Insights/Case studies/Newsroom/CareersCareersCareersPartnersConsultantsTechnology innovationCorporateEarly careersSearch Jobs/About us/Contact us Global locations

  • Phone
  • Contact us
  • Locations
  • Search
  • Menu


  • Add this article to your LinkedIn page
  • Add this article to your Twitter feed
  • Email this article
Close this video


Just a 'tick in a box' – or an opportunity to create value?

Contact us now

The EU General Data Protection Regulation (GDPR) is a game-changer. The penalties for a breach have the potential to move from hundreds of thousands to millions of pounds, dollars or euros. Requirements around unambiguous consent and the right to erasure mean organisations fundamentally need to re-think how they manage and retain data. Compliance with GDPR requirements is mandatory for all organisations that handle personal data of EU citizens.

Organisations have a choice. They can treat it simply as another compliance issue – or they can take a more business- and customer-centric approach that will allow them to explore how they can manage personal data to help make more informed decisions and create a better experience for their customers and other stakeholders. 

Successful GDPR implementation demands that organisations have a complete understanding of the personal data flow aligned with the overarching business processes and underlying systems. If this is closely coupled with their data governance programme, organisations can generate valuable insights – for example, into customer behaviour and how to improve customer experience. 


The GDPR brings in major changes from the current Data Protection Act, including a fundamental change to the way organisations manage personal data. Essentially, the GDPR means that organisations  will need to take a more proactive approach towards management of personal data and subsequent monitoring, and reporting. Figure 1 shows our view of the key changes arising from the EU GDPR.

In addition, we have identified the top three priority areas for any organisation. Each of these areas will change the way organisations ensure protection of personal data: 

  • the right to erasure and data portability will require organisations to have a complete understanding of the information flow ecosystem
  • privacy within systems and organisational culture by will need to happen by design, rather than as an after-thought
  • liability extension to third-party data processors will enable organisations to have clearly defined accountabilities and agreements.   

Impact of Brexit

With the UK preparing to leave the EU, some organisations are choosing to take a ‘watch and wait’ approach to the GDPR. However, the GDPR applies to any organisation that trades in the EU or with EU citizens, or handles EU citizen data. Furthermore, we believe that the Information Commissioner’s Office will be keen to ensure consistency with the EU in order to encourage and facilitate cross-border trade and operations post-Brexit. In short, companies should proceed with their GDPR planning – either because they process EU citizen data or because the UK is likely to implement laws that are essentially identical to the GDPR.  

Getting started

However you decide to approach the GDPR, it is important to act now in order to ensure compliance and to make the most of the opportunities on offer. This includes:

  • conducting a detailed gap assessment against GDPR requirements
  • defining and shaping an appropriate remediation programme as per the findings of the gap assessment
  • identifying opportunities within your organisation to use data to improve decision-making and customer experience. 

There are a number of practical steps an organisation can take to start their GDPR planning and preparation – from reviewing their current consent model to locating where personal data is current held, and from conducting internal awareness and training to reviewing all third-party contracts. 

Our experience

We combine proven experience and technical expertise in assessing and delivering information management, data protection and GDPR programmes across industries. Our experts can help identify the impact of GDPR on your organisation and shape, mobilise and deliver transformation programmes to achieve compliance, embed privacy within the organisation and generate business benefits. Some of our recent work includes: 

  • helping a UK-based retail bank to conduct a detailed assessment of their existing data protection capabilities against the UK Data Protection Act and the GDPR and identify key areas of improvement and remediation
  • carrying out an assurance review of a central bank’s existing GDPR implementation programme to identify potential gaps against the regulation and helped them re-prioritise their activities to ensure compliance
  • conducting a detailed data security gap assessment against the requirements of international standards for a large UK retailer. We identified the main risks, provided pragmatic remediation advice, prioritised risk and delivered a large data protection improvement programme.

More broadly, together with 7Safe, our technical security team, we have extensive experience in helping organisations to build digital trust and improve their cyber security.

Contact us

To find out more or to speak to one of our information security and GDPR experts, please contact us.

Elliot Rose

Elliot Rose
PA digital trust and cyber security expert

Email | LinkedIn

Sharad Patel

Sharad Patel

PA digital trust and cyber security expert 

Email | LinkedIn


» Indicates required fields

Your details

By submitting this form you are agreeing to be bound by our legal terms and conditions and our privacy policy.

By using this website, you accept the use of cookies. For more information on how to manage cookies, please read our privacy policy.