WATCH · Data, Security & Compliance_
Why I Refused to Hand Over ‘Your’ Data
Saleem Beg · Founder, Teque
● Posted 3 weeks ago
KEY TAKEAWAYS_
- Data belongs to the people it's about — controllers are custodians, not owners; custodianship is a legal liability sitting with the board
- A controller cannot instruct a processor to transfer data insecurely; the processor must refuse — and under UK GDPR, both carry independent legal obligations for the same breach
- 'We didn't know' is not a defence; the law requires you not just to comply, but to demonstrate that you comply — data governance is a fiduciary duty, not an IT problem
TRANSCRIPT_
"It's our data. Give it to us." I've heard that at least twice in the last 2 years, and both times the person saying it believed it was a complete argument. Well, it isn't. And here's why. The data is not yours. It belongs to the people it's about. Your clients, your employees, your donors.
You are not the owner, you are the custodian. And custodianship is not a privilege, it is a liability, a legal one. And that liability sits with your board, not your IT manager, not your software agency, yours.
So, when CEOs ask their IT team, "How do we get our data back from a departing supplier?" they get an IT answer. "Oh, zip it up, stick it on a USB drive, email it over, drop it on an FTP server." And I have been asked more than once to transfer client data by email, USB stick, unsecured FTP connection, and on one occasion even fax. My answer, every time, has been no. Not to obstruct, but because saying yes would have been a breach of my own statutory obligations as a data processor.
Under UK GDPR, both the controller and the processor carry independent legal obligations. A controller cannot instruct a processor to transfer data insecurely. The processor must refuse. The ICO confirmed this in a landmark ruling earlier this year and fined accordingly. The Capita fine last October was 14 million pounds, split across both the controller and the processor for the same breach. Both parties were separately liable.
"We didn't know" is not a defense. The law requires you not just to comply, but to be able to demonstrate that you comply. So, contrary to what you may have been led to believe, data governance is not an IT problem. It never was. It is a fiduciary duty, and it sits squarely with you.
“Data governance is not an IT problem. It is a fiduciary duty, and it sits squarely with you.”



