Information Commissioner Elizabeth Denham’s opening speech at the recent 2019 Data Protection Practitioners’ Conference stated that, despite the GDPR having become law 10 months ago, companies still think of GDPR compliance as a box-ticking exercise rather than a requirement to demonstrate how their data is being used. “It (GDPR law) reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after.”
She continued by suggesting that part of the issue is that businesses haven’t embraced data protection as something that needs to be embedded into an organisation’s culture: “It (GDPR) formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation. … But I’ll be honest, I don’t see that change in practice yet.”
And I have to say, I agree. I recently wrote an article on the 5 most common mistakes I see when helping businesses comply with GDPR; often at the heart of the issue is the fact that not everyone sees it as part of their job. Much like health and safety in the workplace a few years ago, the cultural shift was from the task of compliance being given to specific people to everybody having a part to play, and GDPR is undergoing a similar transition: from the regional marketing manager to the sales representative to the procurement team, businesses need many people throughout their organisation to understand the requirements and take responsibility for customer data.
To engrain data protection in the culture of the business, management needs to communicate the importance of GDPR, and this needs to be supported by training to ensure it is a business skill that many staff understand.
The UK government has recently stated its intent that GDPR will effectively be embedded into UK law, demonstrating the same intent as its EU counterparts:
“The EU (Withdrawal) Act 2018 (EUWA) retains the GDPR in UK law. The fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same.” It is clear that compliance is not going away with Brexit – in fact, EU-based organisations holding UK customer data, and vice versa, will have to undertake additional work to comply.
Unfortunately, as with health and safety, governments used a carrot and stick approach to ensure compliance. We have already seen some high-profile sticks surrounding breaches, but it will be when more companies are in the spotlight for failing to demonstrate their procedures to customers that we will see a groundswell of focus from SMEs.
So, despite GDPR being not far from celebrating its first birthday, many companies still need a new mindset, need to ask the difficult questions of their own procedures, and need to be clearer with customers about what they actually do with their data.
As Elizabeth Denham suggested, the law is asking more of us: to demonstrate that we are looking at, and communicating about, data through a customer’s lens.
Gail Chalmin of Chalmin Data Privacy has years of experience in helping businesses comply with data protection requirements. For more information visit chalmindatapricacy.ie