GDPR one year on: It’s about doing the right thing!

Like all companies, GCI has been working within the new GDPR regime for almost a year now… and as the 1-year anniversary of its launch approaches, we thought it an opportune time to look at how the past 12 months have gone - lessons learnt, processes improved, security provisions refined, and more…

22 May 2019

So, what have we seen over the past year, what impact has it had on our business, our customers and our industry?

Enhancing standards

First and foremost, we have seen a lot of activity focussed on understanding what GDPR means in practical terms and translating this into ‘business as usual’ activity. We have received a number of subject access requests, i.e. individuals wanting to exercise their rights under GDPR. We have also seen a lot of interest in how we as a Data Processor are ensuring the security and privacy of our customer’s personal information. This has been either through specific questionnaires or site audits.

In order to provide the necessary assurance to our customers, a decision was taken very early on to adopt the requirements of best practice standards wherever possible. GCI is already heavily certificated in terms of standards such as ISO27001:2013, and we see the value of working to these requirements every day. These include:

  • Keeping confidential information secure
  • Providing confidence in how we manage risk
  • Allowing for the secure exchange of information
  • Enhancing customer satisfaction and retention
  • Delivering a consistency of service
  • Building a culture of security
  • Protecting company stakeholders, assets and reputation.

Doing the right thing

Our ethos as a business is to “do the right thing”. Our focus is not on chasing certificates or box ticking, which in many businesses often results in policies being written solely with auditors in mind. Our focus is on the business and its people, our customers and their people, which aspires to always deliver the highest level of value in terms of approach, execution and peace of mind. Certification with this approach almost takes care of itself and becomes a by-product, not the overriding outcome of ISO related work.

From the outset of GDPR we therefore took the decision to embed and integrate personal information management with our overall Business Management System, so that it is owned by our employees. We do this through GDPR training across the company. This is supported by specific training with appointed Data Protection Representatives within the operational areas of the business, who act as an extended network to support our Data Protection Officer.

Over and above legal requirements

We’ve also taken the decision to work to a recognised personal information management system standard. In our case this was BS10012.

In this sense we are going over and above standard legal compliance to ensure GDPR is effectively embedded and integrated in our day-to-day working processes to a recognised standard. This approach also allows us to integrate with the other standards - such as ISO and PCI DSS - that we already have. Which means we can deal with a number of commonalities such as integrated risk management and auditing. Another practical example of this is that PCI DSS is designed to secure Cardholder Data which is also classed as personal information under GDPR. Our integrated approach enables a much more effective strategy and reduced duplication of effort. This has obvious payoffs in terms of time and cost savings for the business, which can all add to the bottom line.

This approach also drives continual improvement so that we are always looking at how we can improve our approach to managing not only our own personal information, but that of our customers. By integrating with our overall Business Management System, it also means we don’t have a siloed approach to information management. Whilst there are specific GDPR requirements that we need to follow, we apply consistent governance that meets best practice standards, whether we’re processing personal information or not.

In summary, all companies must comply with GDPR, but by adopting an integrated approach and working to recognised standards, we can deliver this effectively, whilst giving the necessary assurances our customers require… Therefore “doing the right thing”.

2019 provides an opportunity to take a fresh look at compliance without any impending deadlines, and with the benefit of better developed industry standard approaches. Join GCI PCI compliance experts for an exclusive webinar on 25th June when we will explore the current PCI DSS landscape and the direction your organisation should be heading… Or simply want to know more? Visit our PCI Compliance page or email us at to book a complimentary PCI consultation.

Tony Edwards - Director of Business Effectiveness & DPO, and
Phil Slingsby - Head of Governance, Standards & Assurance

Share on Social Media

GDPR Product Sheet

With so much data held in the Cloud and moving through Enterprise, partner and customer networks, it is much harder for organisations to implement systems that will enable them to identify, protect and erase personally identifiable information on request.



Contact us to see what we can do for you

By submitting this form you agree to our GDPR Marketing Privacy notice. You have the ability to opt out at your discretion.