Nigel's Eyes

20220505 Where compliance and tech diverge.

Post-pandemic, I've been out and about and finding out what's been going on while people have been working in their own little silos. I expected that most things I would find would be as I had moaned about before: the increasingly restrictive law, regulations and rules that have appeared during the pandemic. But no, even that landslide is not the most surprising. This is ...

I'm not going to name the building but I will say that it's occupied by one of the world's most vaunted companies in flexible office spaces.

I'm a fan of flexible offices: I've used them since the 1990s, as an adjunct to working from home.

I know, you are about to yawn and say that I'm going to go on again about how all the stuff you think is new really isn't and how while you are excited, I'm increasingly bored. Well, I'm not. That's not the point of this blog at all. But you can take it if you wish.

No, the point is that this very expensively set up building - which is lovely by the way - has basic flaws that make it very annoying and, in one case at least, raise a very significant GDPR compliance issue.

Let's start with the entrance: it's cathedral-like. And there are gates that are controlled by a card-entry system. True, a moderately athletic person could jump the gates and the glass barrier alongside them with ease but that's not really the point of them. The point is to slow you down as you enter so that you go to the reception desk. We'll come back to the reception desk because it's there that the GDPR concern arises.

Once beyond the gates, some areas are public and some are controlled by access cards. So far, so normal.

When it's time to leave, things get weird.

To walk out of the gates, you don't need a card. You know this because a sign tells you so. So, as you are looking at the sign, you just keep walking. The sensor for the gate is somewhere where, by the time it knows that the gate should be open, someone who has just kept walking crashes into the gates which are only then starting to open. You don't see them because you've lifted your eyes from the sign and you are checking that no one is going to come into the opposite side of the gate or is hanging around waiting to be bumped into.

So, with the smallest part of peripheral downward vision you sense movement and come to the most abrupt stop that inertia allows before the rising edge of the gate performs surgery on your private parts.

You remind yourself not to do that again, knowing that when you aren't paying attention you'll do it anyway.

The main door closes at 6pm. But of course office life doesn't stop and people still need to get out so there is a side door. It has the same gates. And a door. Like a cathedral door. Big. Solid wood. Really nice. Wish I had one as the front door of my flat. It would match all the big, solid, wood doors to all the rooms but bizarrely it wouldn't meet fire regulations for an external door. Off point. Focus, Nigel.

So, you walk out of the gate (remembering not to get maimed) and then find you do need a key. You need a key to get out of the big wooden door. But now you are the wrong side of the gate and if, like me, you are a visitor, you don't have a key. So you are trapped.

I am not moderately athletic. How could I possibly jump the gates? So a kind person with a key passed it to me. There were several boxes any of which might have been the reader. I tried them all until I heard the door click behind me and then found that there isn't enough time to open the big, heavy door and get the card back to the kind person. I held the door and thought about throwing the card but that seemed rude. I tried to get to the gate to hand the card back but the door closed and the whole process had to be started again.

The solution is that a kind person has to go out through the gate, put the key on the card reader for the door, I have to open the door, express my thanks then the kind person has to go back through the gate using the card.

It's just silly and it's like so many ridiculous risk and compliance processes I came across in my travels. Designed by people who don't actually use them, in isolation, thinking "this is a good idea" when, in the real world, it really is not.

But it's the registration system that is the major concern and it's the reason why I'm not naming the building or the company concerned: I'm not in the business of making problems for people who don't willingly commit harm.

The registration system requires you to enter your name. Fine. It requires you to say who you are visiting. In principle, that's fine but the execution is not fine.

First, it's not bright: it knows what it knows and nothing else so if you don't start with something it expects, it stops. Naturally, what I entered as the name of the company was its trade name and that wasn't there. And because I hadn't started with the first letter of the company's formal name, it couldn't find it.

That was irritating as I stood trying to guess what it might want but it was the next stage that causes concern.

GDPR is all about the protection of PERSONAL data. Like names, job titles and the like. So when you start typing the name of the person you are to see, it calls up a pick list of all those starting with e.g. A. or B. or as the case may be.

So, for the sake of a few moments at the screen, the whole company directory can be displayed.

Including, as it turns out, full names if that's what people have registered (which is what people tend to do).

I used to despair at the linguistic abominations of the Blair government and one that used to rile me more than most was "joined up thinking." Now I find myself saying that the big problem we are seeing across risk and compliance and in almost anything where tech is deployed is that there is a signal lack of joined up thinking.

Why did no one think that people won't slow down when a sign tells them they don't need to use a key, or that people without keys might want to leave the building after 6, or that displaying personal details on a public screen is not a good idea?

I used to laugh at those who talk about "holistic" approaches. But they were right. It seems that everyone does their own little task and no one takes a complete overview of the project with the eye of the user.

Maybe I'll write about my troubles with fintech and apps at some point but I think you should by now have the picture.

Hopefully, it's the whole picture and not just my little bit of it.