Data protection¶

A tall wooden filing cabinet secured with a heavy padlock. The padlock is open. The key is in it. The top drawer is labelled MEMBER RECORDS — CONFIDENTIAL and has been left slightly ajar. A phoenix is roosting on top of the cabinet, glowing faintly. Nobody has noticed.

200,000 people chose to support this organisation. They gave their name, their address, their email, their bank details for a direct debit, and in some cases their personal circumstances. They did this because they trust the mission.

The GDPR exists to make that trust a legal obligation rather than just a moral one. An organisation of this size, holding this kind of data, has real obligations: to process data lawfully and transparently, to keep it accurate, to limit who can access it, to protect it appropriately, and to be able to demonstrate all of the above.

This section is not a legal guide. It is a practical map of the data protection work that intersects with the security architecture role: what data exists, where it lives, how it is protected, what happens when something goes wrong, and how cloud data residency fits into the picture.

The obligation is to the 200,000. Everything else follows from that.

GDPR obligations in practice
Data residency
Incident response