The shiny new GDPR privacy policy

First thing you need to know is this is a work in progress. It sets out the principles Marshway Projects Ltd (which trades as Stuart Bruce Associates) try and abide by. Hopefully, they are all expressed here. But it’s possible we’ve forgotten some that we’ll add later. They are in as plain English as is possible. I’ve ditched my old ‘legalese’ privacy policy which won’t please the lawyers, but I want something that people can actually understand and where the sentiment is clear.

So what do you need to know?

We won’t share your data

Most important is probably that we don’t share your contact or personal data with any old Tom, Dick or Harriet. In fact, we don’t share it with anyone outside Marshway Projects. That’s two people. Me and my co-director, who is also my wife. That means your data is pretty safe with us as we’ll never sell or give it to any dodgy people, or even any non-dodgy people or companies. We might occasionally ‘use’ the data on behalf of other people, but we won’t let them get their grubby hands on it. For example, we’ll send you an email saying the Chartered Institute of Public Relations (example, because I’ve actually done this) is running the event and if you’d like to come then please reply to the CIPR directly. It means you get to decide which of your details you share so you can benefit from the opportunity we’ve told you about.

We don’t have regular need for a solicitor so don’t share any data with them. In fact, just about our only regular supplier we share any data with is our accountants Russell Smith Chartered Accountants. Russell and his team are as close to cool as it’s possible for accountants to be, so they’ve dotted all the i’s and crossed all the t’s when it comes to security and privacy.

Occasionally we’ll use an associate, freelance or contractor to help with some of the work we’re doing. It should be obvious that we only use people who we think are good, so there’s really no reason to be concerned. And besides, we only share ‘data’ that we definitely need to share in order to do the job. While they are working for us it’s just like it being shared with a normal employee.

The only time I can really conceive of sharing your data in a way that you wouldn’t like is if the cops or government come calling and demand to see it. I’m going to comply. Wouldn’t you?

Tools we use

Well this is a tricky one. Trying to think of and remember the various tools we use in everyday life. Most of Stuart Bruce Associates runs on Microsoft Office 365, which as far as I know has Rolls-Royce levels of security and GDPR compliance. For finance and accounts, we use FreeAgent, which used to be a fantastic independent Scottish software company, but is now still fantastic, just owned by a big bank.

These are the tools we use (and therefore where your data might reside):

  • Microsoft Office 365 Business – Outlook, OneDrive, OneNote, Power Automate, Excel, PowerPoint, Word, Teams, To-Do, Planner, Sway.
  • FreeAgent – for accounts.
  • Zapier – to help automate and sync stuff.
  • IFTTT – to help automate and sync stuff.
  • Hubspot – a CRM (contact relationship management) system.
  • PieSync – to sync contact data between the various services and platforms we use.
  • Android – contact data is synced to Outlook on mobiles, which means Android then syncs it to the native contact app to make it all work properly.
  • Truecaller – an Android app that tells you who is calling, even if they aren’t one of your contacts. No idea how GDPR compliant it is, but it’s their data, not mine, and it’s essential as it helps me to avoid all those “you’ve been in an accident” and “time to upgrade your mobile” calls.
  • WordPress – the company website and Stuart Bruce’s personal blog both run on self-hosted WordPress. The host is SiteGround, which is based in the EU and is one of the most respected WordPress hosts there is.
  • Cloudflare – we squirt our websites through Cloudflare to make them faster, safer and more secure.
  • There are obviously cookies (not the kind you eat) to track stuff like Google Analytics and in some of the third-party plug-ins. I use the JetPack plug-in to provide a cookie opt-in bar, even though it’s fairly pointless as probably less than 1% of visitors care, but it’s the law so sorry for annoying you with it.
  • MalCare – protects all our websites.
  • WordFence – also protects our websites, as you can never be too careful.

Stuart Bruce’s personal email list

Stuart Bruce also has a personal mailing list, which he very rarely uses, but which was ‘cleaned’ a week before GDPR legislation kicked in.

It is Stuart’s PERSONAL email list that he uses for NEWSletters. The clue’s in the name. NEWS, not marketing bull****. It’s mainly news and views about the future of modernised public relations, corporate affairs, reputation management, public affairs and corporate communications. It’s never heavy sales or marketing stuff, so you won’t be getting any ‘Buy One Get One Free’ offers.

As Stuart co-owns Stuart Bruce Associates (Marshway Projects Ltd) then he uses his personal email list to share personal news and business news.

Social media

It’s the 21st-century folks so social media is essential to running a successful consultancy business (well actually pretty damned important for any business) so we’re using Twitter, Facebook, LinkedIn, Instagram, Snapchat, Pinterest, TikTok… in fact our founder Stuart Bruce has an account on just about every platform going.

He doesn’t use them all, all of the time, but needs to keep his hand in so we can help clients by knowing all about them. That means if a shiny new thing launches chances are he’ll be an early adopter… and if most recent launches are anything to go by… an early dormant account as he’ll keep it open (to protect his user ID which is nearly always stuartbruce or stuartbrucepr), but won’t use it much. If you’re on any of these platforms he might try to connect and interact with you, because that’s the nice and professional thing to do. He won’t be offended if you don’t reciprocate (OK maybe a tiny bit offended).


We try to be as secure as possible. Every cloud service we use has a different secure password, controlled by a world-class password management system. And on most services we’ve activated two-factor authentication – this means having the password isn’t enough as you’ve also got to enter a second separate code that you get by text message or Microsoft Authenticator.

Laptops, tablets and mobiles are all password protected.

Websites are protected by MalCare and WordFence.

Data we collect

Obviously we only collect personal data that’s essential to running the business and living life. And there’s the problem. The business is public RELATIONS. How the **** can you have good relations with someone or something if you deliberately forget stuff you know about them? It makes you a rude ****hole.

So rather than trying to answer the impossible question of what data, it’s probably better to understand why. It’s to help us to be better people and be better public relations professionals. We believe it’s negligent and incompetent not to use all of the knowledge you possess to do the very best you can.

On a practical level it means if you’ve been on a training course run by Stuart Bruce and he discovers you’re interested in something then he’ll try to make a note of it so if he spots anything about that topic he can send it to you, just to be helpful. He’s got a memory like a sieve, so won’t stand a chance of remembering it if he doesn’t make a note. The same applies if you’re a consultancy client and you mention over coffee that you’re interested in something, he’ll try to make a note in case he can help in future.

Knowing stuff like this also helps us with relationships. If somebody says “does anyone know someone who knows about/can help with……” we like to help and say “Yes, I know….. “, but we can’t do that unless we’ve made some notes and kept your data.

We also keep it because we’re quite hoping you might hire us in future to help you modernise or improve your corporate affairs, public relations, public affairs and corporate communications. It’s kind of why we run a business. So Stuart Bruce can feed, clothe and keep a roof over the head of himself and his family… and enjoy the occasional holiday. We’re hoping you don’t begrudge us that.

So we’re not going to give a definitive list of ‘what data’ as that will constantly change, but it includes all the obvious stuff – name, contact details, bank stuff if you’ve got to pay us or we’ve got to pay you, what services we’ve provided for you (even if it’s via a third party because we’d be unprofessional and incompetent fools if we couldn’t remember what we’d done for you).

There’s also this bit about ‘sensitive data’ which bizarrely includes politics and trade unions. Well frankly we’re baffled as to why they should be sensitive. Both directors are quite happy for everyone to know they are members of the Labour Party. This is relevant because in many circumstances it shouldn’t be sensitive at all and is an important part of personal and business relationships and therefore might need to be recorded. Because it means we’ve got something in common, something to chat about over coffee, beer or wine. It’s what nice people do. They listen and take an interest in others. If that’s a problem for you, then I’ll happily delete it. But the problem with that is for lots of people I don’t know or can’t remember. If you ask me to delete it from my notes then one thing you can be certain of is it will suddenly be at the top of my mind so I will know and remember. Without a Men in Black style ray gun to erase my memory, there’s nothing either of us can do about that.

Transferring data

Another tricky one. We will never deliberately transfer your data outside of the EU, and where it does end up outside the EU, all of our cloud providers are (as far as we are aware) GDPR compliant. However, Stuart Bruce travels a lot. And that means all of the contacts on his mobile and laptop travel with him. That’s because he needs to work when overseas. If he didn’t do this he’d have to close the business. Then he’d be penniless and his family would starve (well maybe not starve, but you get the picture). So he’s going to keep doing this. But all the devices are password protected by Windows 10, iOS and Microsoft Launcher on his mobile. That’s as good as it gets folks.

Forgetting you

This is the bit of GDPR that is bonkers! Why the heck would you ever want to forget people? Why would we want them to forget us? It’s insane. It’s rude, uncouth and unprofessional. Who wants to end up all alone as a hermit?

The clue’s in the name. Public relations. How can you possibly have good relations if you deliberately forget people? It makes you a rude, ignorant ****hole. We’re in the business of relationships and passionately believe in how essential historical records are. We don’t generally get rid of anything unless we absolutely have to. It breaks our hearts to see things destroyed. But GDPR says people have got the right to be forgotten. So if you really want to cut off all ties then just please let us know and we’ll obliterate all references to you. What we can’t promise is we won’t ‘rediscover’ you as we must have ‘known’ each other at some point, so it’s possible our paths will cross again and if we’ve obliterated you then we probably won’t remember you asked to be obliterated.

For people who are in Outlook contacts, on email lists, we’re connected to on LinkedIn, Facebook, Twitter, Instagram, Snapchat…. we could go on forever. For those people, we’ll probably occasionally send you an email or private message just to stay in touch. Or there again, we might not. Depends how busy we are.

If you do ask to be forgotten then remember it’s only things we 100% control that we can do that with. So if we’ve got interactions via third party services such as PayPal then it’s not our job to sort that out. We also can’t forget financial stuff as the tax woman says we’ve got to keep those records for six years and we don’t want to end up in prison, just to satisfy your paranoid right to be forgotten.

Lawful grounds for processing

Dead easy this one. So me and my family aren’t homeless and don’t starve. In other words everything I ever do with your data is because I believe it’s absolutely necessary for my business to function and even grow.

Have we missed anything?

Yes, probably we have. We’re doing our best to be a good GDPR compliant business, but the legislation really wasn’t designed for small and micro-businesses. We’re just getting screwed because the big boys and girls like mobile phone networks, social network services and banks couldn’t get their act together and too often shafted their own customers. If you spot something we’ve missed then please let us know (preferably privately and politely) and we’ll see what we can do to fix it.

Last updated on 23 July 2020. The previous update was on 2 September 2018. First published on Thursday 17 May 2018.
