Blog: One year to GDPR - what do businesses need to do?

George Scott

With today marking one year until the General Data Protection Regulation (GDPR) takes effect, George Scott, Director of KPMG’s Cyber and Privacy practice in Scotland, highlights what businesses must do to ensure they don’t fall foul of the new legal framework.


From 25 May 2018, GDPR will apply to any organisation, in the UK or anywhere else in the world, that deals with consumers and businesses in EU member states. It will fundamentally alter the scale, scope and complexity of the way personal information is processed. The regulation will require most organisations to make significant enhancements to their privacy control environment and to rethink the way they collect, store, use and disclose personal information. These changes are complex and take time, so most organisations cannot afford to wait.

It’s worrying that, with only a year to go, many organisations still have a lot to do. The truth is that many businesses do not comprehend the scale of the task or how to deal with it. Unknowns around Brexit add further uncertainty about what GDPR will mean for the UK once it has left the EU.

When it comes to Brexit, however, one thing is clear: if the UK is going to continue to trade with the EU, the free flow of personal information must be maintained. That requires the UK to operate a privacy regime that is aligned with the requirements of the GDPR. What remains to be seen is whether the GDPR is subsequently repealed and replaced with something else post-Brexit.

To avoid issues and subsequent enforcement, including fines of up to 4% of annual global turnover or €20m, whichever is greater, businesses must:

  1. Raise awareness at board level – Boards need to understand the implications of the GDPR and buy in to the need to make enhancements. Funding must be made available to undertake a privacy improvement programme.
  2. Understand the current state and set the desired state – Conduct a gap analysis against the GDPR to understand where your organisation is already adequately protected and where it needs either to strengthen security for more sensitive data or to modify its current information-handling processes.
  3. Plan and implement – Create a plan to bring the organisation within its desired risk appetite and undertake a privacy improvement programme to deliver against that plan.