11 September 2017 | By Andrew Rogoyski | Community

GDPR: A framework to improve business

Technology is the acknowledged answer to many of today's business challenges. But handling data correctly must be at the root of it

UK industry faces some significant challenges in the coming months and years. Apart from the obvious challenges to the business environment caused by Brexit, including loss of confidence and the weak pound, there are some very significant underlying issues constraining growth from productivity and skills to investment.

The acknowledged answer to many of these challenges is technology. Key developments in automation, robotics and data analysis can reduce production costs, allow customisation and create agile businesses capable of adapting to changes in demand and supply.

At the core of these challenges and future successful businesses is data: data that describes your customers’ behaviours and needs; data that describes your production processes; and data that measures the productivity of your supply chain.

Such data is deeply sensitive – it is your competitive advantage. It is also very sensitive for your customers, who will become deeply concerned if information they regard as privileged or personal becomes public knowledge, or is used by criminals to commit fraud or similar offences in their name.

Protecting such data is the purpose of the new European law, the General Data Protection Regulation (GDPR). This new law, which comes into full force on 25 May 2018, harmonises data protection across Europe, including the UK. It introduces strong requirements and guidance on how personal data should be protected – and penalties if you mishandle such data include fines of up to 4 per cent of a company’s global revenue.

An enlightened approach

For companies that store or process personal information, there is limited time to make sure that the right steps have been taken to protect this data. In broad terms, companies need to understand what data they hold, how and where it is stored and processed, whether they have the customer’s permission to do so and whether it is accurate.

There are more subtle requirements to add to that; companies will need to support users’ requests for their data to be deleted and their rights of data portability (so a customer can take their data from one company to another). Companies will have to demonstrate, with evidence, that they took appropriate measures to protect such data.

How should you approach GDPR? Think of it not as a compliance regime but as a risk framework. Compliance thinking encourages people to opt for the lowest common denominator, to aim only for the minimum that will satisfy the compliance regime.

By taking the wider approach recommended in GDPR, you’ll weigh the threat posed by the attacker, the business environment you operate in and the risk you’re prepared to accept as an organisation against the measures and investments you’re prepared to make to protect yourself.
