Advisory Board Report - December 2017
With less than half a year until GDPR is a must, it’s essential organisations assess their data protection policies and ensure they’re taking relevant action to meet new legal requirements that will be law on 25 May 2018.
The ICO has indicated that fines for GDPR non-compliance will be severe: 4% of global annual turnover or €20 million, whichever is higher. In 2018, data protection needs to be prioritised.
Over the next six months the GDPR Advisory Board will be providing ‘simple, non-jargon’ reports to help organisations through the process of becoming compliant: simple steps to take to edge towards GDPR conformity. In the meantime, the ICO has produced a 12-step guide which is useful for those trying to understand GDPR and what it means.
This month, our GDPR Advisory Board members reflect on the GDPR and its importance from their own perspectives. The GDPR Advisory Board consists of members who are actively immersed in GDPR on a day-to-day basis. As industry authorities in their own right, their thoughts and comments provide an insight into the beliefs of those closest to this hot topic.
Professor David Stupples, GDPR Academic
“The application of the legislation for GDPR is almost upon us and there seems already to be an element of complacency surrounding the topic with most company boards moving it to the back burner.
Events this year have demonstrated that the legislation is long overdue and it must be taken seriously in order to prevent confidential and private data getting into the wrong hands.
Furthermore, the penalties for non-compliance are seriously high and therefore senior management should now start to focus.”
Nick Richards, GDPR training expert
“Quite simply Data Protection legislation required updating to bring it into the 21st century - the current law was never developed to handle the issues that the modern world now has to deal with. Something was required to better protect individuals’ data - the GDPR strives to achieve this.
The effect of GDPR at the moment appears to be a landscape of confusion and opportunity in equal measures! As regards its impact in the long term, I think time will tell – poorly handled data breaches that lead to heavy and unwanted publicity may be required to push organisations into compliance.
Ultimately, however much hard work is involved in achieving GDPR, I believe the impact will be incredibly positive for the individual. We shall see.”
Piers Clayden, GDPR legal expert
“The GDPR represents the biggest change in data protection law in the last 20 years. The consequences for non-compliance are severe – whilst the potential level of fines has been widely reported, I believe that for most organisations in the UK, the bigger risk from non-compliance is going to come from damage to reputation and the increased ability for individuals to launch damages claims.
For those organisations that currently conduct themselves in accordance with good privacy practice and with a strong information governance culture, the impact of GDPR is likely to be relatively light.
However, for organisations that have only ever paid lip service to their data protection obligations, they are likely to find that compliance will require a big investment in terms of time, money and resource.”
Alfred Rolington, GDPR academic
“GDPR applies to all organisations that control or process data within the EU as well as those that control or process data related to EU residents. This means that, while GDPR is rooted in the EU, organisations in the US that handle data from EU residents have to engage and take security checks, and they will be affected as much as EU businesses.
Businesses will be required to maintain a data breach detection plan, regularly evaluate the effectiveness of security practices, and keep documentary evidence of their compliance with these rules.
However, GDPR doesn’t provide specific technical direction, which leaves room for security issues that the business must be responsible for.
This means that organisations will be independently responsible for establishing and maintaining the best practices needed to uphold the outlined data security requirements, and often they will need independent advice to assist the business’s directors and certainly their IT management and staff.”
What basic steps should I be taking now?
Establish who in your organisation is going to take charge and ‘ownership’ of GDPR - if you employ over 250 people you’ll need to appoint a Data Protection Officer (DPO). If you’re a small business, it might be you.
Audit your data – understand what you use, what you store and how you manage it. This is at the heart of GDPR.
Get planning – by understanding what you need to achieve you can start to plan effectively. As you make your plans, keep in mind the following elements that will help ensure you’re in the GDPR ‘spirit’ and making sincere efforts to meet compliance:
1. Documentation: being compliant is only the start; you need to be able to prove it. Make sure you can document your data lifecycle (and make sure doing so is not a massively time-consuming job!)
2. Impact assessments: GDPR also requires you to mitigate the effect of data breaches by understanding what their effect (on both customers and your business) might be, through Data Privacy Impact Assessments (DPIAs). It’s a useful form of preparedness, so demonstrate some commitment to understanding impacts before a crisis actually happens.
3. First response: data breaches are going to happen, and the regulators know it. What matters is how well you respond - the GDPR demands that breaches are reported within 72 hours, so get your crisis plan in place and rehearse it if you need to.
For further information or questions please email email@example.com and a member of the board will respond as soon as possible. For GDPR training solutions please visit www.melearning.co.uk/gdpr. For legal assistance please visit www.claydenlaw.co.uk