With just over three months left to prepare for the new General Data Protection Regulation coming into force on 25 May 2018, many businesses view GDPR as a four-letter word.

Driven by the ‘stick’ of significant fines and reputational risk, many businesses have adopted a GDPR plan to address compliance in time for the new regulation – but what many businesses overlook is the ‘carrot’ of the GDPR and some of the opportunities it offers.


Carrying out a data mapping and data flow analysis allows companies to improve their understanding of their data. During an exercise of this nature many businesses find that personal data is replicated in several repositories across the organisation. Applying the data minimisation requirements of the GDPR encourages businesses to consolidate information into a single source and this can significantly reduce data storage costs.


Compliance with the GDPR’s requirements to put in place appropriate “technological” and “organisational” measures to ensure data security is an opportunity to address the ever-increasing threat of data security breaches. TalkTalk is an example of a company whose business has been significantly impacted by two different types of security breaches – one technological (a cyber-attack) and the other organisational (individuals at its IT services company in India unlawfully accessed the details of customers). As well as incurring an initial fine of £400,000 in 2016 and a further £100,000 fine in 2017, the impact of data security breaches on TalkTalk’s reputation has been devastating.

GDPR compliance projects provide an ideal opportunity for businesses to review their cyber security measures (the technological measures referred to in the GDPR) and put in place processes and procedures (organisational measures under GDPR) to reduce the likelihood of breaches due to human error – according to market research, more than half of data breaches arise from employees’ careless behaviour.

Outsourced processing is another area of risk and the GDPR mandates the use of contracts with outsourced data processors and stipulates a number of requirements that must be placed on processors via contracts. As data controllers, businesses will therefore be in a position to place clear obligations (including rights to audit) on processors.


One of the outcomes of a GDPR data audit is a clear picture of personal data, particularly as it relates to customers and prospects. By properly cleansing marketing databases, businesses have a golden opportunity to get rid of out-of-date and inaccurate data and to engage with customers who are genuinely interested in their brands and products. Consumers are increasingly aware of the value of their personal data to businesses, and clear privacy policies will enhance customers’ confidence to share more of their personal data. Proper engagement under GDPR can often lead to an initial dramatic loss of data from a marketing database; however, a smaller but more engaged list of individuals who are truly interested provides a strong customer base upon which to build brand loyalty.

Yes, there are time and cost implications to getting ready for the impact of the GDPR, but adopting a positive approach to GDPR compliance and to using personal data effectively will reduce risks and create an opportunity to improve customer engagement, trust, and satisfaction.

Joanna Boag-Thomson is a Partner at Shepherd and Wedderburn LLP.