IT Pro Panel: GDPR compliance requires a fundamental rethink of the data you collect

Businesses should view GDPR as an opportunity to make sense of their data and a chance to put customers at the heart of their processes, according to the IT Pro Panel, a group of high-profile and experienced IT leaders representing a wide variety of industries.

With the EU's General Data Protection Regulation (GDPR) just two months away, organisations are rushing to comply with the legislation, which promises to hand EU residents more control over what companies can do with their data, and higher fines to firms that misuse that information.

While the looming 25 May deadline for compliance is a cause for alarm among companies yet to prepare for the more rigorous data protection measures, IT leaders have urged organisations to view it as a chance to increase customer trust, and to rethink and refine their approach to data collection.

"GDPR is great and a fantastic piece of legislation because it actually makes companies operate the way I think they should operate," says Mark Holt, CTO of e-ticket booking platform, Trainline.

"What GDPR is introducing is great for consumers everywhere. I've seen businesses where they spray customer data all over the organisation and that's just terrifying."

The UK's data protection watchdog, the Information Commissioner's Office (ICO), has issued plenty of fines to such organisations, from nuisance marketing outfits to firms responsible for careless data breaches.

But the regulator sees financial penalties as a last resort, and has urged companies to view GDPR as an incentive to improve their data practices. It's a perspective that IT Pro Panel members share, and we spoke with three of our IT leaders to help you understand the key challenges to overcome, and how to position your business to reap the benefits of compliance.

GDPR compliance challenges

The fact that GDPR holds benefits for organisations doesn't mean the road to readiness isn't a rocky one. In fact, depending on the structure and complexity of your business, it could be pretty expensive too - a recent survey of 1,000 UK businesses (conducted by Coleman Parkes) found the average firm will spend 1.3 million achieving compliance.

But while the legislation states that up-to-date technology plays its part in compliance, your real focus should be on creating clear governance, driving awareness and updating policies, not buying new software and hardware.

Know what data you hold

Most organisations will typically have accumulated various generations of servers, storage and hardware down the years, some integrated with other infrastructure and essential to everyday operations, and others underused silos of aged data.

Auditing what data you have and where it lives, then, is an essential first step to complying with GDPR - how are you meant to protect user data if you don't know what you have in the first place?

"Knowing what data you have, where it is, how it moves around your organisation... you have to do that - it's really important," points out Trainline CTO Holt.

"We know what data we have, we know where it sits, we know which servers it sits on, where it moves around inside the organisation and we can keep track of it."

Technology plays a part in tracking that data, but "it's also very much about process and about asking who are our third parties [and] how do they manage customer data," Holt adds.

Understand why you collect that data

Once you know what data you have, the next step is to ask yourself why you have it.

Research by Vanson Bourne suggests that companies are planning to up their IT security budgets, with 45% of 750 IT decision makers admitting they find it difficult to secure customers' details.

But to simply encrypt all your data - whether you know what it is or not - would be to misunderstand the point of GDPR, explains Peter O'Rourke, director of IT at the University of Suffolk.

"Yes, you can encrypt all the data in a system, but if you don't know why you've got the data, you're not compliant," he states.

Understanding why you hold the data you do is key to complying with GDPR. You're required to establish a legal basis for the collection of customer data, which in turn places limits on how you can use it thereafter.

"A delivery company needs your address so they can deliver stuff to you, but beyond that it is difficult to see how they could share or use your address without additional consent," explains O'Rourke.

That legal basis can vary - from being necessary to fulfill a contract with the customer or if processing that data is in the public interest, through to obtaining the explicit consent of the customer to use their data for a stated purpose.

For a while, consent was given unwarranted weight in business conversations around GDPR compliance, says Julian Bond, head of ICT at retailer Hillarys Blinds, which is problematic since a customer can withdraw that consent fairly easily at any time.

"It was easy to be mesmerised by this [aspect]," he says. "Whereas the truth is that you have to think through what kind of business you are, where you're getting personal data from, what you're using it for, and then working out what of that you can still collect - and how.

"Making sure that we're clear on the basis of our processing (whether contractual, consent or legitimate interest) is essential so that we can be open and transparent with our customers."

Drive cultural awareness of GDPR across the business

Once you know where all your data is, and you've encrypted all the personally identifiable information (PII) you have, you could still fall foul of GDPR at, quite literally, the click of a button.

"You can encrypt your data all you like but if an employee emails it to somebody it's still out there," O'Rourke says.

This makes culture, not technology, the most important factor in adhering to GDPR after you achieve compliance - something that will require employee retraining.

Raising awareness of the new data protection measures can be done in several ways. From a technology standpoint, Trainline's Holt explains that all developers go through secure code training once a year.

For other teams, everything from in-person training sessions to compulsory questionnaires geared towards asking staff practical questions about how they would treat data in everyday circumstances could drive awareness.

The key, says O'Rourke, is explaining why it's so important.

"Just telling people to robotically follow a series of rules or processes but not explaining why is the wrong thing to do because you need them to understand: 'we are doing this because these are the consequences and we need everybody to help us be vigilant.'"

IT won't necessarily lead your GDPR strategy

While technology is relevant to GDPR, it isn't the biggest factor, and your IT team might not be best-placed to lead your compliance efforts. At Hillarys Blinds, for instance, the finance director is in charge.

"Achieving GDPR compliance isn't going to happen just because IT tells the business that they need to comply - at best that would just induce some lip service," says Bond. "We've got a business-wide programme with stakeholders in eight different streams looking at GDPR across the business. IT's role is as advisors and facilitators, rather than being the primary driver of the business imperative."

Instead, IT is good at identifying where personal data exists and securing it, Bond explains, but giving each area of the business their own GDPR responsibilities to achieve has proven to be a much more successful approach than leaving it all to IT.

Tell customers what data you hold on them

For businesses that move beyond the mindset of simply achieving compliance, GDPR holds many benefits.

Under GDPR, people can ask organisations to share the data they hold on them, and demand that data is deleted, amended or transferred to a preferred organisation. But the most proactive companies won't leave it to customers to actively enquire; they will tell the customer first.

"If you positively engage with people about the data you've got and you're keeping them informed, do you think you'll have a better relationship with them?" asks O'Rourke.

"If you can be very transparent about what data you've got and what you intend to do with it, and communicate that to the data subject, actually it gives you a competitive edge for a little while - I think ultimately people will become distrustful of organisations who blindly use their data without saying what they're doing with it."

Re-think what data you collect in the first place

Questioning why you collect certain data has another, somewhat hidden, benefit under GDPR: it can streamline your business processes.

"Many processes have become complex and clunky over time, and it can be too easy to make things even worse by merely adding some GDPR controls," says Bond. "Whilst it can be time-consuming, stepping back and re-looking at what the process is trying to do can be a more effective way of implementing the idea of 'privacy by design' that GDPR supports."

Doing this, rather than simply rushing to implement controls over, say, who can access what data, potentially has some significant knock-on benefits for your business. First of all, it provides the chance to look at what you're getting out of your data, and to eliminate costly collection where there's little ROI on the process.

"Do you think that mailshot you've agreed to do that is going out is more or less likely to be read?" asks O'Rourke. "If 80% of that newsletter list is useless, just think about the cost per acquisition. If you can get that down is that of business value to you?"

Secondly, if you're using less data, you can cut down your storage requirements - another saving. There's also the fact that you're minimising your risk profile: attackers have less data to steal if they do get in, perhaps making you a less attractive target, or at least a less high-profile victim in the event of a breach.

"Any organisation is going to have some key processes where it makes sense to change the process, not just to put a wrapper of controls around it," Bond emphasises.

Preparing your business for GDPR is an incredibly difficult process that requires far more than just the IT department's input to be successful. You should educate the entire organisation about the data protection rules and, while someone should be in charge of the process, each area of the business should be clear on what they need to do.

It's a long and bumpy road, but achieving a 'privacy by design' approach to everything you do yields valuable prizes: customer trust will increase, and you'll also be able to evaluate what types of data actually bring value to your organisation, and focus in on those to increase success in the future.

If you're a senior IT decision-maker and you'd like to apply to be part of the IT Pro Panel, please email panel@itpro.co.uk.