GDPR – Go the extra mile

by Carl Roberts, Chief Information Security Officer at SMT.

People have the right to know what data you are collecting about them, why and what they can do about it. These rights are enforced by the EU general protection regulation (GDPR) from May 25th 2018.


As an organisation you should have established an inventory of all personal data you have collected on the individuals, indexed by the processing you apply to it. You will have already established the purpose and legality of that processing, now you have to inform the affected people.

You have a fundamental choice to make at this stage – do we do the bare minimum to satisfy the regulation or do we go beyond this ?


The basics

The bare minimum approach is to create a web page that defines the types of data used, the purpose, how it is used and where it goes. You will also need to tell the affected people how to assert their rights and who to contact for this. A basic set of questions you would need to address includes:

  • Do you share the data with any other entities and why?
  • Do you send the data out of the country, where and why?
  • Who do you use to process the data, for example what cloud services might you employ?
  • How do people contact you?


There are some generators on the web that can help create a structure to deal with this and some can be beneficial to get you started. But do you really want to create a web page that looks like some typical end user agreement that we all ignore?


Go the extra mile

Creating pages of legal text that no human will ever read, not only goes against the intent of the European directives, it is also bad marketing. What if you could achieve the legal objectives but also increased the level of trust in your brand while informing the public of your services? Why waste a part of your website hiding away your obligations when you could engage with your customers?

A good example of this can be found on the TomTom website. What I like about this page is that all the required information is covered but then they break it down per application in a way that shows transparency but also informs me of all their services that I may not have known I could purchase. Look at what you are doing already, and if anything, ask yourselves:

  • Does it achieve the basics?
  • Would I read this?
  • Would it impress me?


So, don’t hide away your privacy policy, go beyond the minimum and serenade your customers with your trustworthiness and services.

To be continued…


March 2018