The GDPR: an information governance opportunity

It’s amazing how four little letters can cause such panic. But there is a lot of panic, and misinformation, about GDPR, and that is only likely to increase as we get closer to 25 May 2018.

It’s true that it will bring more obligations for companies and strengthen rights for individuals. But for all organisations, large and small, GDPR presents an opportunity for better information governance.

The change in approach it requires means companies need to look holistically at how they do privacy, to embed it into their systems, processes and culture and to make it ‘business as usual’. This approach involves policy, process, technology and culture.

Good information governance is more than a compliance tick-box exercise: it reduces risk, focuses and prioritises company efforts, and demonstrates to shareholders, customers and consumers that the company takes privacy and security seriously. It increases trust and enhances the brand, especially in an age of one breach after another in the news.

Companies on the front foot with GDPR planning send the message that they understand the importance of good information governance, and how it benefits their business as well as their customers.

You may find that any streamlining you do, such as to consolidate marketing databases, could save you money; and you may even be able to develop new product lines once you understand what information you have. Becoming more user-centric also tends to lead to better products and greater trust.

What you have to do and how much work is involved will depend on the nature of your business, the extent of personal information you have, and what you already have in place. You should already be compliant with current data protection law, and a lot of the panic may be because some companies are realising that they are not, and so they have even more to accomplish by May 2018.

To avoid becoming overwhelmed, have a project plan. Work out what your priorities are and what the different workstreams need to be. Focus on areas of high risk first. It is unlikely that any company will be 100% compliant by 25 May 2018, but if you have a project plan, have tackled the high-risk areas, and have a clear roadmap for what is left to do, then you can demonstrate that you are serious about getting it right and you have a clear way to get there. And remember that there is no such thing as 100% compliant and nothing left to do! Making privacy business as usual means it’s an integral part of your operations and an ongoing activity.

In my view one of your priority activities should be data mapping: understanding and documenting what information you have, what you’re doing with it, where it is, who has access, how long you’re keeping it for and so on. It is also a foundation for so many other aspects of GDPR.

For example, it helps you see what information is in scope for some of the rights. Use and build on what you already have (like systems or asset inventories), and use GDPR requirements to improve how you do things.

Ultimately, you can use good information governance as a competitive advantage, as part of your values as a company. What does privacy mean for your company? Are you looking for bare minimum compliance, are you looking to be a leader in your sector, or are you trying to make it your USP?

GDPR is a real opportunity to take a step back, look at how you approach privacy and information governance, consider if it’s the right approach, and do it better. GDPR can be a hard sell, as on first look it seems to just be a longer list of more onerous things you have to do to avoid a fine.

However, an enlightened company will see instead the chance to embed privacy at the core of its operations, use it as a competitive advantage and increase trust in its brand. It’s time to move away from seeing privacy as a compliance cost centre, and towards seeing it as the way to make sure everyone wins.


Sourced by Emma Butler, data protection officer at Yoti



Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
