Challenge: Bring the General Data Protection Regulation to Life


Posted on: Sep 03, 2015 by Mark Roberts

Promising to change the way European businesses secure their data, the General Data Protection Regulation (GDPR) will represent an important step in placing the power back in the hands of consumers. Providing a harmonised Data Protection framework across Europe, it will make it easier for organisations to understand and meet their obligations in respect of storing, managing and using personal information. GDPR aims to reflect consumers’ right to privacy, to better mirror globalisation and the latest technology trends, and to impose sanctions where necessary to achieve compliance.

And with organisations now facing a seemingly never-ending threat of cyber-attacks – the Carphone Warehouse being the most recent victim, losing some 2.4m customer records – putting in place measures to ensure the safety of customer data has never been more crucial.

But will it work?

The honest answer of course is that only time will tell. At the moment the GDPR is expected to be passed by the end of 2015, but dates for achieving this have come and gone in the past. And even if it were to pass this year, there is still an intended two-year transition period for organisations to come into line with the new regulations, allowing them time to put in place the tools, techniques and processes needed to comply.

The draft regulation is expected to contain a number of rights that from the outset will cause serious headaches for CIOs. Organisations can expect issues in fulfilling many of the GDPR’s requirements – namely the right to be forgotten and the right of consumers to see what data a business holds on them.

The former is based on the landmark ruling in which a Spanish citizen successfully challenged Google to remove details of his previous home repossession, on the grounds that it had been fully resolved for a number of years (and was therefore no longer relevant). The right to be forgotten has significant implications for businesses.

As an organisation, ask yourself: do you know the full extent of the data you hold on a particular individual? Can you be confident you know exactly where that data is? Can you be certain you can erase it all and, moreover, provide proof that it has all been erased?

The principle of Privacy by Design will also raise some eyebrows. Will organisations be able to demonstrate that GDPR’s principles have been the default position in every new systems project? How well are you monitoring your organisation’s data? How soon after a breach will you be aware of it and how would you go about informing the regulator in a way that was consistent with your management of the incident itself?

One of the biggest unknowns is what the emergence of GDPR will mean for consumer understanding of data privacy. Can we expect high-profile cases to awaken consumers to the privacy debate, encouraging them to ask more questions about the safeguarding of their data? The extent to which this will happen is up for debate, but it’s likely to generate interest in the subject and result in some potentially awkward questions for some organisations.

But what does this added citizen control mean for the value of data? Will consumers’ bargaining power start to rise, and will we see an increase in ethical data use? Find out in my next post…

About Mark Roberts

Associate Partner at Atos Consulting and Head of our Information Governance Risk and Compliance Practice
Mark is an Associate Partner at Atos Consulting and Head of our Information Governance Risk and Compliance Practice in the UK. Mark has over 20 years’ experience in business. He is an experienced consultant having worked for a wide range of clients for both PwC Consulting and IBM Business Consulting Services. He also has a strong technical and security background having worked for the UK Ministry of Defence and more recently for QinetiQ, a Defence and Security Technology Services company. Mark joined Atos Consulting in 2013 where he led and grew the UK’s Information Security consulting practice from 25 to 50 consultants in the space of 18 months. He was then responsible for developing our global security consulting capability and more recently was instrumental in setting up a new consulting capability in the focused on Digital Transformation. Mark has recently rejoined the UK Practice to lead a newly formed Practice of about 60 consultants focused on all aspects of Information Governance, Risk and Compliance including Organisational Risk, Operational Resilience, Business Continuity, Information Security and Information Management. The Practice’s objective is helping its clients stay safe and compliant in the ultra-connected Digital Age and enabling Digital Transformation programmes by understanding and managing potential new information related risks and issues (e.g. new security risks, privacy and data protection legislation, risk and resilience).