If I owned a Koenigsegg CCXR Trevita (worth > $4M) and you borrowed it, I’d expect you to treat it right. Please don’t crash it into a tree, certainly don’t leave it unlocked, and absolutely don’t scratch it with a buggy.


What if I did own that car and I lent it to you, but then something bad happened that wasn’t 100% your fault.

If I lent it to you and I went on vacation for a week, would you lend it to someone else? What if they then lend it on again and it’s that person who scratches it with a buggy? Who is ultimately responsible to me?

What if one your teenage kids finds the keys and takes it out for a spin, or what if you did leave it unlocked and someone stole it? Who is responsible in this instance?

Well, you, you and you again – if I lend you my car, then you have to treat it well. I expect you to understand that the responsibility for keeping the car safe passes along with the car. If you lent it to someone else or your children find the keys or it gets stolen because you left it unlocked, then it is you who has the responsibility back to me as I couldn’t have expected you to have made those poor decisions that allows someone else to break, lose, or steal it.

I use this analogy in presentations to help explain the background of so many new regulations being published around data privacy, such as the GDPR for EU citizens. In almost every jurisdiction worldwide there are new laws coming into force and the basis of many of them is just like the car:

  • The user owns their own data
  • If you are given it, it is only ever as a loan, they can demand it back (data deletion)
  • Treat it with respect, control what happens to it (log data movement)
  • Keep it safe in every way that you can (implementing security controls)
  • Don’t give it to others without thinking about it (subcontractors, unapproved cloud services etc.)
  • If you are passing it to someone else, make sure that they understand its value (train your employees as well as ensuring 3rd parties and cloud services safeguard the data)
  • Don’t leave the keys hanging around (encrypt the data, preferably keeping your keys on your premise)

The European Union GDPR: An Action Guide for IT

This ebook explores the 10 major aspects of the law, provides a GDPR action guide, and a path to implementing your plan.

Download Now

There have been many cases of medical data and personal information on children being lost. You can reissue a lost credit card number, but some data is especially sensitive. For example you can’t change your blood type and if that data is lost, it can’t be changed. I’ve got a normal car, not a Koenigsegg obviously, but I think that my own data and that of my family is more precious that a lump of metal that moves us around.

We should treat all data on our customers, suppliers, prospects and employees as if each record is a $4M supercar, then we have the right framework to keep data safe and complying with regulations and laws will be much easier too.