I always think data protection is a bit like housework. It's only when you don’t do it that it becomes noticeable. The dust starts to gather, the floors get sticky, windows get streaky and visitors start refusing offers of cups of tea on (unspoken) health grounds. You only notice the gaps in your data protection practices when something goes wrong and you have to handle the fallout.


That has been the way with data protection in Europe over the past 20 years. Companies mostly muddled along. Very few houses were spotless and no great harm came to most of them.


The GDPR is clearly aiming to change all that. My reading of the legislation is that its adopting a “carrot and stick” approach.

The stick is, of course, the headline-grabbing fines that can be levied on businesses who fail to meet their data protection responsibilities.  4% of global turnover or €20 million is a significant figure for any company. It’s no wonder that a lot of the focus in the press has been on that.

The carrot is more interesting. The GDPR is clearly setting the groundwork for more self-regulation by introducing tools that companies can deploy to ensure compliance. (I’ll cover these tools in more detail through the series. Sign up below so you don’t miss any updates. Contact me if you’d like to suggest a topic).

Companies are wondering what they need to do to be ready for May 25th 2018.  No-one wants to be the first to fall foul of the new regulations and get caught up in business limiting headlines themselves.


These THREE GOLDEN RULES will get companies off to a great start.

  1. If you are collecting personal data of your customers, employees or suppliers RESPECT IT. DO this by ensuring your employees always handle the data correctly and carefully. Understand the principles of data protection and apply them rigorously to all your data and across your organisation.
  2. Get the RIGHT GOVERNANCE STRUCTURES in place for handling personal data. Assign a qualified data protection officer and carry out a Data Protection Impact Assessment. The GDPR requires these for all companies with more than 250 employees. Your data protection officer doesn’t have to be full time. They can be contracted into the company for the role but they need to understand data protection. They need to be capable of carrying out a comprehensive DPIA and they need to report into a senior management level in the company. A good DPO and a well-executed DPIA will give you an action plan for GDPR readiness.
  3. Ensure your LEGAL FRAMEWORK is clear. Know whether you are a data controller or a data processor and ensure you understand and meet the requirements of your role.

Of course, it’s easy to make this sound simple and much more difficult to actually apply these rules so that they are effective. None of these activities will happen overnight. There is already a shortage of qualified and knowledgeable DPO so the queue for their services will be long (book now to avoid disappointment!). But I am convinced that the companies who start right now and get these three fundamentals right will be the companies best prepared for DP-Day in May 2018.

Join Our Newsletter

Sign-up to receive news and information from Fort Privacy

Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Data Protection Statement for further information

Ode to DPO’s managing GDPR risk

27 June 2023

The General Data Protection Regulation is “risk” based legislation.  This means that the protective measures an organisation implements should correspond to the level of risk associated with their data processing activities.  It’s worth noting that the risk that should be considered here, is the risk to the data subject as opposed to risk to the business of non-compliance.

Get your head above the crowd and KPI your Data Protection Programme

03 March 2023

Data Protection Programmes are all the rage these days. It’s great to see the compliance conversation moving in this direction. As a Data Protection Officer (DPO), I know the difference between working with a solid data protection programme and working with none and all.

Scroll to top