Why even small organisations must change mindsets for GDPR – Peak Demand

For many small organisations, GDPR is seen as an annoying, time-consuming piece of EU box-ticking bureaucracy. It seems clearly intended for big companies with lots of personal data who have the time, expertise and budget to implement it, yet the burden has fallen on small businesses, forced to invest time and money updating the stupid website privacy policy that nobody ever reads.

If this rings true for your small business, then I encourage you to take 5 minutes to read the simple scenario of a building firm below. Score your own answers to the questions posed from both the builder’s and the customer’s perspective.

The Small Business Owner

You are a builder. You agree to do some building work for a new customer. The customer agrees to lend you a key to the house for you to come and go – as during the day there is normally no-one at home.

What do you think about the following scenarios?

Give yourself a score for each question on a scale of 1 – 5 with (1) Absolutely Fine, (5) That’s bang out of order.


1. You can’t go to the house tomorrow, but you ask the customer if it is OK to give the key to a co-worker who will come instead.

2. You are going to another job but you’ve arranged for an electrician (who the customer hasn’t met) to go to the house and you’ve given the key to the electrician. You’ve sent the customer a text to let them know.

3. You are really busy on other jobs, so you’ve arranged for a sub-contract plasterer, electrician, plumber and roofer to work on the house over the next few weeks. You give the house key to the sub-contractor whenever necessary to keep the project on schedule.

4. You are really busy on other jobs, so you’ve arranged for a sub-contract plasterer, electrician, plumber and roofer to work on the house over the next few weeks. To make it easier for everyone, you go to Timpson and get some copies made of the key and give one to each sub-contractor.

5. You are really busy on other jobs, so you’ve let your apprentice do most of the work. You gave him the key but he can’t stand the hard work and decides to jack in the job. You can’t get hold of him to get the key back.

6. You went straight to the pub on Friday after work in your van. You’ve had a few drinks so get a lift home and return the next day to collect your van, only to find it has been stolen. You’d left the house key in the van.

7. You’ve asked a friend to update your website. They suggest adding some ‘before/after’ building work photos, so you give your friend the house key to pop in and take some photos.

8. You’ve finished the job, got paid and have now moved on to the next project. You still have the old customer’s house key in your van, but they never actually asked about having it back and you’re way too busy to drop it off.




The Customer

You decide to have some building work carried out in your home. You agree to lend a house key to the builder so he can come and go as during the day there is normally no-one at home.

How do you react in these situations?

Give yourself a score for each question on a scale of 1 – 5 with (1) Absolutely Fine, (5) I’m Very Angry!


1. The builder says he isn’t coming tomorrow but asks if it is OK to give the key to his co-worker who will come instead.

2. The builder texts you to say he isn’t coming tomorrow but he has given the key to a sub-contract electrician (that you’ve not met) who is needed to keep the project on schedule.

3. You discover that during the previous few weeks the builder had given your house key to various sub-contractors (electrician, plumber, plasterer and a roofer), so that they could come to the house, when the builder was working on other projects.

4. You find out after the event that the builder had been to Timpson and had copies made of your house key so that various sub-contractors (electrician, plumber, plasterer and a roofer), could come and go as needed.

5. The builder says he no longer has the key as he gave it to his apprentice who no longer works for him.

6. The builder tells you his van was stolen and he’d left your key in the van.

7. You find out after the event that the builder had given your key to a friend to come in and take photos of the building work to use on the builder’s website.

8. At the end of the project, you forgot to ask the builder to return the key, but you become aware some years later that the builder had just kept hold of it in his van when he could easily have dropped it in to you.




Differing Perspectives on the Same Scenarios

Hopefully, you recognised the scenarios listed were exactly the same, but considered from the differing perspectives of the builder and the customer.

From the builder’s perspective you may well have considered all the scenarios to be on the lower end of the scale towards “Absolutely Fine”. In the first 4 scenarios the actions of the builder were all in the interests of the customer and getting the job done promptly – so surely the customer would be happy? Scenarios 5 and 6 are perhaps unfortunate but was it the builder’s fault? Scenario 7 seems a bit dodgy but did you score it a middle-ranking “no harm done” rating? And finally in scenario 8 did you score it in the middle with a “customer should have asked for it” rating?

From the customer’s perspective you may well have scored more of the scenarios towards the higher, “I’m very angry!” end of the scale. Of course, there is no problem with scenario 1: the builder has asked for the customer’s permission. But in scenarios 2 – 4 did you think the builder had broken the trust the customer had placed in him when lending him the key? In scenarios 5 and 6 did you consider that the builder should have taken more care with the key? In scenario 7, we have the builder giving the customer’s key to a third party for a purpose unrelated to the building work. Finally, in scenario 8, you may argue that the customer should have asked for the key back, but was there a reasonable expectation that the builder would return it?

What has this to do with GDPR?

The house key is a metaphor for the customer’s personal information. The scenarios give the perspectives of the builder and the customer regarding how the customer’s personal information is being shared, kept safe (or not) and retained.

With GDPR an organisation should have the mindset that any personal information they receive is being lent to them for an agreed purpose. At no point did the builder ever think he owned the key and that is the mindset organisations should have with any personal data they hold.

  • Sharing Personal Data with Others

In our example, the builder was focused on getting the job done, but it was at the expense of the key being distributed widely amongst sub-contractors. GDPR doesn’t define whether the builder was right or wrong, but in debatable cases it always tips the balance towards the data subject (in our case, the customer). It is the organisation’s privacy policy that should define when, how and with whom personal data will be shared, and on what basis it will be shared. For example, scenario 1 was “consent”, whereas in scenarios 2, 3 and 4 the builder could only rely on “legitimate interest” or “fulfilment of a contract”. In those cases, the builder must give greater consideration to whether they are sharing in ways the data subject would reasonably expect and which have a minimal privacy impact.

  • Securing Personal Data

The builder was careless with the key and should have taken further steps to keep it safe. Under GDPR, an organisation that keeps personal data has a responsibility for keeping it safe.

Even when the customer gave permission for the builder to give the key to others, the builder still had a responsibility to ensure the sub-contractors took steps to keep the key safe. Organisations that share personal data must ensure that those they share it with have adequate controls. This obligation is usually formalised in a Data Processing Agreement (DPA).

  • Keeping Personal Data

The builder had no justification for keeping hold of the key once the job was finished. Even though the customer had forgotten to ask for it back, the builder had no reason to retain it. Organisations cannot retain personal data for longer than they can justify keeping it. The organisation’s privacy policy should define how long personal data is retained.

Next Steps

Why not share your scores and thoughts with others by posting a comment below?
