Wednesday 03 May 2017, Bristol

PWC West and Wales Cyber Security Lead, Rhodri Evans, treated members of PM Forum South West to an entertaining talk on the incoming General Data Protection Regulations (GDPR). Rhodri set the tone at FootAnstey’s office on Victoria Street by declaring amazement that so many marketers would show up to one of his talks. As the amusement subsided he proceeded with the GDPR essentials.

These included: 

  • Heavy penalties of up to 4% of global turnover for data failures.
  • Increased focus on operational adequacy and accountability.
  • More invasive regulation.
  • Mandatory breach disclosure.
  • US-style class actions for privacy breaches.
  • New liabilities in supply chain.


Three pillars of GDPR

Rhodri went on to explain how GDPR has been built on three pillars.

The first pillar is a transparency framework. Organisations must be much clearer about how they use personal data. In addition, they will be required to disclose data failures.

The second pillar is the compliance journey. This means that all data use will have to be documented and handled correctly from the outset. Actions like privacy impact statements will need to be carried out as a matter of course, and a “right to be forgotten” will give people a greater power to demand that their data is deleted.

The third pillar is the punishment regime. This ensures that regulators can pack a powerful punch. They will have tougher enforcement powers such as the stiff financial penalties mentioned earlier. Furthermore, there will be compensation rights for those who experience distress from data mishaps and litigation rights for civil organisations. 

The current issues as firms prepare for GDPR

GDPR will become active on 25 May 2018 – so one year from the time of writing, people.

Will Brexit have an impact? Probably not. Brexit certainly won’t have happened by next May, so the rules will be active in the UK. But even after Brexit actually happens, it is unlikely that a future government is going to want to make UK citizens less protected than their European counterparts. Therefore, the GDPR rules - or similar - are still likely to apply.

Rhodri highlighted six current issues that firms are facing as they prepare for GDPR, based on research by PWC. These were vision and strategy; design; data accuracy; data retention; accountability; and assurance.

Picking up on just one of the statistics he provided to back these issues up, the research showed that 93% of businesses were not ready to satisfy the accountability principle of GDPR. This was due to insufficient documentation and limited understanding of the requirement.

Seven steps for marketing professionals preparing for GDPR 

  1. Gain clear understanding of what data you have, its location and who can access it.
  2. Sketch out where your data is.
  3. Think about which third parties you pass data through.
  4. Are you aware of the risks that third party handling exposes data to, and are they managed?
  5. Do you have contracts with data protection clauses with your third parties?
  6. Do you only use data for purposes you have disclosed?
  7. Do you carry out privacy impact statements for projects which concern personal data?

Privacy impact statements, risks and summing up

Rhodri concluded his talk by discussing privacy impact statements and what he saw as the risks associated with holding personal data. These included holding inaccurate, excessive or irrelevant data; hanging on to data for too long and using it in unacceptable or undisclosed ways. And, of course, not keeping it securely.

The number of questions posed in the Q&A revealed how seriously the PM Forum South West members took the subject. And Rhodri’s closing analogy, which began as relating data protection to guarding children in a garden (before shifting to sheep in a field when it got a bit weird!), perfectly concluded an enlightening talk on what could have been a dry subject.

Written by Huw Bendon, South West Regional PR
Managing Director and Founder, On Point Copywriting