Richard Holmes

Richard Holmes

Vice President

How a policy of privacy by design sets your business up for the long term

While for some, compliance with the General Data Protection Regulation (GDPR) was business as usual (BAU), for others it represented a huge effort—and a bit of a panic for a minority. No matter an organization’s readiness, one of the regulation’s most significant outcomes is the perception that cybersecurity is no longer just “an IT thing.” It’s a board-level issue.

Where previously it’s been difficult to get buy-in from the company as a whole, GDPR and the dialogue around it has put privacy and security into the forefront of everyone’s minds. Those who have embraced GDPR have probably established privacy by design as an inherent part of their business.

We should remember though that GDPR is simply one part of a good cybersecurity and data privacy strategy, which, in turn, is part of the effective use of IT for business.

Late in 2017, CGI in the UK commissioned and directed the Centre for Economics and Business Research (Cebr) and Opinium to conduct a survey and research around attitudes toward and preparedness for GDPR. Opinium surveyed 250 UK businesses with 29% of survey respondents drawn from companies with more than 2,499 employees and 72% from companies with more than 249 employees.

Nearly 70% of these companies have either met or are on track to exceed GDPR requirements by May 2019. If you are one of them, you may have spent some effort retrofitting the necessary companywide processes and systems to conform now and for the long term.

If your company is one of the 70%, then GDPR can put you in a position where cybersecurity:

  • Is no longer just an IT problem
  • Creates awareness throughout the company
  • Is now business as usual

Just as important, because of the actions taken to prepare for GDPR, you may now have:

  • A registry of the data identified in an audit
  • An audit regime, to maintain its accuracy
  • Companywide information security policies
  • Third-party security policies
  • Management awareness and interest
  • Trained staff with awareness and interest

The opportunity

These systems and processes should certainly work, but are they really optimal? Is there an opportunity here for further improvement?

In effect, GDPR has put you in a good position to create your next-generation data structures, applications and processes. You may now have cleaner data, and an understanding of where it is, and hopefully, how it’s used. Your staff may know that collecting data and holding it for years is no longer an option, and you know what the greatest difficulties were in retrofitting cybersecurity.

Further opportunity could be to create integrated systems where security is built-in, not bolted-on through privacy by design and default. That’s something that virtually everyone understands as being inherently a better approach to reducing security risk. GDPR has now given business a higher security baseline for organizations and it’s probably better than we’ve had in the past.

As part of our CGI Client Global Insights reports, based on interviews with 1,400 business and IT executives across the globe, industry leaders told us that cybersecurity and regulatory compliance figure prominently among their business and IT priorities.

Good cybersecurity brings commercial advantage; it reduces risk, it increases customer and supplier trust (brand value) and, if it’s easy to use, it saves man-hours.

The messages to non-IT / non cybersecurity management are:

  • It’s worth now making investments in new systems.
  • Security and good data management is marketable.
  • This is part of customer and supplier relationship.
  • It can save money in the long term.

Customer centricity

Whether building applications or improving infrastructure, it makes sense to take a customer-centric view of data flows and overall information management. First, it’s an approach that supports a customer-centric business and, second, it’s one that aligns to GDPR’s similar stance.

It’s also an approach that helps tie together the various parts of the company involved. With 93% of business surveyed in the UK study reporting that they provide staff training (11% reported that they do so once per week), data protection is something that cuts across sales, marketing, business analysis, procurement, logistics and accounting. It might be that you’re now in a position to help marketing or accounts do customer analysis without holding personal information through techniques like pseudonymization, where sensitive personal data is replaced by artificial identifiers.  


Where customer data flows go outside the company, it may only be now that your suppliers have an appreciation of what data (of yours) they hold, having implemented their own GDPR initiatives. Now may also be a good time to ensure that supplier contracts contain clauses that make clear the apportionment of liabilities and risks associated with meeting GDPR requirements. Or simply, now that you better understand your data, can you improve the information exchange between companies while maintaining data protection?


It should go without saying (but doesn’t!) that the easier it is to operate a security policy, usually the better is your cybersecurity. Over 75% of companies in our UK survey reported that they use standards, (e.g. ISO27001) regularly or frequently in their approach to privacy by design. If you’re one of them, it’s still worth asking: How well embedded and implemented are those standards?

You may find that it’s only now that the company is working within these standards that you can identify where technology support would make it easier for staff to follow them.

As an example; if you’ve adopted an information-classification and handling policy such as BS10010, are there parts of it that could now be automated? It could be a system to help mark e-mails according to classification, building secured data stores for unstructured data on laptops and phones, or it could just be online help available to understand what makes information sensitive.

In summary

GDPR has set a baseline for handling personal information that can be applied and that is understood across your organization, and the organizations you deal with. The result is a common, simplified starting point for establishing new business processes with privacy built-in, not bolted on. That makes it easier for your staff, suppliers and customers to work in a secure environment―which could be used as a marketable, commercial advantage.

Let us know how GDPR is being treated in your organization. Is it an area of risk, or a business opportunity, or both? Please leave a comment or get in touch.

About this author

Richard Holmes

Richard Holmes

Vice President

Richard leads cybersecurity services for CGI in the UK. The group provides a balanced portfolio of services across a broad range of sectors including defense and intelligence, energy and utilities, and other commercial sectors. His engagements include the design and delivery of major transformational programs, ...