Fujitsu’s Sarah Armstrong-Smith on viewing GDPR as an opportunity

3 Nov 2017

Sarah Armstrong-Smith, Fujitsu UK and Ireland. Image: Hume Brophy

Fujitsu’s Sarah Armstrong-Smith says people need to look past GDPR scaremongering.

Sarah Armstrong-Smith heads up the continuity and resilience department at Fujitsu UK and Ireland, and she has seen plenty of dramatic shifts in the working world during her career.

The major concern at present for many businesses – and, indeed, public bodies – is GDPR and the seemingly difficult road towards compliance.

For Armstrong-Smith, the key is to see GDPR in a positive light as opposed to viewing it as a frightening and insurmountable series of tasks.

“I think in general terms there’s a lot of scaremongering regarding the size of the penalties, and it’s panicking businesses. I would certainly look at the positives, how to differentiate the business, because obviously it’s something they have to do, so it’s about making the investment count and implementing good business management principles and processes.”

GDPR compliance as an opportunity, not a chore

She described GDPR as “a real opportunity” because, if the principles around minimisation of data are closely followed to achieve compliance, companies can also trim the fat by getting rid of data they don’t require.

“There’s the benefits of then reducing the amount of infrastructure you need, the amount of storage, processing and overheads, so it’s actually a really good opportunity to have a good hard look not just at the data you’re collecting, but some of the processing that’s involved in that.”

The compliance journey also gives companies and organisations a chance to question why certain legacy business processes have always been completed in traditional ways, with the potential to create new and efficient models.

Consumer trust is also a positive side effect of GDPR compliance, with Armstrong-Smith explaining that proof of compliance will become prized as the public becomes more data-literate. “Demonstrate that you are managing their data and doing the right thing, not just leaving data on a piece of paper lying around the office.”

As for how the general public is getting to grips with GDPR, she said that data subjects are generally not as aware of their data rights as they could be. However, this will change, particularly regarding the rules tackling explicit consent in the regulations. “I think you will see a lot more detail in the privacy notices [on websites], which have to be in plain English.”

She added that people will become more empowered, and expects a spike in data access requests once the May deadline arrives.

Duty of care is crucial to keep in mind

The duty of care that companies and organisations have towards customers and those who use public services that require data should be paramount, according to Armstrong-Smith, who explained that it all boils down to “trust and transparency”. The cultural shift that will come with GDPR means that privacy concerns must be addressed, remedied or, ideally, prevented.

A pragmatic, sensible approach to GDPR compliance is the way to go, and it’s best to set priorities specific to your organisation or company, even though it can be easy to get swept up in the atmosphere of panic, which she described as counter-productive. By pinpointing priorities, a clear plan can be created.

Public bodies carry a lot of responsibility

An area that is not often spoken about is the impact of GDPR on public services, which Armstrong-Smith was keen to underline, particularly in light of the WannaCry attack on the NHS earlier this year. Hospitals, state bodies, social care services and other public organisations need to prioritise the protection of the most vulnerable service users’ data.

She stated: “[Public bodies] must show they have understood the detrimental effect a breach may have on some of these individuals, taking steps to protect them first.” The assumption of trust in public services means that extra care needs to be taken by those responsible for continued compliance, she noted.

Armstrong-Smith concluded by saying that those who need to comply with GDPR should bear in mind that the entire process hinges on “doing the right thing” by consumers, service users and employees.

By examining data processes and prioritising key areas specific to each company or organisation, room is made to reap the benefits of good data practices that benefit us all.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects
