The Wider Impact of Engaging with GDPR

Published on: 7th January 2019

The ICO's desire to change attitudes and culture around data protection has been at the heart of the UK's embrace of GDPR and the ICO's Chief Exec, Elizabeth Denham, has been quoted on numerous occasions confirming this desire for business transformation. We've started to see signs that the culture shift and impact is proving more radical and far-reaching than most people expected or appreciated.

Uncovering the Skeletons

All advice on how to implement GDPR points to starting out with an audit. It sounds simple enough: check what personal data you have, where and why you have it and who has access. Easy enough to say, but actually it is revealing lots of variation across different organisations. Some are neat and tidy, with just a small number of devices and stores of data that are just used by one or two people. The vast majority of us are far more complicated however, dealing with legacy systems, "bring your own device", mobile and remote access, cloud services, portable storage, and so on.  Plus most businesses have had staff turnover, partners and suppliers change, systems updated, services altered and regular updates to the systems and devices that hold their personal data. Few of these transitions are fully managed or have taken into account the impact on the data stored, or the data left behind in the transformation.

By carrying out the audit (and we recommend taking a warts and all approach to being honest about the complicated systems in an organisation) businesses are finding that they've more to deal with than they first thought. Even sole traders can find they've a half a dozen legacy or uncontrolled systems that have personal data on them that need to be checked and cleaned up.  USB drives seem to be a common contender for unsecured personal data. (A shocking report from 2016 suggested 78% of second hand drives bought from eBay and Craigslist contained previous users' data. Securely and completely deleting unwanted information from these devices will probably be a challenge that many small businesses will face.

Training Programmes and Education

In addition to the complexity shown up through auditing of devices, it's also been interesting to hear about the amount of education and learning that's been going on too. People are realising they need to know more about the right approach to data management and data security. In particular the training of staff in good practice and updating protocols for allowing access to data has emerged as a big theme in the last few weeks. Sometimes this is self-directed with individuals researching and educating themselves, and we're also seeing increasing corporate education and advice programmes springing up too.

Changing Work Responsibilities

The fact that the business owner is primarly in the frame for any investigation when there is no other nominated Data Protection Officer or designated person with data protection responsibility has meant that many employees are reporting that they're being handed "GDPR" as an additional responsibility by their boss, and are being expected to find out what's involved for themselves. This has led to many full GDPR training courses and webinars, as well as the download of free resources, and searches for guides and online forum advice. It's also seen the ICO inundated with requests for clarification and explanation which have resulted in further guidance notes on their website FAQs pages.

Competitive Business Advantage

On top of the devices and people, we are hearing a lot of people talking about the networks of relationships they have with other businesses, and what to do to make sure that they're GDPR compliant too. We knew that at a certain point GDPR compliance would be a commercial advantage for small businesses (as well as a necessity) and we've now seen this emerge already. Finding businesses to work with who are GDPR aware and compliant and who can help small business spot the gaps in their compliance is now becoming a service request in itself. Small businesses are recognising that the impact is wider than getting reconsent for their marketing list, and are seeking out partners and advisors who can take a more rounded view of their business as part of this GDPR compliance process.

It's going to be interesting to see how these themes mature over the coming months, and what impact there will be from businesses receiving their first Subject Access Request or dealing with their first "GDPR-era" data breach. We'll be watching with interest.


PYXI GDPR Team: 7th Jan 2019 10:16:00