GDPR: time to think about best practice?

It’s easy to see GDPR as a bombshell about to explode onto the business world in a few months’ time, disrupting order and success. Just as many companies are beginning to enjoy the benefits of holding their data in the cloud, along comes a reason to act defensively and take it back into their internal systems.

Except when it comes to data and the cloud, many believe the genie is out of the bottle and it’s too late to return to old, more insular ways. Instead, something far more positive is happening. There’s a new willingness to work together with partners and specialist cloud providers.

Consequently, many businesses are turning the challenge on its head. Instead of seeing GDPR as a threat, they see it as a welcome chance to tackle the previously ill-defined issue of data protection head on and in doing so develop a form of best practice.

Strangely enough, it seems that one of the perceived weaknesses of GDPR has actually become its strength. The regulations are detailed over no less than 300 pages. Many believe they are too vague and open to interpretation. However, as a result of this, businesses, partners and suppliers are having to talk to one another. Instead of just taking the prescription, they are having to think about their actions, drill down to what the document really means and then make it relevant to their business and to their industry as a whole.

Many of our customers, for example, are still at this ‘gap analysis’ phase, trying to judge the distance between what they have in place at present and what they need for compliance. Because of the demand for transparency and accountability, they have little choice but to discuss what they are doing and where they are going with partners – such as cloud services providers – and suppliers involved in protecting their data.

In our experience, because everyone in the chain needs to understand what every other part is doing and the part they have to play, this is leading to open and engaging conversations. In fact, I can’t remember another security and data protection initiative that has been the focus of so many discussions including those with customers and prospects, allowing all sides to learn through the process and then share what they have learnt with others.

Also, because GDPR involves the entire business, there are similar discussions going on internally, particularly between HR, IT, security and legal departments, who are all in the frontline. C-level involvement is a must and HR involvement is also vital; they are already experienced custodians of private and confidential data and need to be part of the process, if only to represent the employee interest.

Compliance will involve some strong technical controls, but also an adaptation of processes and procedures, all involving different departments and re-training. There are hundreds – maybe thousands – of articles written about GDPR that are available online. However, there are very few best practice guidelines. Writing these is obviously something organisations need to do themselves, as the guidelines will vary according to a company’s size and industry.

All departments must work together to ensure that there are not several hidden stores of information held about an individual across the organisation. Collaboration is also needed on particularly knotty areas such as the ‘right to be forgotten’. While this right is obviously important, it doesn’t override other legal obligations, for example, the need to maintain accurate payment records.

If an employee asks that all their records are removed, there is still the obligation to retain some as appropriate. Yet there appear to be no hard and fast rules, so discussions, conclusions and the establishment of guidelines or best practice are the only way forward.

Some companies see data protection leadership as an extension of an existing employee’s role; others choose to employ a data protection officer, despite the skills shortage. Such officers will have valuable experience of past and existing data protection acts – and in particular of adapting them to their own environment.

Whatever the decision, this timely spotlight on the subject should drive the establishment of new, long overdue guidelines. Yet these guidelines should not be subjective; they should be developed objectively, working with partners that understand the need to be transparent. Only this way will the defined guidelines suit all involved and therefore be both sustainable and successful.

Although it’s important not to focus on the fines for non-compliance, it’s vital that all staff know how serious they could be. Only this way will they begin to understand why the utmost care and vigilance is needed and recognise why the changes in procedure are necessary.

But it’s also imperative to consider how to make GDPR into a positive experience for your organisation. In particular, the relationships a business builds with other businesses and their partners can only be strengthened through this exercise. The result should be a safer and more transparent ecosystem – and based on this, an organisation should feel more confident about the future.

Working this way should help everyone step up to the mark. After all, businesses will need to be on top of their game to survive and thrive in the post-GDPR age. The last thing a business will want is a hefty fine, just because their processes aren’t clear. Adhering to best practice will be their best defence.
By Charlie Knox, Head of Technology, SD Worx

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at