AIBU?

To report this client to the authorities?

17 replies

DilianaDilemma · 24/06/2018 18:12

I'm a contract manager for a large corporate client. My direct client contact, let's call him X, is a middle manager in his organisation. My employer runs a few outsourcing contracts for X's department.

Due to the recent changes in data protection legislation under the GDPR, I subjected all of my contracts to a comprehensive compliance review and have had to make a number of changes to the way we work. Where I found issues, I pro-actively contacted my clients and tried to work out solutions with them that would protect them as well as myself, my employer and the people who work for me. Everyone's been very positive about this, in spite of the whole thing being a bit of a pain in the backside. Everyone except X, that is.

X is actively refusing to implement any changes in his department's way of working to ensure continued compliance. During the course of my review, I also discovered that X was using several IT systems, some of which I'm responsible for, in ways the legality of which is highly dubious. X is furthermore demanding that I and my teams help him do this.

When I refused to assist X with what is clearly not a legal use of personal data, X threatened to have all my employer's contracts withdrawn and to put word out to my higher-ups that I was personally responsible for this. I have this in writing. Yes, he actually emailed me this.

I obviously forwarded this to my direct manager as well as her boss. They both suggest that I report this to the client's internal compliance office but also say that, seeing as I'm the contract manager in charge, it's really up to me to decide how to handle it.

I'm in half a mind to report X to the authorities or at least his CEO instead of internal compliance. I don't take kindly to being threatened.

WWYD?

Kingsclerelass · 24/06/2018 18:24

GDPR is still new and people are still getting used to it. So maybe not report him yet.
Does your customer have a Privacy policy or GDPR statement on their web site?

Can you show him that he’s in breach of his own company’s policy and is asking you to break it as well?
If they are a large company, they must have a nominated data compliance officer by law. Could you have a word with them?

DilianaDilemma · 24/06/2018 18:32

Thanks!

I did show him that he was in breach and how. I also made a number of suggestions as to how we could work together to fix these issues. And, no, it wouldn't have cost him any more than he's currently paying. I'm as interested in not being sued as I presume my clients are.

I also asked to meet with him and the compliance officer. He declined this as well as implementing any changes to how we worked together. His reasoning is that he finds it inconvenient and, ironically, that he thought it was intrusive to have to log whose data he accesses.

And, yes, the client org obviously has a policy in place. I run a number of contracts for other departments at the same client and they've all been very good about it and keen to work together to resolve issues.

It's the being threatened part that really makes me angry. Needless to say, I have nothing to fear from refusing to help someone break the law. But the fact that he even thought he might try to blackmail me into helping him has me worried.

jayho · 24/06/2018 18:34

Report to the Information Commissioner's Office.

WineGummyBear · 24/06/2018 18:40

Your two managers have made the same suggestion. I'd follow it.

And document EVERYTHING.

Good luck.

Sleepless123456789 · 24/06/2018 18:42

Report him

Vixnixtrix1981 · 24/06/2018 18:46

I'm fairly sure that you now have to report any breaches within 72 hours, where feasible. So waiting is not something you can do!

SadTrombone · 24/06/2018 18:46

I'd seriously consider reporting to the ICO (but would probably discuss with your manager first)

bellinisurge · 24/06/2018 18:47

If they are actively refusing to update their systems and people's personal information is at risk, report them to ICO. Can't guarantee it will make much difference but I'm pretty sure the "it's new law" argument only flies if you are trying to get it right.
Is your company responsible for this information as well, or does the processing happen because of a contract with you, even if you never see the personal data? If so, your company is at risk.

Jamiefraserskilt · 24/06/2018 18:49

He must have a boss, so send a report of your concerns with the email he sent as an example of his non-cooperation. The board of directors are ultimately responsible and absolutely do not do anything that jeopardises data privacy.
He is being a knob. Fine if he wants his company to be fined up to 4% of global turnover and be publicly humiliated.

DilianaDilemma · 24/06/2018 18:59

Yes, my company is a data processor, and hence is at risk. I'm working with my own legal team to address the situation and, in the meantime, have instructed my teams to stop carrying out any tasks to do with personal data pertaining to X's department. Legal assures me that we can't be sued for breach of contract when following client requests is actually against the law.

Legal advise me to report, but they also say it's new and everyone is still massively confused about it - including them. My direct managers advise me to take the internal route instead to safeguard the relationship with the client. It's my call to make and there doesn't seem to be any precedent so far, so I'm admittedly somewhat conflicted.

bellinisurge · 24/06/2018 19:08

Data processor and data controller can be jointly liable. Your company can be sued even if the regulator doesn't take action. If they actively refuse to engage with the new law, they can be in more trouble than your company but, as pp has said, document EVERYTHING. A company going bump is now no excuse, btw.

BigPinkBall · 24/06/2018 19:12

I’d report him but then I’m of the mind that anyone who tries to use bullying tactics ought to be shown in no uncertain terms that they won’t get away with it.

bellinisurge · 24/06/2018 19:14

A dodgy client is a dodgy client. I'm not much for getting hysterical about GDPR but that's only if you have robust systems in place which should have been there in the first place. GDPR means that data processors can find themselves in the shit as well.

Bombardier25966 · 24/06/2018 19:23

I wouldn't go to the ICO at this point, they're massively under resourced and it could take months to even look at your report.

Go to the client's compliance officer. If you go straight to the CEO it will no doubt get passed back to them anyway, the CEO will not have the expertise or time to deal with it themselves. It also gives you a further escalation if the compliance officer does not act.

Violetroselily · 24/06/2018 19:26

Surely you have internal procedures for dealing with identified regulatory or legal non-compliance?

Consult those, not MN.

MipMipMip · 24/06/2018 19:42

I'd report him to internal compliance and give them a heads up that you have no choice but to report to the ICO (not sure of the timescale). That way they can get it fixed and, when the ICO come knocking, can fairly say they have sacked him, noted the problem and got it in hand.

Snowysky20009 · 24/06/2018 19:44

Is he really worth having as a client?
