Ascential CIO Sean Harley and data privacy lawyer Annabel Gillham joined CIO UK Editor Edward Qualtrough to discuss the EU's General Data Protection Regulation, including compliance, GDPR benchmarking, fines, and best practice during the second episode of the CIO UK podcast.
CIO 100 member Harley and Gillham, Of Counsel at Morrison & Foerster, discussed how organisations have approached the EU's General Data Protection Regulation, the setting up of executive teams to lead on compliance, benchmarking against other organisations, the GDPR barrage from the vendor community, and why data privacy and processes are everybody's business.
Launched in January 2018, the CIO UK podcast is a monthly discussion featuring CIOs, commentators and technology executives thrashing out the key issues relevant to the UK's business and technology leaders - as well as the tangential and irreverent musings of guest CIOs.
Gillham and Harley heard that, according to the ongoing 2018 CIO 100 submissions, two-thirds of organisations are confident they will be fully GDPR compliant come May 2018, although a worrying 8% are more concerned than confident, or 'not at all confident', of complying with the regulation. The duo agreed that while CIOs and technology need to be represented in the leadership teams tackling GDPR, ensuring good data practice is in fact the business of the whole organisation.
"It isn't just about legal and tech. It's about finance, HR, M&A - it's a change of how you do things," Harley said.
"Awareness has been one of the biggest things we've worked on - so everybody understands what GDPR is whether you're a help desk person or marketing person and what it means to you."
A journey, not a destination
Gillham added that business leads and product owners should probably be involved, and that GDPR needed to be treated as an ongoing process rather than a deadline to hit once in May 2018 and subsequently forgotten about.
"It's only from the business leads you can truly understand what the data flows are in an organisation and that has to be the starting point to understand what data you are processing and how high risk it is," Gillham said.
"It's here to change mindsets. This is an ongoing, evolving process."
Harley agreed, noting that GDPR was fundamentally about a change of culture.
"It's not a destination, it's a journey," Harley said. "GDPR is a way of life - it's become ingrained in our processes like a yearly audit. If it doesn't become ingrained in your culture you're going to have some problems - and it's not just about technology."