As GDPR looms – CPO/DPOs can play a lynchpin role

The enforcement date for the General Data Protection Regulation (GDPR) is approaching rapidly. As we near the 25th May, 2018, deadline it is crucial for businesses holding European customer data to appreciate what is required from them under the GDPR. There is no way to sugar coat it. This is the biggest overhaul of data handling that we have ever seen and the implications for failure to comply are huge. Companies will need to be compliant at every level to avoid any surprises – in the form of large-scale fines for data breaches, or not being prepared for an avalanche of data access requests.  

While this represents a very tight timeframe within which to prepare and enact any changes, under the new legislation, there are a few initial steps that businesses can take. These include auditing stored personal data, its type and where it originates from. But also the assessment of privacy notices, procedures around access to data, processing the deletion of data and existing policies around how consent is sought, recorded and managed.

May 2018 shouldn’t just be thought of as an impending deadline to be met and then cast aside. Staying compliant to the GDPR is going to require constant supervision – and this is where establishing a Chief Privacy Officer (CPO) or Data Protection Officer (DPO) is invaluable.

The DPO role has become increasingly common over the last several years, following marked increase in both cybercrime and the sheer number of data breaches. By its very nature, the DPO is a role that has to evolve – which makes them perfect for getting a business on track for GDPR compliancy. The DPO can be responsible for overseeing a wide range of areas, but particularly studying the risks inherent in the business’s current sharing of, and access to, personal data – and ensuring systems are robust and secure.

Having a DPO take the lead on this activity supports the foundation of GDPR compliant procedures and the detection, reporting and investigation of data breaches. Moreover, that the right people have access to the right data and that said data is secure. A DPO can bring that knowledge, around the effective and secure sharing of data, under law, to bear at the board level. This is something that business should embrace at a higher level – above just pure compliance. In doing so, DPOs can collaborate closely with those holding the purse strings to decide what processes and solutions are critical to support DPOs in gaining a holistic view of all customer data – and how it is being used. This is particularly the case when considering the large-scale fines that GDPR can introduce, and the subsequent damage to corporate reputation.

To see how Symphonic supports GDPR in public and private sector organisations, visit