IT Leaders Forum gets to grip with GDPR

02 February 2018

by Tom Pulling, director and GDPR specialist

We’ve been holding regular IT leaders forums in Aberdeen through 2017 and, building on this success, are already planning a packed programme for the year ahead.

During these sessions, we try to offer insights. But more importantly we want to facilitate an open discussion for the attendees, one that helps encourage knowledge sharing and stronger networks between peers.

Naturally, we are always trying to understand what attendees want to talk about at the next event and the overwhelming feedback from the last one was: GDPR. So if you are in Aberdeen on 6th February 2018, come and join the session which I’ll be leading.  

The impact of regulations like GDPR have the potential to raise security even further up the agenda. This was noted in our Global CEO survey, which was launched at the World Economic Forum in Davos in January. We asked 1,293 business leaders to identify threats to their business’s growth and found that cyber threats’ had jumped up to 4th place (from 10th in the previous year), just behind over-regulation, terrorism and geopolitical uncertainty.   

We know that larger oil and gas organisations, particularly the majors and tier one supply chain companies, are already aware of regulations like GDPR and the impacts of breaches. But what about smaller organisations?

The Department for Digital, Culture, Media and Sport recently published results from their 2018 Cyber Security Breaches survey. In particular they look at preparations for the new Data Protection Act with the full results of the survey due to be published in April 2018. The headline figures make interesting reading, but as always, the fine print is where the real dangers and issues lie.

The survey reported that overall, only 38% of businesses surveyed had heard of the GDPR.  Digging into the report, this is largely as a result of the smaller businesses that were questioned. Not surprisingly, larger companies (those with over 250 staff), saw rates of awareness at 80%. And of the organisations that had heard of the GDPR, around 27% were making changes in advance of the regulations coming into effect (again, the survey found that the larger the organisation, the more likely they were to be making changes). The report highlighted that most of the changes being implemented were around updates to policies and processes, though staff training initiatives and system implementations also figured highly.

At the last IT leaders event in Aberdeen we mentioned that PwC had released the 2018 GSISS (Global State of Information Security Survey) results.  This survey runs annually  with the latest polling over 9,500 senior staff in 122 countries across 75 industry sectors.  About a third of the O&G clients who participated report have put their GDPR plans in place, ahead of the 18.5% in the global O&G community and 13.6% of the total sample. However, only 44% of UK O&G respondents reported having an executive with responsibility for privacy compliance, behind 65% reported by the wider O&G community and total sample.

It also found that 56% of firms require staff to complete privacy policy/practices training, ahead of c.40% of O&G peers (and just nudging ahead of the 53% for the total population).  

An approximate 40% reported they had an accurate inventory of personal data for employees and customers; this is aligned to the wider O&G community but falls behind the 51% reported across the full sample. Having this in place is an important first step to effectively preparing for the new regulations.

Interestingly, whilst focus on privacy education seems to be ahead of the curve, employee security awareness training is lagging at around 30% adoption, compared to peer O&G average of 40% and global average of 50%.

From conversations at the IT leaders forum in Aberdeen, this is remains a challenge and one we will be talking about at a future event with one of our specialists on culture and awareness!

The GSISS results for O&G businesses in the UK came from large organisations. But, regardless of size, businesses need to be thinking about the potential impact of GDPR. After all, this changes the risk - from reputational to financial - that businesses that hold or process personally identifiable information face. The data from the surveys is encouraging in parts, but some organisations are only now starting to look at their GDPR readiness; and with the implementation deadline looming they are feeling an uncomfortable level of pressure to get onto the front foot.

So, what do you think?  Have you got GDPR under control, where have you been focusing your efforts?  If you are coming along to our event in February we look forward to hearing your views and what you are doing about GDPR.

If you interested in joining the event on 6 February - and also finding out about upcoming events, contact my colleague, Thomas Bruch via email - [email protected].- and we’ll be in touch.



Thomas Pulling

PwC | Director

Mobile: +44 (0) 7710 036196

Email: [email protected]



The comments to this entry are closed.