How UK CIOs are ensuring GDPR compliance

Healthcare research involves highly sensitive information that makes GDPR compliance particularly crucial for Cancer Research UK and its supporters, who need to know their data will be safe if they’re to hand over their money.

“We had a big programme of work to make sure we were compliant and to instil in all the staff here the importance of the security of sensitive data,” says Cancer Research UK CIO Tiffany Hall.

“That programme hit its target for the May deadline and wrapped up not long after that. We have a data governance and compliance board which reviews that and ensures that the staff training stays fresh. So yeah, we’re all over that one.”

Read next: Cancer Research UK CIO Tiffany Hall describes her award-winning work

Arsenal Football Club has rolled out the Acronis data-cloud solution to support its GDPR compliance effort.

The club stores a vast quantity of sensitive information, including over eight terabytes of video of every first-time and academy training session recorded at the club’s training ground. This data was previously stored on laptops and USB drives, which lacked security and accessibility, leading Arsenal to deploy Acronis for storage, backup and recovery of the recordings.

“We’re very confident that that data is stored securely, and that’s absolutely key for us,” says Arsenal FC IT Director Christelle Heikkila. “We have video footage of our global superstars, huge public interest, and intellectual property from what we do in our training sessions, and like every company, we’re subject to GDPR regulations as well, and we have to keep that safe.

“But also in terms of the ease of use, we know that we can recover 10 gigabytes of data in eight seconds, just by the touch of a button, and my engineers can do that remotely. And we’ve started to use that solution in other scenarios as well. For example, recently, we’ve been standardising on our Mac bills. And really, really quickly, we’ve been able to back up user data to facilitate that whole deployment process.”

Read next: Arsenal IT Director Christelle Heikkila explains the role of data in football

Ordnance Survey Chief Data Officer Caroline Bellamy has embraced the impact of GDPR on the governance, security and ethics that Britain’s national mapping agency needs to make its data accessible and usable.

“Like all government departments and organisations, we’re applying GDPR with reference to all of our data: our internal data, our financial data, our employee data, as well as the location data we work with. GDPR applies to everything that we do,” she says.

“I think where GDPR really does start to come into much more consideration is how machine learning is used and how these new types of capture and processing and algorithms are used. We’re absolutely clear and committed to making sure that we follow that agenda and are working with not only the public sector on deployments of GDPR, but also the commercial parts of GDPR.”

Read next: Ordnance Survey Chief Data Officer Caroline Bellamy reveals data strategy

Wavemaker Global Head of Analytics Stephan Bruneau has to implement the requirements of GDPR across a vast quantity of data from the media agency network’s clients, campaign analytics provided by partners, proprietary research, and public data.

“We’ve gone through a very extensive programme which has been driven from the top,” he says. “We’re part of the WPP Group [the world’s largest advertising agency], and there’s been a lot of advice from the legal department.

“Procedures have been written, there’s been lots of verifications by data source and by client to ensure that everyone is compliant, and lots of training as well, and there’s ongoing efforts in that area.

“There are platforms that are available as well for retaining information about GDPR and best practices in that area. We’re doing everything we can, and working with clients a lot because obviously they are impacted too and as we exchange data with clients it’s important that we’re both GDPR compliant.”

Read next: Wavemaker Global Head of Analytics reveals how data drives advertising

Ordnance Survey Chief Data Officer Caroline Bellamy has applied the new regulatory requirements to all the data at the UK’s national mapping agency, paying particular attention to the effect of emerging data science techniques.

“GDPR relates to all types of data so like all government departments we’re applying GDPR with reference to all of our data. That’s our internal data, our financial data, our employee data as well as the location data we work with,” she says.

“I think where GDPR really does start to come into more consideration is how machine learning and how the new types of data capture and processing and algorithms are used.

“We’re absolutely clear and committed to making sure we follow that agenda and working on not only the public sector deployment of GDPR but also the commercial parts of GDPR so we’re fully aligned to that.”

Read next: 2018 CIO Summit – How to put data at the heart of business strategy

Freshfields CISO Mark Walmsley has used the introduction of GDPR to make data protection a priority across the Magic Circle law firm.

“GDPR makes both businesses and their members of staff more accountable. That’s really important in cyber security and it also means that it is a higher priority,” he says.

“You can actually use it as a bit of a lever, because when we’re looking at protecting data, we don’t necessarily distinguish between client confidential and personal data. It has the same high value to us. If you have a regulation that looks at personal data and requires you to behave in a particular way, that allows us to leverage that behaviour against the rest of our datasets and processes.

“A lot of people moan about it. It’s finding its feet. It’s aggressive. It’s got teeth. As an industry do we think it helps us? Yeah, I think so.”

Read next: Freshfields CISO Mark Walmsley explains how he manages insider threats

Heathrow Airport has been using biometric security for 10 years, but had to review its data protection practices to ensure they were GDPR compliant.

“We’re very conscious of the GDPR and privacy discussions on the requirements,” says CIO Stuart Birrell.

“Whatever we do will be done and has to be done in conjunction with the government and the public’s concerns. If the public don’t want and don’t accept it than we can’t do it. There’s a balance to be had.”

Read next:  Heathrow Airport CIO Stuart Birrell’s new IT operating model delivering digital workplace and business innovation

First Central Group CIO John Davison had to strengthen some of the insurance company’s data protection policies to comply with GDPR, but the company’s existing privacy culture meant there was not too much work to do.

“One of the advantages for First Central is that we kind of set ourselves up with one of our key principles about how valuable information was,” says Davison.

“Therefore when GDPR came in, it was not as difficult for First Central to implement because we already had a very strict and stringent approach to data classification, data security, data storage. So whilst we had some work to do to make sure that we complied with the way the regulation had changed, it wasn’t that difficult.

“When we look at the data lake, for example, GDPR influenced what we could store in the data lake and how accessible that information would be, because GDPR requires you to have a legitimate use for the information. So we had some work to do, but it wasn’t as challenging as I know some of my peers have found it.”

Read next:  First Central Group CIO John Davison explains how data science and AI are transforming insurance industry

Virgin Trains CIO and Project Director John Sullivan used Box to help fulfill the company’s GDPR requirements around scanning information from digital tickets.

“With GDPR, I think you have to be proactive, and if you do have any issues, then you have to be able to show the process that you’ve gone through to identify and resolve the issue,” says Sullivan.

“For the process of mass scanning of data when it’s needed and notifying the right person, you can set those rules up as you feel fit. When you set the rules up for scanning in the cloud, it’s all done quite quickly.”

Read next: Virgin Trains CIO explains how he ensures adoption of new services

Steinhoff UK CIO Chily Fachler took the company through a comprehensive GDPR training programme to ensure staff knew what was required of them. To prepare Steinhoff UK for the unexpected, he arranged for a group of ethical hackers to come to the company’s head offices and try to compromise its network so Fachler could identify any unknown weakness in the company’s defences.

“I never say that we’re on top of it because you’re never on top of security, but we spend a lot of time and focus on it,” he says. “We have taken an interesting approach; you have to tick all the boxes, whether that’s PCI or data protection. But we’ve decided, that because you can tick the box, it doesn’t mean you’re secure.”

He added that he was positive about the impact GDPR will have.

“GDPR will change the way retailers engage with customers. I’ve never been that convinced that datasets of customers are as useful as some people think. But I think GDPR is a good thing. It protects our rights as consumers and it makes us as companies be much more focused about what we need that data for.”

Read next: Steinhoff UK CIO Chily Fachler interview – Board representation and customer experience innovation

When Picsolve CTO Dan Maunder wanted to add facial recognition to its rollercoaster ride photos, he needed to ensure that the new system would be GDPR compliant.

“We wrote to the Information Commissioner’s Office as part of the GDPR process and asked if we could capture this information. They said: ‘Absolutely. It’s a legitimate business interest and something that we see you’d hugely benefit from’.”

Read next: Picsolve CTO Dan Maunder redefines theme park photography

The Restaurant Group CIO Simon Iddon has taken a number of measures to ensure GDPR compliance, but he believes that many of the Information Commissioner’s guidelines around regulations such as PECR (Privacy and Electronic Communications Regulations) mean the fundamentals of GDPR have been in place for some time.

“GDPR has been around for two years and shouldn’t have come as a surprise,” says Iddon. “From a business point of view there’s obviously new stuff; more rights for consumers, more informed consent and definitions of what personal data is. But it shouldn’t be a massive sea change in what people are doing – organisations should be doing this anyway.”

Read next: The Restaurant Group CIO Simon Iddon on front-end and back-end transformation

Scottish Local Government Chief Digital Officer Martyn Wallace describes GDPR as “the elephant in the room” with “quite a lot of snake oil salesmen in the sales community at the moment with the latest offering which is a silver bullet”.

His strategy for compliance is to replicate what the leading councils are doing across the rest of Scotland’s 32 local councils.

“Ideally for all my projects in the Digital Office we do something once and we replicate it 32 times,” he said.

This strategy meant his team only had to interpret the rules once in order to replicate their practices across local government in Scotland.

The Prince’s Trust has to process a vast quantity of sensitive information in its work with vulnerable young people, which makes GDPR preparations a big project for the charity. Staff often have very intimate conversations with the people they support, some of whom have been the victims of serious abuse.

“Whereas a lot of organisations try and depersonalise their data in order to protect themselves and the data, we have to have the right balance where we’re able to have those very intimate conversations with our young people, because that’s how we support them,” explains Prince’s Trust CIO David Ivell.

“But we also then have to protect that data and make sure that only the relevant people who need to see that information do see that information.”

To ensure that the charity can strike this balance, a programme is underway looking at GDPR across the organisation, from fundraising to all systems used internally and those used by the people it supports.

“We’ve had to update a lot of our technology that is customer-facing,” says Ivell. “We’ve basically got rid of paper at the front line and we’ve gone for encrypted tablets.”

Read next: Prince’s Trust CIO David Ivell on how tech is helping young people

GDPR is a key project for City, University of London CIO Claire Priestley. She has to protect the information of staff, the university and almost 20,000 students, and prepare for a future personalised education driven by their data.

“Eight months ago I restructured again and introduced an information assurance pillar because of the importance of data, not only compliance but also data security, data quality and data mobility, so I introduced this new pillar to underpin a data strategy,” she says.

“I’m more confident than concerned. We all think we are in relatively good shape I think, and when I benchmark against my sector peers, we’re there or thereabouts, but of course, it’s an unknown. We’ve certainly been working on this for a good couple of years now so we’ve got a lot on track.”

Read next: City University Director of IT Claire Priestley describes how data can create personalisedstudent experiences

Ascential CIO Sean Harley has been working with the media company’s head of legal to set out a GDPR readiness strategy for all of the business’ variety of brands.

“A lot of people look at this as a marketing problem, a lot of people look at it as solely a legal issue. We’re looking at it as a company issue,” says Harley. “It’s a marketing issue, it’s an HR issue, it’s a legal issue, it’s a technology issue and a data issue and we are all taking responsibility for that.

“We’ve got a good, focused all-in structure to ensure that we hit the various deadlines that are coming up next year and to make sure that we’re doing what we need. We’re also changing some of our processes to make sure that we are meeting our requirements as a B2B business.”

Read next: Ascential CIO Sean Harley on technology strategy and guiding media company through its successful IPO

AEG Vice President of IT in Europe David Jones has to protect data at an array of entertainment venues across the continent, including the O2 in London, the AccorHotels Arena in Paris, the Ericsson Globe in Stockholm and the Mercedes-Benz Arena in Berlin.

His primary concerns about GDPR are over the clarity of guidelines and interpretations of the regulators, although his work in the stricter privacy regime of Germany means his company is likely better prepared than most.

“The reality is probably that many organisations aren’t anywhere near where they should be,” he says. “I think one of the big challenges with GDPR is there’s probably quite a big lack of clarity about actually what the regulations will really mean in day-to-day life.

“We’ve got complexity, we’ve got businesses in three European countries. And of course the benefit of GDPR is that all those businesses will then be conforming to one common set of standards. The reality of course is it won’t be like that because each regulator will interpret things slightly differently.

“To a certain extent we’re already dealing with some of the GDPR themes in Germany, because Germany’s just been ahead of the game on this one, particularly with things like marketing consent.”

He hopes that greater clarity will develop when the Information Commissioner’s Office (ICO) issues its first fines for breaches.

“I think we’re all hoping the ICO will go after the likes of Google and Facebook first rather than smaller organisations, and that will help set some sort of case law,” he says.

Read next: AEG CIO David Jones interview – Digital innovation and live disruption

Radius Payment Solutions CIO Dave Roberts has been working towards GDPR compliance in conjunction with preparations for the ISO 27001 Information Security Management certification.

The IT security risk and compliance team at the payment and fleet services company has been focused on preparing for the requirements. The company has also sought legal expertise to undertake a gap analysis and develop a GDPR strategy.

“We were able to identify to the auditors that came in what we’ve done to date against the 114 controls and ISO 27001, and then mapped some of those to GDPR legislation,” says Roberts.

“We’re in a pretty good position for achieving ISO 27001 which has given us a significant leg up for GDPR.

“I think one of the key messages I always talk about with GDPR is it’s not an IT project, it’s a business project so we’ve got stakeholders from across all the different functions across our business involved in our GDPR steering committee.”

Read next: Radius Payment Solutions CIO Dave Roberts diversifying products and scaling team to drive business growth

Yodel CIO Adam Gerard has been ensuring that staff at delivery service company are prepared for GDPR compliance.

“My data protection specialist is already trained up,” he says. “I have a great IT cyber specialist who is fully up to speed with it and understands the concerns in that space as well. So the two of them are going through with a fine-tooth comb; all our data sources, all our applications – what does this mean for us?

“I think we’ve got the right kind of rigour, and I think we understand the process we need to get through. There are a lot of areas of working, and that’s just on the technology side. A lot of people forget that data protection isn’t just about what’s stored on the systems.

“Fortunately my team are smart enough to know this and are out there, looking at all the different processes that could potentially have personal information written down as well as stored.”

Discussions with his fellow CIOs have convinced him that his company is more prepared than most.

He believes his company has a duty to protect the data of its customers, and that those who aren’t convinced of the benefits of GDPR compliance should at least be wary of the risks of breaching the requirements.

“I wouldn’t be surprised if very quickly, once the regulations are formally enforced, the ICO go after somebody,” he says. “I absolutely do not want that to be my organisation, so we will be compliant in time.”

Read next: Yodel CIO Adam Gerrard interview – Delivering transformation and ensuring EU GDPR compliance

Trainline CTO Mark Holt is one of many IT executives who is treating GDPR as an opportunity as much as a challenge.

The train ticket retailer takes what he calls a”GDPR-compliant approach” to its use of data, a strategy that has ensured preparations are on track, data is secure and customers can trust the company.

“We do obsess about it and keep an eye on it,” he says. “I’m a big fan of GDPR and I think organisations should already be working in that way.

“If you don’t already care to the level that GDPR requires you to about your customers’ privacy then there’s something wrong.”

Read next: Trainline CTO Mark Holt on crowdsourcing customer data to drive innovation at scale