GDPR is not an IT project, warns expert panel

Erik Vynckier, board member of Firesters Friendly Society, and Paul Edmunds, head of technology at the National Crime Agency, explain how they're preparing for the upcoming GDPR

Compliance with the upcoming General Data Protection Regulation (GDPR) is not a project for IT to run, but a board-level issue for the business to own.

That's the opinion of a panel of experts speaking at Computing's recent Enterprise Security and Risk Management Summit.

"GDPR means multiple things to us," said Erik Vynckier, board member at financial services firm Firesters Friendly Society. "We sell financial services, so we need to be responsible in the way we deal with data. It's not just about making sure data is safe, but being responsible users of data ourselves.

"Active consent is needed now, not just passive consent. 60 per cent of our sales come through our website, but customers need to click that they are happy [before they can purchase anything]. The same applies to our written marketing material."

Vynckier added that strong governance is needed to ensure compliance.

"For all processes, on an ongoing basis, we require that those in charge of those processes check what they're doing, document it, and prove that it's allowed. And it's not an IT project: it involves the risk and compliance committee, and the legal and compliance department, which reports in to the board, is in charge. IT is involved in the implementation, but it's not an IT project."

Paul Edmunds, head of technology at the National Crime Agency, explained that the GDPR will change the way organisations think about and govern data.

"We're doing a lot around GDPR," said Edmunds. "It's quite a seminal moment in the way data is accessed. This hasn't really been acknowledged by a lot of businesses, but GDPR will lead to significant changes in the way data is governed.

"As an agency we're treating it seriously. We have a large corporate programme around it that not only covers education, the auditing of data we have and new governance processes, but also encompasses IT and changes to our systems. This is so we can log everything, the correct data can be captured, and correct metadata put in place so everything can be managed in the proper fashion."

Edmunds explained that changes have happened at an organisational level too.

"We've set up data boards, and also put champions in the business who can take ownership of data. It's a layered approach to handling GDPR. It's not only about IT, it's not even primarily about IT, it's how we fulfil obligations going forward."

He added that GDPR education has extended to the board.

"Every board member has had GDPR training. Some have GDPR responsibilities and there's also the new post of data officer. High-level buy-in is absolutely essential," he argued.

The GDPR will come into force in May 2018, and will apply in the UK irrespective of the UK's membership status within the EU.

Computing has compiled a list of resources to help organisations and IT professionals prepare.