Professional October 2017

Technology insight

GDPR roundtable report

On 27 June, the CIPP held the first of a series of roundtables to discuss the implications for the industry of the impending implementation of the European Union General Data Protection Regulation (GDPR). The roundtable was held in the CIPP’s boardroom at Goldfinger House, Solihull.

Participants

● Noreen Begg, Omni Cyber Security
● Nick Carlson, interim Associate Director of Marketing, CIPP (covering Vickie Graham on maternity leave)
● Andy Collins, managing director, Omni Cyber Security
● Suzanne Gallagher, head of operations for the payroll bureau, Armstrong Watson
● Simon Garrity, business development manager and sales manager, CIPP
● Elaine Gibson, educational director, CIPP
● Julie Lock, service development director, MHR
● Mike Nicholas, editor, Professional in Payroll, Pensions and Reward
● Ken Pullar, chief executive officer, CIPP
● Jacqueline Raison, company secretary, SD Worx UK
● Graeme Walker, HCM compliance product manager, Advanced Computer Software
● Claire Wright, quality and data protection officer, MHR

Ken opened the discussions by explaining why the CIPP was holding the roundtable. Following introductions, the attendees explained their role in data protection issues for their employer and clients, and their concerns about the GDPR, and set out their hopes and aims going forward from this initial meeting.

Graeme Walker explained that ACS have many different products and we’re looking at how GDPR affects them. We need to see what we have to do, how much responsibility lies with us, the software supplier, and how much with the customer. There’s not a lot out there relating to the software company; most of it is about the customer.

Julie said that the big part of what we need to do is somehow help, educate, nurture and direct organisations to GDPR readiness. MHR did a survey to understand GDPR readiness within our client base and on the back of that picked the phone up to the CIPP. We’re happy to share all the results because there is a big problem around the corner and we just need to make people aware.

Claire observed that data privacy is not a regulated industry, so it’s not taken seriously. MHR needs to understand what GDPR means to their product but, more clearly, as a controller or a processor, what are our responsibilities. That’s something we’re working with the Information Commissioner’s Office (ICO) on as well, to seek some more clarification. And obviously to ensure MHR are compliant as well, so responsible for our policies, procedures and processes.

Andy Collins explained that, though there are some additional responsibilities under GDPR, companies that already have good data protection policies and procedures in place now are not a million miles away from the GDPR requirements. Organisations must start somewhere with this and it’s going to be an ongoing process, but if they can get to a point where, in my view, they’ve satisfied the outlines of the standard then, I think, they’re in a better place than most.

Noreen revealed her technical background, having diverted to compliance. Quite a few customers are enquiring about GDPR.

Suzanne said that with 1,500 payrolls, GDPR is a real headache for her and some clarity would be welcome. It’s a case of what does this mean to my day-to-day operations within the bureau. I almost need a set of guidelines and rules such that if I follow these and tick that box then I’m clear and happy. That’s what I’m looking for.

Jacqueline revealed that Recital 77 of the GDPR suggests that a bunch of interested people could get together as a trade association and could work with the supervisory authorities to create a code of conduct. That code could say this is human resources’ (HR’s) and payroll’s answer to what the following two undefined terms of the GDPR mean: ‘state of the art’ and ‘appropriate organisational and technical measures’. Jacqueline’s particular goal is to get together a group of like-minded people who could go and talk to one of the supervisory authorities with a view to writing a code of conduct for the industry. It was noted that the ICO has developed a code of conduct which the industry could piggy-back on or take over to represent the profession of payroll and HR because of the way they’re interlinked.

The following topics and issues were identified as suitable for inclusion in the code of conduct:

● Objectives of the code of conduct
● Definition of the GDPR
● Scope / status of GDPR (e.g. national laws)
● Data subject rights (e.g. right to be forgotten)
● Gap analysis
● Data retention
● Consent processing
● Privacy by design
● Portability issues.

Concerns about what GDPR might mean for potential and existing contracts were discussed. Would customers only renew or sign up with providers that can give unlimited liability under the GDPR even though they might not have the financial backing?

| Professional in Payroll, Pensions and Reward | Issue 34 | October 2017 | page 51
