middle) managers, etc. are often seen as people playing the blame game. And unfortunately that is quite often true. BUT...
- good ones do not play the blame game but look for solutions. It is one of the principles a data protection officer should live up to.
THE POWER OF STORIES
(repetition of the intro of the series:) Stories are of all times, but lately organisational behaviorists and marketers have a renewed interest in them. DPOs have stories as well of their own experience or heared in there community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussions. Note that we keep some obscurity and that any reference to a name or situation you may know is likely to be based on coincidence. :-)CALL TO ACTION
Do you have any good stories? Can you (pseudonomised) share them? (If so, please, do.)
Do you know movies where covering up turns bad?
No comments:
Post a Comment