How CIOs are preparing for GDPR

The GDPR implementation date of 25 May 2018 is looming. The sweeping update to existing data protection rules was approved by the EU Parliament to protect the personal information of its citizens, and the terms of the regulation will be mirrored by the UK after Brexit.

Ensuring GDPR compliance is a pressing priority for CIOs. For some, it means a major overhaul of existing practices, while others only need to tighten up policies and practices in their organisations.

Some of the country’s leading IT executives shared their thoughts with CIO UK on the steps they are taking to ensure GDPR compliance

Read next: EU GDPR – What, when, why and how? A CIO roadmap to getting ready for GDPR

“My data protection specialist is already trained up. I have a great IT cyber specialist who is fully up to speed with it and understands the concerns in that space as well. So the two of them are going through with a fine-tooth comb; all our data sources, all our applications – what does this mean for us?

“I think we’ve got the right kind of rigour, and I think we understand the process we need to get through. There are a lot of areas of working, and that’s just on the technology side. A lot of people forget that data protection isn’t just about what’s stored on the systems.

“Fortunately my team are smart enough to know this and are out there, looking at all the different processes that could potentially have personal information written down as well as stored.” Adam Gerrard, CIO at Yodel

“We have reduced and redesigned our policies and procedures to reflect the environment in which we now operate, including our data protection and record management policies, which have been updated to prepare us for compliance with the GDPR, including segregating the duties of the data controller and data protection officer.” Barry Ashcroft, Director of IT and Information Management at Quarriers

“The reality is probably that many organisations aren’t anywhere near where they should be. I think one of the big challenges with GDPR is there’s probably quite a big lack of clarity about actually what the regulations will really mean in day-to-day life.

“We’ve got complexity, we’ve got businesses in three European countries. And of course the benefit of GDPR is that all those businesses will then be conforming to one common set of standards. The reality of course is it won’t be like that because each regulator will interpret things slightly differently.

“To a certain extent we’re already dealing with some of the GDPR themes in Germany, because Germany’s just been ahead of the game on this one, particularly with things like marketing consent.

“There’s quite a lot of due diligence to be done in most businesses. So it’s definitely a focus for us, and there’s a little joint working group between the information security director, myself and a couple of key people from our legal team in Europe as well.” David Jones, Senior Vice President of IT for Europe  at Anschutz Entertainment Group (AEG)

“I’m already preparing our website and other comms channels to become explicitly opt-in, and to provide a marketing preference centre for guests so they can self-manage their comms and marketing preferences. It’s all good practice anyway, and will give us a single, best-practice, consistent policy across our geographical territories.” Fergus Boyd, Group Director and VP of Digital & IT at Yotel

“Security and EU GDPR is a big focus. I’ve currently got a team of five now working on it with someone dedicated to GDPR and the rest cyber security.” Lance Fisher, CIO at SThree

“When we made the move to the AWS we used this as an opportunity to build a flexible scalable security foundation. It also gave us the chance to better understand precisely what data and information we have, which is serving us well as we move towards GDPR.” Mieke Kooij, Security Director at Trainline

“I have been working with information governance colleagues to understand the ramifications of the GDPR and what we will need to do in order to comply with the new legislation.” Vic Falcus, Head of ICT at Staffordshire County Council

“The journey towards ISO27001 and EU GDPR compliance has changed the cultural and behavioural attitude across the organisation, requiring best practices to be adopted in all areas of the business.

“From an IT security perspective, Radius have worked closely with ECSC, PwC, and ContextIS to aid with Cyber Essentials Plus certification, ISO27001 progression, and EU GDPR readiness assessments.

“Radius intend to have fully achieved ISO27001 by the end of Q2 2017 and ensure full compliance with EU GDPR by the end of 2017.” Dave Roberts, CIO at Radius Payment Solutions

“We are working to improve the group’s information security position through training and awareness campaigns, and preparing for GDPR legislation due in May 2018, where we need to have significantly more insight into how personal data flows across our estate and how it is secured and protected in each of its states.” Darryn Warner, CIO at Interserve