The shiny new GDPR privacy policy

First thing you need to know is this is a work in progress. It sets out the principles I – and I means both me (Stuart Bruce) and Marshway Projects Ltd (my company which trades as Stuart Bruce Associates) – try and abide by. Hopefully, they are all expressed here. But it’s possible I’ve forgotten some that I’ll add later. They are in as plain English as is possible. I’ve ditched my old ‘legalese’ privacy policy which won’t please the lawyers, but I want something that people can actually understand and where the sentiment is clear.

So what do you need to know?

We won’t share your data

Most important is probably that I don’t share your contact or personal data with any old Tom, Dick or Harriet. In fact I don’t share it with anyone outside my company. That’s two people. Me and my co-director, who is also my wife. That means your data is pretty safe with us as we’ll never sell or give it to any dodgy people, or even any non-dodgy people or companies. We might occasionally ‘use’ the data on behalf of other people, but we won’t let them get their grubby hands on it. For example, we’ll send you an email saying the Chartered Institute of Public Relations (example, because I’ve actually done this) is running the event and if you’d like to come then please reply to the CIPR directly. It means you get to decide which of your details you share so you can benefit from the opportunity I’ve told you about.

We don’t have regular need for a solicitor so don’t share any data with them. In fact, just about our only regular supplier we share any data with is our accountants Russell Smith Chartered Accountants. Russell and his team are as close to cool and brilliant as it’s possible for accountants to be, so they’ve dotted all the i’s and crossed all the t’s when it comes to security and privacy.

Very occasionally we’ll use a freelance or contractor to help with some of the work we’re doing. It should be obvious that we only use people who we think are good, so there’s really no reason to be concerned. And besides we only share ‘data’ that we definitely need to share in order to do the job. While they are working for us it’s just like it being shared with a normal employee.

The only time I can really conceive of sharing your data in a way that you wouldn’t like is if the cops or government come calling and demand to see it. I’m going to comply. Wouldn’t you?

Tools I use

Well this is a tricky one. Trying to think of and remember the various tools we use in everyday life. Most of Stuart Bruce Associates runs on Microsoft Office 365, which as far as I know has Rolls-Royce levels of security and GDPR compliance. For finance and accounts we use FreeAgent, which used to be a fantastic independent Scottish software company, but is now still fantastic, just owned by a big bank.

These are the tools we use (and therefore where your data might reside):

  • Microsoft Office 365 Business – Outlook, OneDrive, OneNote, Flow, Excel, PowerPoint, Word, Teams, To-Do, Planner, Sway.
  • FreeAgent – for accounts.
  • Zapier – to help automate and sync stuff.
  • IFTTT – to help automate and sync stuff.
  • Microsoft Flow – part of Office 365 so already mentioned, but worth mentioning separately as used for automation in similar way to Zapier, but with the added bonus of being Rolls-Royce levels of Microsoft safety.
  • Pipedrive – a CRM (contact relationship management) system.
  • PieSync – to sync contact data between Office 365 and Pipedrive, and hopefully at some point MailChimp, but I’ve still got to work out the GDPR workflow probably using Flow or Zapier.
  • Android – contact data is synced to Outlook on mobiles, which means Android then syncs it to the native contact app to make it all work properly.
  • Truecaller – an Android app that tells you who is calling, even if they aren’t one of your contacts. No idea how GDPR compliant it is, but it’s their data, not mine, and it’s essential as helps me to avoid all those “you’ve been in an accident” and “time to upgrade your mobile” calls.
  • Apps4.Pro.Planner – syncs Microsoft Planner tasks with Outlook.
  • WordPress – the company website and my personal blog both run on self-hosted WordPress. The host is Paragon Internet Group. There are obviously cookies (not the kind you eat) to track stuff like Google Analytics and in some of the third party plug-ins. I use the JetPack plug-in to provide a cookie opt-in bar, even though it’s fairly pointless as probably less than 1% of visitors care, but it’s the law so sorry for annoying you with it.
  • MalCare – protects all our websites.

I also have a MailChimp mailing list, which I very rarely use, but was ‘cleaned’ a week before the 25 May deadline. Just under 100 emails were ‘dead’, about 20 people unsubscribed, but the best bit was just under 20 people emailed me to say I’d sent one of the ‘best’ GDPR emails they’d received. I call that a result. Not that I really need ‘consent’ anyway as it’s all B2B communication to mainly [email protected] type email addresses, except for people who’ve chosen to use a personal email address, which is their prerogative. I use it for a NEWSletter. The clue’s in the name. NEWS, not marketing bull****. It’s mainly news and views about the future of modernised public relations, reputation management, public affairs and corporate communications. It’s never heavy sales or marketing stuff, so you won’t be getting any ‘Buy One Get One Free’ offers.

The part that I can’t control is some of the organisations and companies I link to – Twitter, Amazon etc. They’ll have their own privacy policy so if you follow those links, just be aware that their privacy and security policies will be different to mine.

Social media

It’s the 21st century folks so social media is essential to running a successful consultancy business (well actually pretty damned important for any business) so we’re using Twitter, Facebook, LinkedIn, Instagram, Snapchat, Pinterest… in fact I (Stuart) have an account on just about every platform going. I don’t use them all, all of the time, but need to keep my hand in so I can help my clients (and grow my business). That means if a shiny new thing launches chances are I’ll be an early adopter… and if most recent launches are anything to go by… an early dormant account as I’ll keep it open (to protect my user ID which is nearly always stuartbruce or stuartbrucepr), but won’t use it much. If you’re on any of these platforms I might try to connect and interact with you, because that’s the nice and professional thing to do. I won’t be offended if you don’t reciprocate (OK maybe a tiny bit offended).


We try to be as secure as possible. Every cloud service we use has a different secure password, controlled by a world-class password management system. And on most services we’ve activated two-factor authentication – this means having the password isn’t enough as you’ve also got to enter a second separate code that you get by text message or Microsoft Authenticator.

Laptops, tablets and mobiles are all password protected.

All of my websites are protected by MalCare.

Data we collect

Obviously we only collect personal data that’s essential to running the business and living life. And there’s the problem. The business is public RELATIONS. How the **** can you have good relations with someone or something if you deliberately forget stuff you know about them? It makes you a rude ****hole.

So rather than trying to answer the impossible question of what data, it’s probably better to understand why. It’s to help me be a better person and be a better public relations professional. I believe it’s negligent and incompetent not to use all of the knowledge you possess to do the very best you can.

On a practical level it means if you’ve been on a training course I’ve run and I discover you’re interested in something then I’ll try to make a note of it so if I spot anything about that topic I can send it to you, just to be helpful. I’ve got a memory like a sieve, so I don’t stand a chance of remembering it if I don’t make a note. The same applies if you’re a consultancy client and you mention over coffee that you’re interested in something, I’ll make a note in case I can help in future.

Knowing stuff like this also helps me with relationships. If somebody says “does anyone know someone who knows about/can help with……” I like to help and say “Yes, I know….. “, but I can’t do that unless I’ve made some notes and kept your data.

I also keep it because I’m quite hoping you might hire me in future to help you modernise or improve your public relations, public affairs and corporate communications. It’s kind of why I run a business. So I can feed, clothe and keep a roof over the head of myself and my family… and enjoy the occasional holiday. I’m hoping you don’t begrudge me that.

So I’m not going to give a definitive list of ‘what data’ as that will constantly change, but it includes all the obvious stuff – name, contact details, bank stuff if you’ve got to pay me or I’ve got to pay you, what services I’ve provided for you (even if it’s via a third party, because I’d be a bit of a **** and an incompetent fool if I couldn’t remember what I’d done for you).

There’s also this bit about ‘sensitive data’ which bizarrely includes politics and trade unions. Well frankly I’m baffled as to why they should be sensitive. I’m a disgruntled member of the UK Labour Party and have been for 30 years and remain one even though I think the current leadership is betraying and destroying the party. I’ve also been a member of Unite (but quit as its general secretary is ruining what was once a great trade union) and am just trying to decide which is the best union for me to belong to – Community, NUJ and Prospect are all attractive. I’m telling you this because I don’t think it’s sensitive at all and I WILL record this about you. Because it means we’ve got something in common, something to chat about over coffee, beer or wine. It’s what nice people do. They listen and take an interest in others. If that’s a problem for you, then I’ll happily delete it. But the problem with that is for lots of people I don’t know or can’t remember. If you ask me to delete it from my notes then one thing you can be certain of is it will suddenly be at the top of my mind so I will know and remember. Without a Men in Black style ray gun to erase my memory, there’s nothing either of us can do about that.

Transferring data

Another tricky one. We will never deliberately transfer your data outside of the EU and if outside the EU then all of our cloud providers are (as far as we are aware) GDPR compliant. However, I travel a lot. And that means all of the contacts on my mobile and laptop travel with me. That’s because I need to work when I’m overseas. If I didn’t do this I’d have to close my business. Then I’d be penniless and my family would starve (well maybe not starve, but you get the picture). So I’m going to keep doing this. But all my devices are very password protected by Windows 10, iOS and Microsoft Launcher on my mobile. That’s as good as it gets folks.

Forgetting you

This is the bit of GDPR that quite frankly baffles me. Why the heck would I ever want to forget people? Why would I want them to forget me? It’s insane. I don’t want to be forgotten and end up as a hermit.

The clue’s in the name of what I do. Public relations. How can you possibly have good relations if you deliberately forget people? It makes you a rude, ignorant ****hole. Since I’m in the business of relationships and passionately believe in how essential historical records are… I don’t generally get rid of anything unless I absolutely have to. It breaks my heart to see things destroyed. But GDPR says people have got the right to be forgotten. So if you really want to cut off all ties then just please let me know and I’ll obliterate all references to you. What I can’t promise is I won’t ‘rediscover’ you as we must have ‘known’ each other at some point, so it’s possible our paths will cross again and if I’ve obliterated you then I probably won’t remember you asked to be obliterated.

For people who are in my Outlook contacts, on my MailChimp list, I’m connected to on LinkedIn, Facebook, Twitter, Instagram, Snapchat…. I could go on for ever. For those people I’ll probably occasionally send you an email or private message just to stay in touch. Or there again, I might not. Depends how busy I am.

If you do ask to be forgotten then remember it’s only things I 100% control that I can do that with. So if we’ve got interactions via third party services such as PayPal then it’s not my job to sort that out. We also can’t forget financial stuff as the tax woman says we’ve got to keep those records for six years and I don’t want to end up in prison, just to satisfy your paranoid right to be forgotten.

Lawful grounds for processing

Dead easy this one. So me and my family aren’t homeless and don’t starve. In other words everything I ever do with your data is because I believe it’s absolutely necessary for my business to function and even grow.

Have I missed anything?

Yes, probably I have. I’m doing my best to be a good GDPR compliant business, but the legislation really wasn’t designed for small and micro-businesses, we’re just getting screwed because the big boys and girls like mobile phone networks, social network services and banks couldn’t get their act together and too often shafted their own customers. If you spot something I’ve missed then please let me know (preferably privately and politely) and I’ll see what I can do to fix it.

Last update on 2 September 2018. Previous update on 8 June 2018. First published on Thursday 17 May 2018.