Just a 'tick in a box' – or an opportunity to create value?


The EU General Data Protection Regulation (GDPR) is a game-changer. The penalties for a breach have the potential to move from hundreds of thousands to millions of pounds, dollars or euros. Requirements around unambiguous consent and the right to erasure mean organisations fundamentally need to re-think how they manage and retain data. Compliance with the GDPR requirements is mandatory for all organisations that handle personal data of EU citizens.

PA digital trust and cyber security expert Elliot Rose on the importance of the EU GDPR

Organisations have a choice. They can treat it simply as another compliance issue. Or, they can take a more business and customer-centric approach that will allow them to explore how they can manage personal data to help make more informed decisions and create a better experience for their customers and other stakeholders. 

We are helping organisations around the world understand the impact of the GDPR on their business and their readiness against the requirements, create a project framework to ensure compliance and, where appropriate, identify opportunities to use data to improve decision-making and customer experience.

The key changes

The GDPR brings in major changes from the current Data Protection Act, including a fundamental change to the way organisations manage personal data. Essentially, the GDPR means that organisations will need to take a more proactive approach to the management of personal data and to its ongoing monitoring and reporting. The figure at right shows our view of the key changes arising from the EU GDPR.

In addition, we have identified the top three priority areas for any organisation. Each of these areas will change the way organisations ensure protection of personal data:  

  • the right to erasure and data portability will require organisations to have a complete understanding of the information flow ecosystem 
  • privacy within systems and organisational culture will need to happen by design, rather than as an after-thought 
  • liability extension to third-party data processors will enable organisations to have clearly defined accountabilities and agreements.

Impact of Brexit

With the UK preparing to leave the EU, some organisations are choosing to take a ‘watch and wait’ approach to the GDPR. However, the GDPR applies to any organisation that trades in the EU or with EU citizens, or handles EU citizen data. Furthermore, we believe that the Information Commissioner’s Office will be keen to ensure consistency with the EU in order to encourage and facilitate cross-border trade and operations post-Brexit. In short, companies should proceed with their GDPR planning – either because they process EU citizen data or because the UK is likely to implement laws that are essentially identical to the GDPR.

How we can help

Our experts can help identify the impact of the GDPR on your organisation and shape, mobilise and deliver transformation programmes to achieve compliance, embed privacy within your organisation and generate business benefits.

  • we offer a six-week sprint to assess readiness against the GDPR requirements and define a remediation programme in line with risk appetite. Our gap assessment framework takes into consideration not only the GDPR requirements but also other privacy best practices 
  • we have a multi-disciplinary team of specialists – covering data protection, cyber security, regulation and compliance, risk management and business change – who can help design and implement a sustainable privacy and data protection programme 
  • we are close to the GDPR solution providers and understand the complexities of integrating the GDPR into operational environments. 

Our experience

We combine proven experience and technical expertise in assessing and delivering information management, data protection and GDPR programmes across industries. In addition to our wider regulation and compliance work, we have been working at the forefront of the GDPR implementation since the outset. Some of our recent work includes:

  • helping a UK-based retail bank to conduct a detailed assessment of their existing data protection capabilities against the UK Data Protection Act and the GDPR and identify key areas of improvement and remediation
  • carrying out an assurance review of a central bank’s existing GDPR implementation programme to identify potential gaps against the regulation, and helping them re-prioritise their activities to ensure compliance
  • conducting a detailed data security gap assessment against the requirements of international standards for a large UK retailer. We identified the main risks, provided pragmatic remediation advice, prioritised risk and delivered a large data protection improvement programme.

More broadly, we have extensive experience in helping organisations to build digital trust and improve their cyber security.
