Personnel Today
General Data Protection Regulation | Data protection

How to gear up for GDPR and create a data privacy culture

by Sarah Thompson, 21 Jun 2017

Creating a culture where everyone contributes to maintaining data privacy standards will help with GDPR compliance

It is easy to view GDPR as just another compliance challenge, but HR can play a crucial role in ensuring everyone in the organisation contributes to a data privacy-friendly culture, says Sarah Thompson.

There is less than a year until the General Data Protection Regulation starts to apply. It builds on the EU's current privacy regime and strengthens individuals' rights with regard to their personal data.


Not only will the new law apply to organisations established in the EU, but also to any company, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour. This will change the way businesses approach privacy.

UK companies hoping that Brexit means the GDPR won't apply to them will be disappointed. The UK will still be in the EU when the new law starts to apply and, when we do leave, it is likely that the UK Government will adopt the same or similar legislation.

Breaching the law could subject a company to significant fines of up to €20 million, or 4% of an organisation's total worldwide annual turnover for the preceding financial year, whichever is higher.

Boardroom issue

We have already seen in the media the impact that a data breach can have on a company’s public reputation and consumer confidence, which can sometimes be more damaging than the hefty fines themselves.

This is why data protection has become a boardroom issue. It is no longer a tick-box compliance task where a few policies and ad-hoc staff training will suffice. Organisations need to change that mindset and senior management need to lead by example.

The GDPR is about creating a culture within an organisation where people think about how they would want their personal information to be processed.

Companies need to adopt this attitude when handling customer, employee and other subjects’ personal data.

It’s not just about the threat of financial penalties, either. Individuals need to trust the companies they’re providing their personal information to, and be confident that they will handle that information appropriately and securely.

The UK’s Data Protection Regulator – the Information Commissioner’s Office – endorses this approach.

Change of culture

Speaking at the recent Data Protection Practitioners' Conference, UK Information Commissioner Elizabeth Denham said that she wanted "to see comprehensive data protection programmes as the norm, organisations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK".

Getting data protection right, she added, can have a positive impact and real business benefits: “It offers a payoff down the line, not just in better legal compliance, but a competitive edge.

“Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice.”

The GDPR introduces the principle of accountability (Article 5(2)), which runs through the core of the legislation.

The concept is not a new one for data protection, but for the first time it becomes an explicit, freestanding principle: a controller must not only comply with the data protection principles but be able to demonstrate that it complies. Accountability therefore goes beyond ticking off the principles one by one, as it implies a culture change.

Accountability needs to be entrenched in an organisation, requiring a cultural and organisational shift and for companies to take a proactive, methodical and answerable approach toward compliance.

Embedding a data privacy culture

So how can organisations bring about this organisational shift?

  • Obtain buy-in from stakeholders and senior management to create the cultural and organisational changes required.
  • Assign responsibility and budget for GDPR compliance.
  • Map data flows and document uses of personal data, how it is processed and where it is stored.
  • Implement transparent internal data protection and security policies, which are endorsed by senior management.
  • Put in place effective processes and tools to implement these policies to protect the business from the risks associated with processing personal data.
  • Implement training and awareness so staff know how to adhere to the policies.
  • Put in place processes and procedures for addressing any non-compliance and data breaches, including the GDPR's requirement to notify the supervisory authority of a breach that is likely to result in a risk to individuals without undue delay and, where feasible, within 72 hours of becoming aware of it.
  • Implement and maintain clear records of processing activities (as required by Article 30) to demonstrate compliance to external stakeholders and data protection supervisory authorities.

The GDPR applies from 25 May 2018 and that is a "hard deadline": there is no transition period after that date, so organisations will need to be fully compliant from day one.


The potential fines for non-compliance are eye watering, but the GDPR requires supervisory authorities, when deciding whether to fine and how much, to take into account factors such as the technical and organisational measures an organisation had in place and the degree of its cooperation with the regulator. An organisation that can show it has made genuine, documented efforts to protect personal data can therefore expect that to count in its favour.

If it isn’t already, GDPR compliance should be a key priority for all organisations, regardless of their size, industry or geographical location.

Sarah Thompson

Sarah Thompson is an associate in the employment practice of international firm McGuireWoods

© 2011 - 2025 DVV Media International Ltd