GDPR: What is it and is it time for Lean Data?

GDPR is a hot topic right now. But what is it? Why is it the cause of a lot of panic? Might it be the catalyst we need to revise our data strategy?

I love data (more than most people). If you’ve read this blog before you may have noticed. But maybe we need to cut back on an unhealthy addiction… Should we be trying Lean Data? What even is Lean Data?

What is GDPR?

The General Data Protection Regulation covers the following core themes:

  • Clearer responsibility and accountability for users’ data
  • Organisations need to show a lawful basis for collecting the data
  • Users must consent to have their data collected and used
  • Data must be securely stored (in the event of a breach a user’s data should remain anonymous)
  • Organisations should also be transparent and communicate any breaches to users

Putting more clauses in your End User License Agreement (EULA) is no longer an effective strategy. That puts all the power in the hands of organisations. It places all culpability on the users – for agreeing to use a service.

Dima Yarovinsky prints out the ‘terms of service’ of leading online services such as Facebook, Snapchat, Instagram and Tinder on standard A4-size rolls. The project aims to visualize how small and helpless users are against large corporations.

Transparency and care is the name of the game. Being open and honest in what data you are capturing and why. Making sure the users understand. Handling their data with care. Making every endeavour to protect their privacy.

Another surprise EU legislation, eh?

Actually, the GDPR was approved by the EU Parliament around two years ago (April 2016). This was after around four years of preparation and debate.

This is far from sprung on us. It’s just taken a while for everyone to realise how soon it’s coming and give it the priority it needs.

What happens if we don’t comply?

From 25th May 2018 onward, any organizations in non-compliance may face heavy fines. The potential fines are HUGE. A good reason to worry about being in compliance with the Regulation.

There will be two levels of fines:

  1. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.
  2. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.

In a company with a turnover of billions, those small percentages amount to hundreds of millions.

This may have worked in the past – the cost implications now are too scary to ignore though

Is user data a bad thing then?

In and of itself, data is neither good nor bad. What matters is how it is collected, stored, and used.

Data can be a force for good
Think Netflix, Spotify, or Amazon recommendations. Think Google maps or Waze traffic updates.
Data can also be a force for bad
Think Cambridge Analytica. Think of the regular data breaches of big organisations you read about online.

Have you ever checked if your details have been compromised?

Look up your email address on have I been pwned to find out.

Good or bad … data can be both (as can the organisations that use it)

Big data – THE FUTURE

Big data has been seen as the holy grail of direct and digital.

  • The more we know, the more we can target specific user types, groups, and individuals.
  • The more we measure the smarter we can be.
  • The more we capture, the better we can understand.

But is it really working out this way?

How much of the information is actually useful or used?

Do we have too much data and too much liability from it?

Hoarding data: Time for a spring clean?

Each time we move to a new system, we migrate the existing customer data. Much of it is out of date or incomplete.

We hate to throw anything out. So along it comes – like the box in the attic that you last opened three houses ago.

Illustration by Rory Walker.

Hands up if you have a spreadsheet with data exported from a system at some point in the past?

A stack of out-of-date CVs tucked away in a folder?

A product list from yesteryear?

Do we need to stop hoarding everything and have a clear out? Think of it like that power adapter for a camcorder or mobile phone you had in the late nineties. Will it ever be useful again or is it just clutter now?

Use it or lose it

We’ve spent so much time and effort to collect this data. To house it for so long. To migrate it from system to system. It’s a painful thought to throw any of it out.

But we need to be asking ourselves:

  • What is its purpose?
  • What are we doing with it now?
  • What are we going to do with it?
  • When was it last checked?
  • Is it useful?

If we can’t give good answers to most of those questions, is the data going to be worth the liability?

Scorched Earth: The safest option?

Many organizations are going for a scorched earth policy. They’ve made the decision that they are safer to start with a clean database. That deleting everything is preferable to preserving the useful data.

Doing this avoids the risk. It saves them the time and complication of trying to work out what is and isn’t safe to keep.

Scorched Earth. Illustration by Rory Walker.

Implied Acceptance: The easy option?

You’ve likely received many emails on this subject lately. They tend to go for a simple, “we’ve updated our user policy, you can read about the changes here…” These are the basic option – implied acceptance. You’ve been informed. You have the option to follow a link and cancel your account / update preferences if you choose.

If you do nothing, then the implication is that you agree.

This is much like the policy many companies ended up taking when the EU cookie legislation came in.

We barely notice the little disclaimers that pop up on our first visit to a site. We quickly close them. Or they disappear once we’ve clicked any link. Because doing so implies our acceptance.

Ask users to update their records: The best option?

Is this an opportunity to turn our fuzzy dangerous user data back into something useful? By sending out emails we can achieve one thing immediately. Any bounce backs are invalid email addresses. This immediately helps us discard a lot of obsolete records.

We could also provide a link to allow the users to update their contact preferences.

An example of a direct call to action. Asking the users to update their preferences. Making this about the user and their needs.

This immediately updates a lot of fuzzy records. Turning them into a smaller but accurate set of marketable user records. These are records we know 100% are valid and can be contacted in the future.

A smaller set of accurate records you can trust and use is preferable to starting over. It’s also preferable to keeping a larger list of dubious records we might get a hefty fine for contacting.

Lean data: Catch only what you need

All this helps tidy up the mess of the past. But what about the future? How can we be better prepared to avoid a repeat in the future?

Sustainable Data. Illustration by Rory Walker.

Should we also be more selective on what we capture in the future? Collecting only the snippets we know we will use? Ditching the existing kitchen-sink approach?

Think line fishing over trawler fishing.

Think sustainable data.

Think Lean Data.

Thank you for reading

You reached the end. Thank you for persevering. Let me know if you found this article useful and want to read more pieces like this.

My thanks to Rory Walker for contributing an illustration. It’s the first of a set he’s agreed to produce. So look forward to seeing more of his work in upcoming articles. You can see more of his work at