A society with members in sixty countries, a research project spanning four institutions, a conference with delegates from everywhere: academic data is international by default, and the regulatory map underneath it is not. UK GDPR is the floor, not the ceiling.
Where web estates trip
- Analytics and embeds. Third-party scripts ship visitor data abroad before the cookie banner finishes rendering. Self-host what you can and measure with consentless, aggregate tools where possible.
- Forms. Every form is a data flow. Know where submissions rest, who processes them, and under what agreement.
- Email platforms. Member mailing lists live in someone’s cloud; check whose, and under which transfer mechanism.
- Backups. A copy of the database is a copy of the personal data — retention rules apply to it too.
None of this requires fear; it requires an inventory. List the flows, name the processors, minimise what you collect, and prefer infrastructure in jurisdictions your members would expect. Privacy-conscious engineering is mostly the same thing as good engineering, done deliberately.
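An inventory starts with finding the flows, and the page itself is the cheapest place to look: every script, stylesheet, embed, image and form target tells you where a visitor's data goes. The following scanner is an added example, not code from the original article. It uses only the Python standard library; the sample page and every hostname in it are constructed placeholders on the reserved `.example` and `.test` domains, not real services.

```python
"""Discover outbound data flows in a page: third-party scripts, stylesheets and
fonts, embeds, images and form targets.

Added example, not code from the original article. Standard library only.
SAMPLE_HTML and every hostname in it are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute whose URL makes the browser (or a form submit) send data somewhere.
FLOW_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "link": "href",
    "form": "action",
}
# <link> rel values that trigger a fetch; others (e.g. canonical) do not.
FETCHING_RELS = {"stylesheet", "preload", "preconnect", "dns-prefetch", "icon"}


class FlowFinder(HTMLParser):
    """Collect one record per element that can move data off the page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.flows = []

    def _is_first_party(self, host):
        return host == self.site_host or host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        attr_name = FLOW_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        url = attrs.get(attr_name) or ""
        if not url and tag != "form":
            return  # a form with no action posts back to the current page
        host = urlparse(url).hostname
        if host is None:
            host = self.site_host  # relative (or empty) URL stays on the site
        host = host.lower()
        self.flows.append({
            "tag": tag,
            "url": url,
            "host": host,
            "third_party": not self._is_first_party(host),
        })


def scan_page(html, site_host):
    """Return every flow found in `html`, for a page served from `site_host`."""
    finder = FlowFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.flows


def third_party_hosts(flows):
    """Sorted, de-duplicated list of outside hosts that receive data from this page."""
    return sorted({f["host"] for f in flows if f["third_party"]})


# Constructed sample page: a society site with a font CDN, an analytics script,
# a video embed and a hosted form alongside its own first-party resources.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.example-cdn.test/css?family=Serif">
<link rel="canonical" href="https://society.example/join">
<script src="/static/app.js"></script>
<script src="//analytics.tracker.test/collect.js"></script>
</head><body>
<iframe src="https://video.embed.test/embed/123"></iframe>
<form action="https://forms.saas.test/submit" method="post"><input name="email"></form>
<form action="/contact" method="post"><input name="email"></form>
<img src="https://cdn.society.example/logo.png">
</body></html>"""

if __name__ == "__main__":
    found = scan_page(SAMPLE_HTML, "society.example")
    for f in found:
        mark = "THIRD-PARTY" if f["third_party"] else "first-party"
        print(f"{mark:12} {f['tag']:7} {f['host']}  {f['url']}")
    print("hosts to put on the inventory:", third_party_hosts(found))
```

Run it against a saved copy of each template or page type rather than every URL; a site with five templates has five sets of embeds. Protocol-relative URLs (`//host/...`) are counted as off-site, and subdomains of the site host are treated as first-party, which is the right default for a self-hosted CDN but worth checking if a subdomain is actually CNAMEd to a vendor.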
Mapping your flows in an afternoon
Take a sheet with four columns: what data, where it’s collected, where it rests, who processes it. Walk your estate: every form, every analytics script, every embed, the mailing platform, the CRM, the backups. Most organisations find ten to fifteen flows, of which two or three are surprises — usually an old form still posting to a retired service, or an embed shipping more than expected.
For each flow, note the lawful basis and the transfer mechanism if it leaves the UK or EEA. Where a processor is in the US, check for an adequacy-framework certification; where it isn’t certified, you need standard contractual clauses or a different processor.
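Once the four columns are filled in, the checks above are mechanical, so they can be coded and re-run whenever a flow is added. This is an added example, not tooling from the original article. The inventory, processor names and region labels are constructed placeholders; which mechanisms count as acceptable is an assumption taken from the article's own wording (adequacy-framework certification or standard contractual clauses) and should be adjusted to your own legal advice. A retention column is included as well, since the article treats retention as part of the same inventory.

```python
"""Audit a data-flow inventory for gaps in lawful basis, transfer mechanism
and retention.

Added example, not tooling from the original article. INVENTORY, the
processor names and the region labels are constructed placeholders.
ACCEPTED_MECHANISMS is an assumption based on the article's wording.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

HOME_REGIONS = {"UK", "EEA"}               # data resting here needs no transfer mechanism
ACCEPTED_MECHANISMS = {"adequacy", "scc"}  # assumption, see module docstring


@dataclass
class Flow:
    data: str                      # what data
    collected_at: str              # where it is collected (form, script, import)
    rests_in: str                  # region where it rests: "UK", "EEA", "US", ...
    processor: str                 # who processes it
    lawful_basis: str = ""         # e.g. "consent", "contract", "legitimate interests"
    transfer_mechanism: str = ""   # "", "adequacy" or "scc"
    retention_days: Optional[int] = None


def check_flow(flow: Flow) -> list[str]:
    """Return the gaps for one flow; an empty list means nothing to fix."""
    issues = []
    if not flow.lawful_basis:
        issues.append("no lawful basis recorded")
    if flow.rests_in not in HOME_REGIONS and flow.transfer_mechanism not in ACCEPTED_MECHANISMS:
        issues.append(f"rests in {flow.rests_in} without an accepted transfer mechanism")
    if flow.retention_days is None:
        issues.append("no retention period set")
    return issues


def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Map 'data @ collected_at' to its gaps, for the flows that have any."""
    report = {}
    for flow in flows:
        issues = check_flow(flow)
        if issues:
            report[f"{flow.data} @ {flow.collected_at}"] = issues
    return report


# Constructed inventory for a fictional learned society.
INVENTORY = [
    Flow("member email", "/join form", "US", "mailing platform (placeholder)",
         lawful_basis="contract", transfer_mechanism="adequacy", retention_days=730),
    Flow("visitor IP and page views", "analytics script", "US", "analytics vendor (placeholder)",
         lawful_basis="consent", retention_days=400),
    Flow("conference registration", "/conference/register", "EEA", "registration SaaS (placeholder)"),
    Flow("database backup", "nightly dump", "UK", "hosting provider (placeholder)",
         lawful_basis="contract", retention_days=90),
]

if __name__ == "__main__":
    for key, issues in audit(INVENTORY).items():
        print(key)
        for issue in issues:
            print("  -", issue)
```

The report is deliberately boring: one line per flow, one line per gap. In the constructed inventory the analytics script is the flow that leaves the UK/EEA with nothing behind it, and the conference form is the one nobody has written a lawful basis or a retention period for; those are the "two or three surprises" the afternoon is meant to surface.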
Sensible defaults for academic estates
- Collect less. Every field you don’t ask for is a field you never have to protect, export, or explain.
- Prefer EU/UK-resident infrastructure for member data; the conversations are simply shorter.
- Self-host fonts, media, and scripts — convenience embeds are data flows in disguise.
- Write retention into the calendar: forms purge, logs rotate, backups expire on schedule.
None of this needs a legal department on retainer. It needs the inventory, a few deliberate choices, and the habit of asking ‘where does this go?’ before anything new is added to a page.