“GDPR doesn’t really apply to us. We don’t work with personal customer data.” 

–      GDPR is the General Data Protection Regulation (EU Regulation 2016/679) that becomes enforceable by 25th May 2018. http://www.eugdpr.org

I kind of understand this view, because topics such as digitalisation, Internet of Things (IoT) or Industry 4.0 already stir up the engineering industry. And let’s be fair, developing new business models with new connected devices, providing new customer services based on innovative data analytics or becoming more efficient using mobile devices is way more interesting and sexy than data protection.

In my view however, this approach is risky. E.g.: GDPR does apply, if you store data from a person who is based in the EU. This can be a customer, ex-customer, supplier, ex-supplier or an employee or former employee. Personal identifiable data (PII) can be simple things like name, email address, photo, post in a social network or even an IP address. It depends on your business and information management architecture. So, in my opinion the chance, that you don’t have to comply with GDPR is quite small.

>> And yes, it is true, I am a business consultant and project manager, who is interested in making business and I probably can help you in becoming GDPR compliant. <<

What I currently see is, that companies in heavy regulated industries, such as banking, pharmaceutical or insurance are already working intensively on becoming GDPR compliant. Companies whose main business does not focus on personal data seemed to be less concerned about this topic, despite potential fines of up to 4% of annual global turnover or 20 Million Euro (depending on what is higher).

Is there a need to panic? I don’t think so. But as a business owner, I would want to be prepared and I would want to know what to do, in the case of an event.

What can happen after May 25th 2018 (example)?

Let’s say, a person named Suzy Blue sends a request to you, in order to tell her what kind of data you store about her, where and for what purpose.

You now have 30 days to answer.

1.   You need to know where you store your data and what for. So create a data / information inventory listing your systems and their purpose. PII data might also be stored in customer/supplier exchange platforms or probably on project file shares. You also need to be able to search in these systems fast. .pdf files of CVs should be searchable!

Task: Create a data / information inventory

2.   Suzy can request to get the data in a portable format.

Here you need to be able to transform her data into a format that is a “commonly use and machine-readable”. Example: .pdf

Task: Define, how you will transform the data.

3.   Suzy can also request, that her data gets deleted (right to be forgotten).

Now, you need to define which data of Suzy can be destroyed and which data you need to keep for legal records retention requirements.

Task: Define your records retention requirements.

4.   If there is a data breach, you need to inform Suzy within 72 hours, if her data has been violated. Example, if such a breach happens on a Friday, you need to inform her by Monday.

Task: Create a data breach procedure / checklist.

I am pretty sure, that most companies have this information or have thought about it. So now it’s time to create a task list the data protection officer can pull out in the event of a request or a data breach. For future IT system implementations, GDPR should be taken into account (privacy by design).

And I am still here, for doing business. If you think I can help, send me an email: office@passion2practice.com

Links I like regarding GDPR … and btw youtube is also a great resource:


Presentation by @Atle Skjekkeland

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *