Richard Holmes

Head of Cyber Security Services

How a policy of privacy by design sets your business up for the long term

While for some GDPR was business as usual (BAU), for others a huge effort, and for a minority a bit of a panic, one of the most significant outcomes is the perception that cyber security is no longer just ‘an IT thing’. It’s a board-level issue.

Where previously it has been difficult to get ‘buy-in’ from the company as a whole, GDPR and the dialogue around it have put privacy and security at the forefront of everyone’s minds. Those who have embraced GDPR have probably established privacy by design as an inherent part of their business.

We should remember, though, that GDPR is simply one part of good cyber security, which is, in turn, part of the effective use of IT for business.

Late in 2017, CGI UK commissioned and directed the Centre for Economics and Business Research (Cebr) and Opinium to conduct a survey and research around attitudes towards and preparedness for GDPR. Opinium surveyed 250 UK businesses with 29% of survey respondents drawn from companies with more than 2,499 employees and 72% from companies with more than 249 employees.

Nearly 70 percent of these companies have either met or are on track to exceed GDPR requirements by May 2019. If you are one of them, you may have spent some effort retro-fitting the necessary company-wide processes and systems to conform now and for the long term.

These systems and processes should certainly work, but are they really optimal? Is there an opportunity here for further improvement?

If your company is one of the 69 percent, then GDPR can put you in a position where cyber security:

  • is no longer just an IT problem.
  • has created awareness throughout the company.
  • is now ‘business as usual’.

Just as important, because of the actions taken to prepare for GDPR, you may now have:

  • A data audit and registry (internal and ideally third party).
  • Company-wide information security policies.
  • Third-party security policies.
  • Management awareness and interest.
  • Trained staff with awareness and interest.

In effect, GDPR has put you in a good position to create your next generation of data structures, applications and processes. You may now have cleaner data, an understanding of where it is and, hopefully, how it’s used. Your staff may know that collecting data and holding it for years is no longer an option, and you know where the greatest difficulties lay in retro-fitting cyber security.

A further opportunity is to create integrated systems where, through privacy by design and by default, security is built in rather than bolted on. That’s something virtually everyone understands to be an inherently better approach to reducing security risk. GDPR has now given organisations a higher security baseline, and it’s probably better than we’ve had in the past.

Good cyber security brings commercial advantage; it reduces risk, it increases customer and supplier trust (brand value) and, if it’s easy to use, it saves man-hours.

The messages to non-IT and non-cyber-security management are:

  • It’s worth making investments in new systems now.
  • Security and good data management are marketable.
  • This is part of the customer and supplier relationship.
  • It can save money in the long term.

Whether building applications or improving infrastructure, it makes sense to take a customer-centric view of data flows and overall information management. First, it’s an approach that supports a customer-centric business and second, it’s one that aligns to GDPR’s similar stance.

It’s also an approach that helps tie together the various parts of the company involved. Cyber security is something that cuts across sales, marketing, business analysis, procurement, logistics and accounting: 93 percent of businesses surveyed reported that they provide staff training (11 percent reported that they do so once per week). It might be that you’re now in a position to help marketing or accounts do customer analysis without holding personal information, through techniques like pseudonymisation, where sensitive personal data is replaced by artificial identifiers.

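As an added illustration of the pseudonymisation technique just mentioned (example code, not part of the original post), the Python below replaces e-mail addresses in a constructed sample with keyed HMAC tokens, so that spend per customer can still be analysed without the analytics team holding the addresses. The records, field names and demonstration key are assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people) as the "raw" customer data.
CUSTOMERS = [
    {"email": "alice@example.com", "region": "North", "order_value": 120.0},
    {"email": "bob@example.com", "region": "South", "order_value": 80.0},
    {"email": "Alice@Example.com ", "region": "North", "order_value": 40.0},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed HMAC-SHA256 token.

    The key is what makes this a pseudonym rather than a plain hash: an
    unkeyed hash of an e-mail address can be matched against any list of
    addresses, whereas the token below can only be linked back by whoever
    holds the key. Keep the key with the data controller (e.g. in a key
    store), not with the analytics copy of the data.
    """
    normalised = value.strip().lower()  # same person -> same token
    digest = hmac.new(key, normalised.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Return an analytics copy with e-mail replaced by customer_id."""
    return [
        {
            "customer_id": pseudonymise(r["email"], key),
            "region": r["region"],
            "order_value": r["order_value"],
        }
        for r in records
    ]


def spend_per_customer(pseudo_records: list[dict]) -> dict[str, float]:
    """Aggregate on the pseudonym: the analysis still works per customer."""
    totals: Counter = Counter()
    for r in pseudo_records:
        totals[r["customer_id"]] += r["order_value"]
    return dict(totals)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    analytics_copy = pseudonymise_records(CUSTOMERS, demo_key)
    print(spend_per_customer(analytics_copy))
```

Note that pseudonymised data remains personal data under GDPR (Article 4(5) and Recital 26) because the controller can re-link it with the key, so the key itself needs the same access control as the original identifiers.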
Where customer data flows go outside the company, it may only be now, having implemented their own GDPR initiatives, that your suppliers have an appreciation of what data of yours they hold. Now may also be a good time to ensure that supplier contracts contain clauses that make clear the apportionment of liabilities and risks associated with meeting GDPR requirements. Or, more simply: now that you better understand your data, can you improve the information exchange between companies while maintaining data protection?

It should go without saying (but doesn’t!) that the easier it is to operate a security policy, the better your cyber security usually is. Over 75 percent of companies in our survey reported that they use standards, e.g. ISO 27001, regularly or frequently in their approach to privacy by design. If you’re one of them, it’s still worth asking: how well embedded and implemented are those standards?

[Chart: use of codes of conduct, from the survey; R. Holmes, August 2018]

You may find that it’s only now that the company is working within these standards that you can identify where technology support would make it easier for staff to follow them.

As an example: if you’ve adopted an information classification and handling policy such as BS 10010, are there parts of it that could now be automated? It could be a system that marks e-mails according to their classification, secured data stores for unstructured data on laptops and phones, or simply online help for understanding what makes information sensitive.

GDPR has now set a baseline for handling customer information that can be applied and that is understood across your organisation, and the organisations you deal with. The result is a common, simplified starting point for building new business processes with privacy built-in, not bolted on. That makes it easier for your staff, suppliers and customers to work in a secure environment. That could be used as a marketable, commercial advantage.

Let us know how GDPR is being treated in your organisation. Is it an area of risk, or a business opportunity, or both? Please leave a comment or get in touch.

About this author

Richard Holmes

Head of Cyber Security Services

Richard leads cyber security services for CGI in the UK. The group provides a balanced portfolio of services across a broad range of sectors from Defence and Intelligence, Energy and Utilities, as well as the commercial sector. Engagements include the design and delivery of major ...