Weirdo Logo
Co-creator login

How to build a creative business on sensitive personal data

September 11, 2020
Michelle Yeadon

Data protection wasn’t an easy box for us to tick.

When you’re starting a new creative agency there are lots of things to do and data protection might be low on the list. Typically you need to have usage terms and a privacy policy on your website. And you probably want some rigour behind it in the form of a data protection policy that you use internally. But if there are only two of you, things might be a little basic to start with. And what personal data would you be dealing with anyway?

But things are different for us. Our business model is new and it relies on collecting personal data about individuals so we can involve them in creative workshops. Before we can deliver our services, we need personal data, lots of it, and much of it is very sensitive.

We’re going beyond asking people for their name and email address. And this isn’t just A/S/L either - pardon the late 90s internet reference. We want to know some pretty hard-edged information - your ethnic background, sexual orientation, religious affiliation, whether you have any disabilities. We ask for softer data as well - like a description of your creativity and recent work examples. We want to build diverse creative teams within a brand’s audience to deliver truly unique, culturally-relevant and effective ideas. So we craft our teams with diversity as the priority.

In order to launch our business, we had to start with data protection and privacy, which is why one of our first conversations was with Susie Ewing of Seven Seven Associates. She specialises in legal matters for the creative industries and worked collaboratively with us to put data protection at the core of our business.

Five principles guided our choices: 1) Minimisation 2) Accessibility 3) Control 4) Security and 5) Sustainability.


Data minimisation is a tenet of the GDPR. We shouldn’t be asking for things we don’t need, but actually we need to know a lot in order for our business model to work. We want to welcome full and real people into a group where they feel seen, heard and comfortable. It seems natural that we should therefore provide as many possible options in our gender drop-down list, for example to cover non-binary or gender fluid participants. But there’s a reason we don’t - we need a sense of the characteristics of our potential participants, not the specific characteristics. In order to practice minimisation, we provide options that allow people to identify themselves with as much detail as we need and no more. And we do this fully aware of the limits of data - it goes without saying that people are far more complex than any form can capture.

We do this fully aware of the limits of data - it goes without saying that people are far more complex than any form can capture.


We ask for a lot of things, and only we know how the business model works and all the internal processes we will go through to plan and run a creative workshop. In many cases, our workshop participants won’t have a background working in marketing or advertising, which is part of why their contribution is so valuable. It’s important that we provide a transparent view into why we are asking for things. With every data point we request, we explain why we need it. We also explain why we’re asking for so little information - see our approach to Minimisation above.


Anyone who shares their data with us gives us explicit consent to have it and use it to run workshops. Every person does and should have the right to request access to their personal data and to edit or delete it. We have a detailed process in place for handling requests like this as quickly as we can. We’ve chosen to have a portal on our website where individuals can manage their own data. Additionally, when people supply their information to us, we make it easy for them to choose what they want to share and what they don’t.


We have a duty to keep personal data secure. We have a full impact assessment process that we have gone through for our launch and will conduct for every single workshop project we plan. We’ve created a data storage process around projects that will enable us to pseudonymise and anonymise personal data as soon as we can. 


All of these processes shouldn’t just be built for now. Everything we put in place needs to be sustainable when we have the data of thousands of individuals, when we have a team that is more than just us two, and when the personal data we hold starts to age. We’ve done the preparation already - creating all the recommended data protection policies and onboarding documents for new staff members and creating all the database functionality to manage data (including removing it when it gets out of date).

We believe that more businesses should embrace diversity in their creative process, so courtesy of Susie, we want to make the framework for data protection available to anyone who wants to follow in our footsteps.


1. Process flow chart

2. Document framework

We want to keep the conversation going and we’ll be posting updates as we test our approach. In the meantime, if you’d like to find out more about what we, so don’t hesitate to get in touch. We’re always ready to chat.

October 6, 2020


Resources, research and news.
For more follow on Instagram.
All articles
All rights reserved. © Weirdo Limited 2020.