Fantasy GDPR – Your new data protection regime

December 2020

130 people, battle-scarred data professionals all, chose to cry havoc and unleash the Dogs of Data by taking part in our epic Fantasy GDPR quiz. These gnarly heroes have told us who they’d like to spend lockdown with, put a data protection principle to the sword and crowned new lawful bases.

Songs will be sung of their deeds down the ages (but only by skalds and bards who’ve a legitimate interest to do so, having completed the appropriate balancing test).

You’re in COVID lockdown, only one person can join you – WHO would you pick?

.. And the winner is the Conan the Barbarian of Privacy, slayer of the EU-US Safe Harbor and Privacy Shield, the one and only… Max Schrems!

You‘ll see everyone’s favourite Canadian data protection wizard, Elizabeth Denham, came a close second.

(Poor Dido Harding came in last, which is a shame because I really liked her first album).

Which data protection principle is out?

We asked which data protection principle you’d most like to consign to a dungeon for eternity. In YOUR glittering new data protection regime, you can keep personal data FOR AS LONG AS YOU LIKE! That’s right, for eternity, or until you run out of server capacity.

(This caused much wailing and gnashing of teeth here at the DPN, as this leaves our extensive Data Retention Guidance somewhat redundant).

2% Lawful, fair, transparent
15% Purpose limitation
10% Data minimisation
6% Accuracy
31% Storage limitation (data retention)
0% Security and confidentiality
11% Accountability
25% All of them, I know a guy in Kazakhstan with a call centre, who can do it on the cheap

And as if to confirm the heroic decency of our data heroes, notice how few wanted to get rid of ‘Lawful, fair and Transparent’. Okay, so we’ve got a few rogues knocking about, but variety is the spice of life (etc) – a fair few of you wanted to outsource the whole thing to our dodgy mate in Kazakhstan.

Six lawful bases just weren’t enough, what are we adding?

A number of suggestions here, so we narrowed it down. Moving forward you’ll be able to process personal data lawfully under one of the following shiny new bases;

  • Kindness – processing personal data in the pursuit of acts of generosity and kindness
  • Rule of Mum – processing personal data because your mum said it was okay
  • Christmas – processing personal data for reasons of good festive cheer

(Whoever suggested “because we really REALLY want to” should be ashamed of themselves and gets to spend the next lockdown with Dido Harding).

Complicated words are ditched!


We asked what would you’d most like to ditch.

And by popular demand, the word pseudonymisation is henceforth scrapped.

Mainly because most of us struggle to spell it.



Favourite data protection tasks? 

Genuinely surprised subject access requests got any votes (you voted for Dido Harding too, didn’t you?).

Something else?

You’ve added a few … moving forward the DPO role will be expanded and officially include the routine tasks of saying ‘it depends’, ‘no you don’t need consent’ and ‘beating my head against wall while explaining lawful bases for the umpteenth time’.


Forget adequacy, SCCs and BCRs, we’ll get the data flowing ..

A hot topic at the moment so we asked: what’s the best way to handle international transfers?

19% Take it in a small boat under the cover of darkness
55% Just tell people in your privacy notice you absolutely do have adequate safeguards in place
7% Ask the dodgy guy you met down the pub to smuggle it through on his next overseas trip
12% Use a carrier pigeon
7% Steal a motorbike and head for the border with it hidden in your saddle bags

There was widespread agreement you simply need to tell people in your privacy notice that everything is okay – all hail the power of a hero’s sworn oath!

However, we notice the not inconsiderable number of adventurers among your ranks – preferring pigeons and dinghies as a way of transferring data.

Safe Harbor, Privacy Shield … what next?

As promised, we will be submitting your ideas to the European Commission (honest) for what any future EU-US data transfer agreement should be called. And the finalists are (drum roll) …

  • Cordon Sanitaire (a nice Francais flavour)
  • M.D.T.G.A. – Make Data Transfers Great Again
  • Data Armour (a little optimistic?)

Fantasy GDPR tells us what we already knew about you all – you’re heroic, kind and have an abundance of common sense. However, you aren’t so keen on DSARs or data retention. A fascinating set of results, I hope you’ll agree – and here’s to a brilliant 2021 to all of our friends, clients and readers!


Okay, back to the real-world.  If your data protection team is overstretched we can help. Find out more about our Privacy Manager Service