GDPR Much ado about nothing or time to get your house in order?

In response to increasing uncertainty in both our customer community and the wider life science sector, the team at Formpipe Life Science recently set about setting the record straight on GDPR. 

Kicking off with an interactive presentation lead by Colin Swift, Product Owner, the first in a series of planned webinars on the topic promised to provide the 20+ online delegates with a concise overview of GDPR, the operational challenges the new legislation will provide and the opportunity for embracing GDPR compliance best practice with minimal risk and investment.

For those of you unfamiliar with GDPR, or General Data Protection Regulations to give it its proper name, here are some fast facts on the pending legislation:

• GDPR is being introduced in a bid to harmonise Data Protection laws across the EU. Already technically live and kicking, the transition period will end on 25^th May 2018, where new rules and regulations (and fines for failing to abide by them) will come into full force.
• GDPR will apply to any organisation that is a data controller and is either registered in the EU or has contact with EU nationals.
• A breach of GDPR can be accidental (perhaps as a result of a cyber attack) or due to poor internal practices.
• Fines are up to 4 per cent of worldwide turnover, or €20m
• High profile cases have already been published in the UK by the Information Commissioner’s Office (ICO).

Theoretical discussion only adds so much value so it’s important to bring GDPR to life by looking at current examples of how a failure to appropriately manage stakeholder data has resulted in serious repercussions for several businesses. These cautionary tales were discussed as part of the webinar to provide context - examples of seemingly innocent behaviours, common in multiple organisations, which in fact are in direct violation of the new legislation.

First up was FlyBe. The firm sent 70,000 emails to people who had clearly expressed a desire not to be contacted by the company. The fine? A whopping £70,000. Next up, Honda. The company sent 289,000 emails incorrectly to existing customers and was hit with a £13,000 fine. The third and final example was the supermarket giant, Morrisons. Found guilty of incorrect marketing use of emails, the company was hit with a fine of £10,500.

Once the horror stories were out of the way, it was time to take the bull by the horns, set the scene, and provide a best practice blueprint for effectively safeguarding GDPR. This involved imaginary characters and scenarios, so please bear with us! 

The 1st meeting – This Thing Called GDPR  

Gillian Green attends a weekly management meeting where the General Data Protection Regulations (GDPR) is an agenda item

In the meeting, Legal presents some disturbing GDPR facts:

• Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay
• Fines are up to 4% of annual turnover
• Last year's ICO fines would be 79 times higher under the new GDPR structure
• It takes effect on 25 May 2018

Compliance to GDPR is now on the corporate risk register and needs to be managed!

After the 1st meeting …. The Investigation

Knowing the “WHEN”, it is agreed that Oliver Orange – IT Manager – will conduct a further investigation of:

• Which areas of the business will be affected
• What systems and data need to be considered
• How the new regulation can be met on a day-to-day basis
• Identification of systems and process changes required to comply

The 2nd meeting – The Bad News

Oliver Orange reports back that:

• The legacy HR IT system is not compliant – the ‘Right to be Forgotten’ and Data Portability provisions of GDPR can’t be met
• An initial assessment of replacing the HR system is 3M GBP and will not be implemented in time for GDPR (no budget and too late)
• In addition, there are also files on HR shared drives which are relevant and need to be managed in a controlled manner

After the 2nd Meeting…. The Remediation Planning

• It is agreed that something needs to be done and the data needs to be controlled and quarantined, so it can be demonstrated that actions have been taken and an effort to comply has been made
• With this in mind, the following options are to be considered:

1. Migrating the data into the new HR system
2. Developing an in-house archive
3. Finding tools to support GDPR compliance

The 3rd Meeting…. The Better News

Each of the three options were investigated and the results are: 

1. Migrating the data into a new HR system – this option is deemed too risky based on the remaining timescale and only fixes known HR data issues
2. Developing an in-house archive – spare capacity does not exist in-house and the timescale makes this option too risky
3. Finding tools to support GDPR compliance – Several vendors were considered and Formpipe were selected as the preferred vendor to provide an Electronic Archive to hold legacy GDPR related data

After The 3rd Meeting…. The Remediation Process

It is agreed that the Formpipe solution will be employed and a project manager - Claire Coffee - is assigned to manage the implementation

1.) The shared drive files are targeted as a quick win and these files are ingested into Long Term Archive (LTA) using Formpipe's Lasernet input/output management tool

2.) With the GDPR compliance risk mitigated, it is decided to retire the legacy HR system within 12 months, which will save support costs for both the application and the legacy hardware it runs on

Ultimately, we came to the conclusion that there is no magic bullet for GDPR compliance. Technology alone isn’t capable of creating a totally risk-free set of processes for managing the associated compliance demands GDPR will bring. What it can do though is play a vital role in helping organisations, regardless of their size or perceived complexities, take more control of the data they manage and significantly reduce the risk of compliance failure, while reducing dependency on outdated, costly legacy systems. Organisational buy-in is also vital, as are robust internal processes and continuous monitoring of behaviours.

GDPR is by no means much ado about nothing or reason to panic but its significance shouldn’t be underestimated either.

For an informal chat about how Formpipe technology can help your organisation get its house in order, and get and stay compliant, contact Ben.Saxton@Formpipe.com or visit and read more about: