5 hidden GDPR minefields you might have overlooked

Managing Director

Fav thing about the office

Good banter

As a child I wanted to be a ... when I grew up


Guilty Pleasure(s)

Strictly come dancing

Favourite Holiday


If I had a superpower it would be...

Mind Reading

Describe yourself in three words or less

Methodical, Energetic, Reliable

An interesting fact about me

Started “Work” life as an opera singer


Horse riding, fillet steak and a good curry

Favourite Band

…into Classical Music

Karaoke Jam

Desperado- The Eagles

What I do at Q2Q:

My role is to provide the overall direction and “eye on the compass” as to where we, as a team, are heading.

I’m still very much focused on the customer and will often get involved in customer solution discussions. As a techie at heart, I’m regularly seeking to understand industry developments and directional changes that may affect our customers, so we and our customers can remain on the front foot.

Background and Achievements

I started out in an I.T technical department of what was then British Rail, following which I joined a large construction company to re-organise their I.T infrastructure.

I then spent a couple of years as a business systems analyst at P&O Nedlloyd designing, developing and implementing systems within their Bulk and Tank Carrier companies.

In 1999 I was appointed as I.T Manager of SockShop and subsequently as of Head of I.T. at the Tulchan Group, comprising then of 300 stores. Due to a Year 2000 compliance issue, we were required to seek an alternative system, which we were able to more cost effectively write ourselves. This product subsequently became known as RAWHIDE and we later sold this product into a number of other businesses. At the time it was quite cutting edge as all the warehouse function was undertaken using handheld, wireless scanners, rather than the batch scanners that were dominant at the time.

In 2003 The Tulchan Group was acquired by Harris Watson. We were then asked to take responsibility for the I.T. of Viyella Ladies wear and in 2004 the demands of two MD’s and two FD’s (Tulchan Group + Viyella), resulted in the sensible decision to break out of the group and Q2Q was born. This then enabled us to also get involved with a number of other group companies (Harris Watson owned companies) as well as other non-group parties.  At one stage we were managing the I.T for almost 500 stores across a number of businesses.

Today Q2Q retains some of the group customers that we acquired along the way, as well as a substantial number of new and diverse customers in almost all industries including accounting, business development organisations, legal marketing, medical, retail and wholesale.

Hobbies and Interests

Horse riding, running (Jogging), motorbikes, reading any of the Detective Rebus stories.

As more and more SMEs begin to realise the importance of getting a head-start on GDPR compliance, we’ve been out and about helping them understand where changes need to be made in their personal data processing.

Of course, every company is different – no two organisations handle data in identical ways and processes differ considerably from sector to sector. The steps to achieving compliance for a marketing agency will vary from those required by a legal firm, for example.

However, through delivering GDPR workshops tailored to a large number of different businesses we’ve noticed a few common regulation-breaching activities that are frequently being overlooked. And when we’ve flagged these up, they’ve all been met with the same response: “I didn’t think about that!”

So, to help ensure you do think about them and don’t fall victim to the same accidental oversights, here are our top five GDPR minefields you might have overlooked:

1.       Visitor books

Often located in the reception and within easy access of the main door to the office, the visitor book is packed full of personal data such as full names, contact details and vehicle registration numbers. In busy offices with lots of people coming and going, it’s easier than you might think for records like these to go ‘missing’. And depending on how frequently you host guests and how quickly your book fills up, you could be holding data for months, during which time it could easily become inaccurate and out of date – directly breaking one of the 6 data processing principles.

2.       Shared passwords

We all know the advice: don’t use the same password for multiple accounts because if one gets hacked, it’s likely that they all will be. Admittedly, it is easier to have one all-encompassing combination – particularly within a business – but it can be a risky move, especially if it’s written down somewhere. One of the rules of the GDPR is that adequate protection of personal data is in place and can be proven, so an updated password policy should definitely be on your compliance checklist.

3.       Job applications

Once a vacancy has been filled in a business, the focus turns to ensuring the new recruit is settling in and getting to grips with their role. But what happens to all the CVs from unsuccessful applicants that you had pouring into your inbox? Personal data can only be held for the duration it’s needed under the GDPR, so – unless you have an individual’s consent that you can retain their details for future positions – you need to be careful not to store it for longer than necessary.

4.       Little black books

(The business kind, of course!) Many companies have a ‘little black book’ of sorts, where the most secretive data – such as credit card details and bank numbers – is recorded for easy access to those who need it frequently. And while such a practice might seem like a harmless timesaver, what if that record fell into the wrong hands? Taking note of the data you store in this way and carefully assessing the safeguarding measures you have in place is crucial.

5.       Marketing lists

It’s more than likely that your marketing database is going to need some kind of GDPR-proofing before 25 May 2018 arrives. The way that you obtain consent for a potential customer to be added to your email list, for example, will probably need to be altered as the new rules require an explicit ‘opt in’ from the individual – no more sneaky check-boxes allowed! Along with ensuring you have permission for personal data to be stored, keeping your distribution lists up-to-date and accurate is similarly crucial – forget to remove unsubscribers at your peril…

These are just a few things you might need to take a closer look at in your own business, but this list by no means covers the extent of what you need to consider. No matter how far along you are in your journey to compliance, failing to cover standard data processing practices like these could result in a letter/call/email from the Information Commissioner’s Office that you really don’t want to receive!


To find out more about how to get your personal data processes in tip-top, GDPR-compliant shape, just give us a shout!

5 hidden GDPR minefields you might have overlooked