5 mins to read

This DPN represents the limited data processing activities that enable me to deliver my services as a consultant.

Who am I?

Legally speaking my name is Nathan Kinch. But I do my work through a ‘legal fiction’, a company called Greater Than X Pty Ltd.

If you’re asking, “Why is your URL Trustworthy by Design?” it’s because the focus of my work is just that. I seek to go beyond a focus on trust states and contribute to organising and operating structures that are trustworthy by design. If you want to get into the details of what that means and how we can achieve it, reach out!

Why does this site process data?

This site processes non-sensitive personal data in an attempt to:

1. Effectively communicate a commercial proposition I am offering

2. Enable anyone that is interested in said commercial proposition to contact me

I have deliberately minimised all data processing activities on this site. I’ve done the same for active workflows relating to my independent consulting services (once I’m working with a client).

To support the simplicity and minimalism of this approach, the lawful basis relied upon for these processing activies is contract: This is because I only process data:

1. When you’ve explicitly shown interest in working together (there’s intent to enter into a contract)

2. To deliver my consulting services as part of a formal engagement (we actually have a contract)

What data does this site process?

Most sites drop cookies and other tracking tech (small text files that may be stored on your devices i.e. “terminal equipment”), regardless of what they ‘disclose’. This is arguably a massive failure - in the context of privacy and related rights - of the client:server architecture of the web.

To limit this as much as possible I have switched off the Squarespace activity log (Squarespace is the content management system I use). I have also disabled cookies. This means non-essential cookies (note my commentary above…) are not ‘dropped’.

You can copy and paste this link into your preferred browser for a full breakdown of ‘essential’ versus ‘non-essential’ cookies in the world of
Squarespace: https://support.squarespace.com/hc/en-us/articles/360001264507#toc-analytics-and-performance-cookies

Please note, I disagree with their assessment of ‘essential’.

For more detail you can also copy and paste this link for an analysis of this site: https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fwww.trustworthyby.design%2F

Here’s another external report from The Markup’s Blacklight: https://themarkup.org/blacklight?url=www.trustworthyby.design

I also limit data processing by never using the analytics functions of Squarespace. Behavioural analysis isn’t part of any active workflow I engage in.

When you contact me, the form I’ve designed requires you to submit your email address and a message. You can choose to add your name if you’re comfortable and feel it helps. This data is sent to my email (ProtonMail). I then use the information you’ve submitted through the form to contact you back.

It’s noteworthy that, in the course of delivering a consulting engagement, I will very likely process additional data about you. This is covered in more detail in the next question as it relates to the tools being used to deliver a given service.

For the most part, however, I use the tools my clients prefer. This means I operate from within your secure environment wherever possible.

What tools do I use to enable my consulting and speaking services?

I use a simple suite of tools to deliver my consulting proposition. Namely:

1. Squarespace: This is the content management system that enables me to create, edit and host this site.

2. ProtonMail: This is the service I use for encrypted emails. Every non-project related email I receive is deleted after two weeks. Project related emails are retained as, putting it frankly, they may be needed down the track to justify certain decisions, actions etc.

3. Gsuite: This enables me to create spreadsheets, presentations and other simple outputs that support the consulting process.

4. Mural: This tool enables me to design and facilitate workshops and presentations. In almost all cases, I send a visitor link to clients. This enables them to access the Mural for a given activity with limited data processing activities on behalf of Mural itself.

5. Social Media: I use LinkedIn. This helps me communicate things that relate to my work. This can lead to people reaching out to me, discussions starting etc. When this is the case, I am technically processing data in the course of business activities. To keep this simple, I do not use the data from these platforms for any purpose other than attempting to understand your needs and proposing a way we might work together (if you’ve communicated explicit interest in doing so).

I use other services that help with accounting and banking. I also use a phone and the computer I created this site with.

As soon as any of this evolves I’ll update this notice.

Do I share this data with any other parties?

No. I deliver direct consulting engagements independently. I have no legitimate reason to share any data that you have shared with me in the course of our relationship.

This is slightly different when I’ve been asked by a partner to contribute to something. But as above, the goal is always to work within approved and decently secure environments of the clients’ choosing.

Do I conduct automated profiling or decision-making?

No.

How do I mitigate risks (i.e. data breaches)?

I’ve designed workflows that actively minimise the data I have the ability to access. This is one of the better mitigation tactics. In addition, I use various Identity and Access Management protocols (password management, at least two factors of authentication etc.) to limit unlawful access.

If a breach occurs, or is suspected to have occurred, I execute a process aligned to the OAIC’s Notifiable Data Breach Scheme. I:

1. Assess the incident

2. Mitigate the impact

3. Communicate with relevant stakeholders, and

4. Ensure any preventable weaknesses are improved as quickly as possible

Putting it simply, if I make a mistake, I will own the consequences.

What rights do you have?

Look, in simple terms, whatever you like.

Want me to delete any data I have ever processed about you? Totally cool. Happy to do it.

Want a copy of any data I hold in a machine readable format? As good as done.

Want to update an error about your information? As soon as you let me know it’ll be done.

Contact me directly and any of the above will be done within 72 hours.

This stuff will get easier over time. The architecture of the modern web has got to become more person centric and decentralised. Until then, I’ll work with you in any way that’s meaningful to you.

Oh, and if you aren’t happy with that I’m doing, please let me know first. If there are any other issues, please content the data protection or privacy authority in your region.