It is the easiest excuse on the books right now. You want to do that…I am sorry data protection law prohibits it. Somethings are truly not allowed under data protection law, but sometimes people just use this as an excuse that they assume very few people can argue against. They just want to say “No”, it has nothing to do with data protection.


As a data protection consultant, it is my job to find a data protection compliant way to do things. Whether it be sending emails to clients, checking in visitors at the front desk, logging access by employees to certain files, or a thousand other things that happen every day in a company, my job is to direct companies in finding ways to do these tasks in accordance with data protection law.

Of course, some things are inherently risky and should probably not be done at all, but this is a rare case. Sometimes there are also cases where the road to compliance is difficult and cumbersome, but the GDPR was not created to halt life, but to protect our data and how it is used.

Maybe you are wondering why I decided to write a blog article on such a topic…well it comes from someone (possibly inadvertently) telling me, who knows a little about data protection law, that something is prohibited by data protection law, when I know for a fact that it is not. This happens more often than I would like and I feel like the GDPR and its protections are being used as a scape goat to say “No” without actually saying, “I just don’t want to do that.”


However, maybe it is also the thought of many, that data protection law regulates an immense amount of our daily activities, so much so that people do not know what exactly is prohibited. This is then exacerbated by the fact that people hear, all the time, someone, they trust or believe to be knowledgeable, saying “data protection law does not allow us to do THAT.”

I truly hope that the clients that I consult do not think that I come in to halt their daily activities but come to support them in protecting their employees, customers and vendors. I want to be a protector of personal data, a problem solver, not a naysayer blocking things that a company wants to do and blaming it on data protection law. Companies require the use of data to achieve their goals, I want to help them brainstorm ways to be compliant, protect personal data and complete the tasks that they require to do their jobs.