I Wasn't Tracking an FADP Exposure. The Strategic Council Was.
Listen to this article
Read by Coach Nigel Casey ยท 6 min read audio
I Wasn't Tracking an FADP Exposure. The Strategic Council Was.
The Strategic Council is the five-advisor panel I built into my own decision instrument before I productised it on MyBusinessAccelerator.io. Five independent perspectives, a Red Team whose schema-level mandate is to disagree, and a Chairman synthesis at the end. Friday's post will go inside the Council itself. This post is about the night I pointed it at my own business and it gave me a piece of news.
The Margin Advisor and the Operator agreed on something I had not been tracking. I was keeping raw learner voice recordings indefinitely in production storage. Every assessment, every clinic recording, every Sophie practice session had quietly left an audio file behind. It had felt routine. It had been routine for months. Nobody had complained. There was no incident.
Then the Council surfaced it.
The constraint.
The Swiss Federal Act on Data Protection does not name "audio recordings" specifically. What it names is the principle of proportionality (Art. 6) and the duty of transparency on retention (Art. 19). Together, those mean you cannot keep personal data longer than you need it for the stated purpose, and you have to be able to tell the data subject what you keep and for how long.
Raw audio of a learner's voice is personal data. It carries biometric content. Once the assessment has been scored and the transcript exists, the raw audio's purpose is done. Keeping it indefinitely is the textbook case of what proportionality forbids.
Doctor English PLS&C Sagl, the parent legal entity behind EFO, is the data controller. The obligation is mine, not the storage vendor's. The vendor's storage tier is happy to hold the audio forever at a few cents a month. The legal exposure scaled silently in the background while the cost stayed invisible.
This is the failure mode the Council exists to catch. Risks that nobody is paid to track, and that no incident has surfaced, sit in the blind spot until something goes wrong.
The decision.
The fix had to be structural, not operational. I am not going to remember to manually delete audio files every week. No founder is. The discipline has to live in code, not in human attention.
A nightly server agent in the data-protection cluster. Scoped to the relevant storage area so it cannot touch anything else. With a tunable retention window so the legal team (presently me) can move the threshold without rewriting anything. A daily audit trail of what was deleted, so a future auditor can verify the regime was operating.
Two alternatives I rejected.
First, deleting audio inline at the end of each assessment session. Tempting, because the deletion would happen the moment the transcript existed. Rejected because it couples the discharge of a legal obligation to the success path of a session. If anything fails mid-session, the audio survives. The nightly agent is decoupled from session success, which is the property the obligation actually needs.
Second, a storage-vendor lifecycle rule. Cleaner in principle. Rejected because the vendor's lifecycle rules did not give me the scoping precision I needed, and did not write to my own audit trail. The nightly agent is wordier, but its discipline is visible inside the system rather than buried in a vendor dashboard.
The transcript stays. Once the speech-to-text step has produced the transcript, that transcript is the lifetime-of-account artefact. It is what the Assessment Score Production agent reads to assign the CEFR band. It is what feeds the learner's progress dashboard. It is what an auditor would inspect to verify pedagogical quality. The transcript carries no biometric content. The transcript stays. The audio goes.
What got built.
A nightly audit-and-purge job in the data-protection cluster. It runs without my attention. It removes raw assessment audio older than the retention window, and it writes a daily record of what it removed. If a single file resists deletion, the agent reports the failure and continues. The next night picks up whatever was missed.
What is structurally impossible after this build.
Raw assessment audio lingering past the retention window. A future audit asking "what is your retention regime for personal voice data" and receiving the answer "we kept it forever". A learner data-subject-access request returning audio that should have been deleted weeks ago.
The cost was two days of build time. The harder cost was the realisation that the Council had caught an exposure I was not measuring. There is no metric in any dashboard for "FADP retention drift". The Council surfaces the absence, not the breach. That is the part I underestimated when I first built the Council for my own use, and it is the part that made me decide to productise it.
Why this is in the report.
The agent that runs this job sits in the Data Protection and Compliance department of the AI team report. The architectural rule in that department is the same rule that runs across the operation. A server agent owns the discharge of the obligation. Nothing depends on a human remembering. Sophie's coaching audio and the Live Clinic recordings are owned by different agents in the same department, each with its own retention window suited to its own purpose. One agent per domain principle.
This is also the test of an AI advisory council. Not whether it tells you something interesting. Whether its output produces protective infrastructure. The data-protection cron exists because the Strategic Council surfaced what I was not tracking. Within days, the gap was structurally closed by code. The deck is forgotten by the end of the week. The code lives by itself every night.
Friday's post goes inside the Council itself. The eight-agent structure, the two-round flow, the Red Team schema mandate, what makes the output worth productising. The five advisors and the Red Team are documented in Section 04 of the team report at `nigelcasey.com/agent-team-report.html`. The cron from this post is one of the canonical examples of what the Council produces when you run it on yourself first.
Sell the council you use yourself. That is the whole motto. The Audio Purge agent is what proves the motto travels from the deck into the operation.
When the Strategic Council ran on my own business, it surfaced an FADP-aligned data-retention exposure I was not tracking. Raw learner voice recordings were sitting indefinitely in production storage against Art. 6 (proportionality) and Art. 19 (transparency). A nightly agent in the data-protection cluster now removes raw assessment audio past the retention window and writes a daily audit trail. The transcript stays. The raw audio goes. What started as a Council recommendation is now production code that discharges a legal obligation owed by the parent entity, every night, without my attention.
If you're running an SME and any of this looks like work you should be doing, that is the side of things I help with.
Language Analysis
Select a category above to highlight those words in the text.
Learning Materials
Key Vocabulary
A situation in which a person or organisation is at risk of harm, loss, or legal liability; the unprotected side of a risk.
โI was not tracking an FADP exposure.โ
To bring something hidden or unnoticed into view; in advisory work, to identify a risk that no one was actively monitoring.
โThen the Council surfaced it.โ
A legal principle requiring that an action be no more invasive or extensive than necessary for its stated purpose; central to European and Swiss data-protection law.
โKeeping it indefinitely is the textbook case of what proportionality forbids.โ
Under data protection law, the legal entity that decides why and how personal data is processed and bears the legal responsibility for that processing.
โDoctor English PLS&C Sagl is the data controller. The obligation is mine, not the storage vendor's.โ
Information derived from a person's physical or behavioural traits (voice, face, fingerprint) that can be used to identify them; treated as sensitive personal data.
โRaw voice carries biometric content.โ
An area, often metaphorical, that one cannot see or attend to; in management, a category of risk that no one is paid to monitor.
โRisks that nobody is paid to track sit in the blind spot until something goes wrong.โ
Built into the architecture rather than depending on routine human effort; a structural fix removes the need for someone to remember.
โThe fix had to be structural, not operational.โ
To separate two things that were previously connected, so that one no longer depends on the other; a common architectural move in reliable systems.
โThe nightly agent is decoupled from session success.โ
A chronological record of actions taken by a system or person, kept so that a later inspection can verify what happened.
โA daily audit trail of what was deleted, so a future auditor can verify the regime was operating.โ
The period of time during which a piece of data is kept before being deleted; in data protection, the boundary that must not be exceeded without a legal basis.
โA tunable retention window so the legal team can move the threshold without rewriting anything.โ
To carry out or fulfil a duty completely; in legal English, the formal verb for satisfying what is required.
โProduction code that discharges a legal obligation owed by the parent entity, every night.โ
Code, processes, or controls that exist to defend a business against risk and continue working after the strategy meeting that surfaced the risk is forgotten.
โWhether its output produces protective infrastructure.โ
To think that something is smaller, less important, or less valuable than it really is.
โThat is the part I underestimated when I first built the Council for my own use.โ
Under data protection law, the identifiable person whose personal data is being processed; the holder of the rights the law protects.
โYou have to be able to tell the data subject what you keep and for how long.โ
An example so clear and characteristic that it can be used to define the category it belongs to; the example you point at when you want to explain the rule.
โThe cron from this post is one of the canonical examples of what the Council produces.โ
Grammar Notes
A grammatically incomplete sentence used deliberately as a complete thought, typically at the climax of a paragraph. The fragment compresses the preceding setup into a single beat. Nigel's voice uses fragments as a rhythm device: short, declarative, often a single noun phrase or a verbless statement, dropped after a longer setup sentence to land the point. Functional British English usage; not an error.
Two short, grammatically identical sentences with opposite content, placed at the end of a paragraph or section. The structure compresses a binary decision into a memorable pair. The reader supplies the logical connection between the two halves. A Nigel-voice closing device, paired with the calibration anchor's two-step aphorism style ('Disagreement is the signal. Convergence is the noise.').
A relative clause reduced by deleting 'which is' and leaving the past participle to modify the noun directly. The construction is dense and formal, typical of legal and architectural writing. 'A legal obligation owed by the parent entity' is the reduced form of 'a legal obligation that is owed by the parent entity'. The reduction tightens the sentence without losing precision.
A short imperative sentence with an embedded reflexive clause functioning as a personal motto. The reflexive yourself is doing the load-bearing work: it asserts not just that the seller has used the product but that they continue to do so on their own decisions. As a positioning principle for consulting and productised expertise, it compresses an ethical commitment into one sentence. The same construction is used in the calibration anchor post, marking it as a recurring Nigel-voice device.
Comprehension Questions
- 1.Which two articles of the Swiss Federal Act on Data Protection does the post identify as the basis for the audio-retention obligation, and what does each one require?
- 2.Why does the post argue that the raw audio must be deleted while the transcript can be kept indefinitely? Refer to what is in each one and what it is used for.
- 3.The post describes two rejected alternatives (inline deletion at session end, and a storage-vendor lifecycle rule). Why does the author consider both of these inferior to a nightly server agent in the data-protection cluster, even though each had an apparent advantage?
- 4.What does the post mean by saying 'The Council surfaces the absence, not the breach', and why is that distinction important when assessing the value of an AI advisory council?
- 5.Apply this thinking to your own organisation. What is one category of risk where there is no metric in any dashboard, no incident report, and nobody on the team is currently paid to track it? What would the structural fix look like, and which obligation does it discharge that no human will reliably remember to discharge themselves?
Run your own diagnostic
Use the same Strategic Council I run my own decisions through. The assessment preview is free. The specific central human intelligence it is based on is verified in person during the call.
Start the free diagnostic โ