The (Not So) Impersonal Touch

by Matthew Cunliffe, 29th January 2018, in Security, Technological Thoughts

I received a telephone call this evening from a company that purported to be Lorien (on 0333 023 0006 if you are interested), a recruitment consultancy. Ordinarily, this wouldn’t be a problem, although quarter to eight in the evening is perhaps not the most appropriate time.

There are several problems with this call: whilst it is common knowledge that agencies will trawl job sites for appropriate CVs, I have never had a business relationship with Lorien, and therefore have never given them explicit permission to call me.

More than this, the call was automated, with a female voice informing me that they had my details on file and to comply with GDPR, I either needed to hang up to allow them to keep my CV or press “1” to have my details removed from their database. Now, since I’ve never really had any direct communication with Lorien, it follows on from this that I have definitely never given them permission to call me using an automated system.

GDPR itself is also about explicit OPT-IN. In response, Lorien (purportedly) suggested I do nothing to keep my details on file – in other words, an implicit opt-in; and to press “1” to have them removed – an explicit opt-out.

When I did press “1”, I was then told I was being sent a text message with a link to where I could opt-out. Surely if I have pressed the option to remove my details, then they should do that immediately, rather than have me click the link?

The final joke in this litany of failure is that the link provided was to https://secure.telereso.com. Certainly, the text message said it was from Lorien, but how can I be sure? I’m certainly not clicking on the link to find out.

I have done a bit of digging, just to make sure. Telereso was set up in June 2017 to allow bulk calling, apparently to advertise jobs:

Telereso makes the calls. 1000s per second if you want - people pick up - your job broadcast is played.

Google Search results for Telereso

Clicking on the link to telereso.com, I was warned that the SSL certificate was not exactly reliable. A further scan of the site revealed that the certificate had expired in 2016 and didn’t relate to telereso.com at all. Scanning secure.telereso.com did at least provide a modicum of comfort, in that it uses a Let’s Encrypt certificate which expires in April (since they renew every 90 days).

SSL Certificate is expired, does not match name telereso.com and is not trusted.

SSL Results for telereso.com
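The three findings above (expired, does not match the name, not trusted) are separate checks, and it is worth seeing how they fall out of a client's own validation rather than a scanning service. The script below is an added example, not code from the original post or from Telereso or Lorien. It works on the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns, so the same checker can be pointed at a live host or, as here, at constructed certificate dictionaries that imitate the post's result (the names `old-host.example`, the dates and `NOW_2018` are made up for the illustration; nothing in it is a real telereso.com certificate). The hostname check follows the browser rule that only the dNSName entries in the Subject Alternative Name extension count, the commonName being ignored.

```python
"""Check a server certificate the way a browser does: is it inside its
validity window, and does the name we connected to appear among its
Subject Alternative Names?

Added example (not code from the original post, Telereso or Lorien). It
operates on the dict that ssl.SSLSocket.getpeercert() returns, so the
checker runs against a live host (scan_host) or against the constructed
sample certificates at the bottom of the file.
"""
import socket
import ssl
import time
from typing import List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, RFC 6125 style.

    A wildcard is honoured only as the whole left-most label, only when at
    least two labels follow it, and it never spans a dot: "*.example.com"
    covers "www.example.com" but not "example.com", "a.b.example.com", nor
    anything a partial wildcard such as "w*.example.com" would claim.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_cert(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the problems found; an empty list means the certificate is
    valid for `hostname` at time `now` (epoch seconds, default: now)."""
    problems: List[str] = []
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append(f"not yet valid until {cert['notBefore']}")
    if now > not_after:
        problems.append(f"expired on {cert['notAfter']}")
    # Browsers ignore the subject commonName and consult only dNSName SANs,
    # so a certificate whose SAN list does not cover the host is a mismatch
    # whatever its CN says.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        problems.append("no dNSName subjectAltName entries")
    elif not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: {hostname} not in {names}")
    return problems


def scan_host(host: str, port: int = 443, timeout: float = 10.0) -> List[str]:
    """Connect to a live host and report certificate problems.

    OpenSSL validates the chain and the validity dates during the handshake;
    an expired or untrusted certificate is reported via verify_message, since
    getpeercert() returns an empty dict when validation fails. Hostname
    matching is switched off here and left to check_cert(). Needs network
    access, so it is not exercised by the offline sample below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is done in check_cert()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return check_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return [f"chain rejected: {exc.verify_message}"]


# Constructed sample data (not real telereso.com certificates): one expired
# certificate issued to a different name, as the scan in the post reports,
# and one current 90-day certificate for the secure host.
NOW_2018 = ssl.cert_time_to_seconds("Jan 29 19:45:00 2018 GMT")
EXPIRED_OTHER_NAME_CERT = {
    "subject": ((("commonName", "old-host.example"),),),
    "notBefore": "Jan 10 00:00:00 2015 GMT",
    "notAfter": "Jun 30 23:59:59 2016 GMT",
    "subjectAltName": (("DNS", "old-host.example"),),
}
CURRENT_SECURE_CERT = {
    "subject": ((("commonName", "secure.telereso.com"),),),
    "notBefore": "Jan 10 00:00:00 2018 GMT",
    "notAfter": "Apr 10 00:00:00 2018 GMT",
    "subjectAltName": (("DNS", "secure.telereso.com"),),
}

if __name__ == "__main__":
    print("telereso.com        ->", check_cert(EXPIRED_OTHER_NAME_CERT, "telereso.com", NOW_2018))
    print("secure.telereso.com ->", check_cert(CURRENT_SECURE_CERT, "secure.telereso.com", NOW_2018))
```

Run against the first sample, `check_cert` returns both an "expired on" and a "name mismatch" finding; against the second it returns nothing, and returns only the name mismatch if you ask about the bare `telereso.com`, which is the point: a valid certificate for `secure.telereso.com` says nothing about the parent domain, and vice versa.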

However, it doesn’t inspire confidence in Lorien or Telereso about their adherence to GDPR and the security of your data, given that they are asking for an implicit opt-in, use a third party for service calls, and that that third party has one expired SSL certificate and uses another, free, certificate-issuing authority to protect their main secure site. (I have no qualms about Let’s Encrypt, but what I do question is the level of security they employ elsewhere if they are unwilling to pay for a corporate-standard SSL certificate.)

And I have still absolutely no proof that the message was sent on behalf of Lorien, because it was entirely automated. So, if you’re reading this Lorien, please remove my details from your system, because I’m not sure I can trust you or Telereso with it.

Update 1st February 2018

I have just had a very pleasant chat with David Gettins, the new CEO of Lorien, to discuss the call, which was a trial with a limited set of people to gauge its effectiveness. It’s encouraging to see that he is keen on learning lessons and improving processes and communication with clients and contractors.

The upshot of this is that, whilst I still think that the call was incredibly misguided and self-defeating, Lorien are listening and learning, and a simple personal call was all it took to reassure me that they are taking things seriously. From washing my hands of Lorien, I am now willing to consider them as an agency.

All in all, a good start to David Gettins’ new role as CEO, although perhaps internal processes need to be improved to ensure such a catalogue of failures never sees the light of day again.

Matthew Cunliffe

Author

Matthew is an IT specialist with more than 24 years experience in software development and project management. He has a wide range of interests, including international political theory; playing guitar; music; hiking, kayaking, and bouldering; and data privacy and ethics in IT.
