

Discretion is the Better Part of Valour
Preventing sensitive information from getting into the wrong hands should inform much of what we do in business.
We can help you navigate the legal terrain around privacy and protection issues: what you can and must do to keep your own and your clients' data safe.
Privacy by design (Pt 1)
Privacy by design sounds complicated. It is not.
The first question should always be: do I actually need this data?
If the answer is no, do not collect it.
That principle alone would solve most compliance issues. Instead, businesses hoard data “just in case”: old passports, dates of birth from employees who left years ago, outdated addresses.
All of it sitting on file, unused – and all of it a liability.
When you do need information, decide how long you need it for. Record your reasoning. Delete it when it is no longer relevant.
Privacy by design is less about paperwork and more about discipline.
Collect only what you need, keep it only as long as necessary, and let the rest go.
Privacy by design (Pt 2)
Outlook email chains are where privacy goes to die.
You’ve seen it happen before.
A client sends a passport copy, and a few replies later, Outlook has turned it into one long thread.
That passport is now trapped inside the chain.
And here’s the problem: you can’t just delete the sensitive bit. It’s all or nothing.
That is not privacy by design.
If you want to remove data, your systems should let you isolate it. Not force you to keep things you shouldn’t – or delete the whole conversation.
When the ICO (or another regulator, or even an ex-employee) asks questions, “Outlook wouldn’t let me delete it” won’t hold up in court.
Privacy by design means thinking about this stuff up front, making sure your processes don’t trap you in impossible choices later.
As with anything, preparing for this early on helps to avoid any potential mishandling (and costly consequences).
If you’re using Outlook to receive sensitive information, perhaps now’s the time to stop! There is a better way…
GDPR
Businesses love to ignore GDPR.
It feels like a problem for later.
But if you’re collecting data, sending newsletters, using analytics, running ads…
You’re in it, whether you like it or not. Ignoring it now will come back to bite you in the future.
Ask yourself:
→ Are you clear about what you collect and why?
→ Do you know where it’s stored – and who can access it?
→ How long do you keep it, and how long should you keep it (and please, can these two match)?
Because yes, regulators might not come knocking this week.
But an irate user might. Or a partner doing due diligence. Or a big client who needs you to be compliant to sign.
So when it comes to GDPR:
Don’t delay.
Ironing it out early means you can focus on the business.
But kicking it down the road might mean your business collapses.
Holding personal data
One of the most common problems I see:
People holding on to data they no longer need.
It might be because it’s left in forgotten Outlook threads, or maybe you kept it because you thought you might use it later.
However, if someone sends a DSAR (data subject access request), you might have to provide everything you hold on them.
Yes, EVERYTHING. Okay, I am exaggerating, but only very slightly.
You will have to go through everything. That includes:
→ Emails
→ Attachments
→ Comments in chats (even the snarky ones. Especially those.)
If you’ve stored something like a passport, a home address, or a date of birth for too long, unnecessarily, you will have to justify it.
The truth is, most founders see these things as unimportant… until they’re a grave risk to their entire organisation.
This is how breaches happen – not through malice, but through inertia.
And imagine if you got hacked and had all this data you shouldn't have kept?
So if you don’t *need it, delete it, and if you do need it, contain it, securely.
*Disclaimer: talk to a Data Protection lawyer about what to keep, and for how long.
Where's my data, dude?
I’m actually a fan of ad tech.
I’ve discovered great theatre shows, niche retailers, all kinds of useful things – thanks to those ad-serving systems people love to hate.
But let’s not pretend it’s simple.
Your data might be on several systems, in several incarnations, along with identifiable data.
Even people inside the industry don’t always understand how the systems work.
Data is ingested by one platform, passed into another, layered, enriched, and forwarded (some of it anonymised, some of it not).
So if your paperwork says it’s all anonymous or all under control, but your tech stack can’t guarantee that – it’s a problem.
And not just a commercial one, a legal one.
You might think you’re GDPR compliant, but unless you understand where your data goes (to stay...) – and how – you probably aren’t.
Keeping the data in order
I’ve offered data protection reviews to businesses for years.
Almost nobody takes it up.
Why? Because they think, “No one will care.”
That might be true, until someone does care, and it’s usually an angry former employee.
They ask for everything you hold on them, and when you realise you’ve held more than you should – you panic.
The ICO doesn’t want good intentions. They want compliance:
→ Show what you collect
→ Show why you keep it
→ Show when you deleted it
If you can’t do that, it’s a breach.
Why scramble around to fix things after the fact? Honestly, it is not that hard to get this right.