
Despite GDPR coming into force last year in May, many businesses have failed to become fully compliant with the new regulations. We sat down with Jason King, GDPR Programme Manager, to discuss some of the pressing matters that came alongside the new laws.



I think a key is how you approached GDPR at the outset in terms of awareness and raising awareness. If people felt, or if the board felt, that the 25th of May was the end, then you’ve got a bit of an uphill struggle, which is trying to actually claw back some ground. The 25th of May was the start and, again, most organisations were actually able to share that with the board and say, look, we are getting ourselves to a position where we have to achieve a certain level of compliance and then demonstrate against it. So the key things to actually do are to try to keep privacy, so maybe GDPR is sort of overdone now. So privacy by design is the way you actually start thinking about data, thinking about different processes, different IT and the like. There are also things such as the budgets you’ve already set up as part of your DPO’s; they should be actively being worked and, again, they shouldn’t be dependent on getting sourced every year. There are things such as the need to build reports against breaches; breaches are far more visible now and we need to be a lot more transparent. A board, and particularly the senior management, need to still be aware of how many breaches there are, what they are like, are they notifiable? Compliance isn’t a given; legislation moves on. Legislation such as ePrivacy, which probably was overlooked a little bit because it wasn’t fully landed, needs to be woven back into GDPR: how does it affect our cookies, how does it affect our starts online and how are we consenting against both those items? If you think the job is done and if that’s been communicated to the board then, unfortunately, you’re going to have to go back and say we’ve got some more work here; this is the beginning of a journey, it’s not the end of the journey, and there’s a lot more work to be done.



So demonstrating compliance is a requirement now under GDPR; beforehand, people wrote policies and said, “Yes, we’ve got them”, and it was only when you had an event that people started to be tested. There are many factors now within the GDPR which say you need to be able to actually show that you do this; you can’t rely on the fact that you have a policy. A policy has to be written, you’ve got to train against it and you’ve got to check that people are actually following that policy, just as one example. A key thing which I think would work, within the data protection network within your organisation, the data privacy office, is to have set targets for evidence. Such as: do you have a mandate, has the mandate been provided to the data protection officer? Do you have a process in place for subject rights, breach management and many things such as that? There are a number of different frameworks out there; Nymity do a large one, which is a great approach. Now, I would balance between your organisation, the size of the organisation, your needs and what you actually do, or what you do with personal data. The trick is a regular cadence, getting evidence in place, making sure you’re updated and recognising that things will go out of date, and not refreshing everything but refreshing the stuff that is likely to be renewed.



So compliance as a differentiator is a great, great concept, but I think that you find that everyone has raised the bar; GDPR has meant that most organisations, or all of them, should have achieved a higher bar. So it’s great that organisations feel very proud of what they’ve achieved, but they have to be very careful that what they’ve achieved, the bar, is now the norm again. So if you are going to differentiate through privacy, the things you need to focus on are very strong governance, the board being involved, the board still being very engaged with privacy, wanting that differentiator. Transparency is another big area: if you’re uncomfortable sharing what you use personal data for, then maybe you shouldn’t necessarily consider yourself a differentiator in that area. Compliance is almost a given; if you don’t feel you’re compliant then, again, the areas you need to look at are the touch points. You’ve got privacy notices, you’ve got breach, you’ve got subject rights, contracts; all of these areas need to be really closely looked at to see if you are actually a differentiator in this area. The one thing which should be very clear to individuals within this new environment is, if you’re not achieving the minimum which people expect and, again, if you put yourself out there as being a differentiator, being sort of the leader in privacy, then you have to pretty much make sure you are. Otherwise, there will be plenty of data protection authorities who are going to come looking at your people.



The key is that data, and personal data, will continue to grow in its use. There’s so much value from using personal data, from knowing what customers like, what the patterns are, what the trends are with that data, that it’s always going to be used more. GDPR has raised the bar in terms of compliance, particularly around things such as secondary use and visibility around privacy notices, transparency and how you use personal data. You can’t be reactive anymore; you have to actually be proactive, and privacy by design is now a way of doing that. People within those systems can then start looking at being innovative within a certain ring-fenced area. The other things you need to start thinking about are so that you can keep ahead of compliance and keep ahead of the fact that there’s so much value in using personal data to actually promote your product and make sure you’re giving customers what they want.

