General Data Protection Regulation (GDPR) and Cyber Risk

Published on Friday 1st of July, 2016

By Chrissie Davis

I bridge the gap between corporate and creative, helping clients save time and costs, gain added value through knowledge and insight, and deliver more considered outcomes.

Find out more about Chrissie on LinkedIn.

I recently attended a WIN event hosted by law firm, DLA Piper. It covered the topical changes concerning data protection and took a hands-on approach to expressing the realities of cyber risk.

The first session covered the imminent changes as a result of the General Data Protection Regulation (GDPR). It’s taken over three years of planning and discussion, but we now have an agreed EU data protection framework. The GDPR will replace the current Directive and will be directly applicable in all Member States. It’s likely to come into force in May 2018, but given there is substantial change, companies are already looking to overhaul their processes and procedures to make sure all data processing activities are compliant when it comes into force. For background information about the GDPR, key changes and actions to take, see DLA Piper’s dedicated GDPR microsite.

This was followed by an insightful session presented by a digital forensics and incident response expert, covering a view of the current cyber breach landscape and a case study of a recent breach. It demonstrated how to execute an effective communications plan for a cyber crisis.

The final session was ‘experiencing a breach’, which was an interactive facilitated case study. This encouraged teams of legal minds to think about the bigger picture when tackling and handling a live cyber breach. This involved considering a breach from various perspectives:

  • Risk management
  • Governance
  • Legal
  • PR

It became evident that there is a delicate balance to managing internal investigations, reporting requirements and stakeholder interests. Therefore, having a data breach strategy, including pre-prepared communications, is vital.


Are you ready?

There may be further amendments and only once this process is complete will the two-year period run before the GDPR will come into force. Companies are beginning the process of moving towards compliance as many of the obligations will take time to integrate.


As part of this process the following needs to be carried out:

  • An impact assessment against the specific business activities to identify necessary changes
  • An action plan that has steps to implement these changes
  • A communication plan to help raise awareness of the changes across the employee base and supply chain to ensure best practice and compliance. This will cover introductory overviews that build towards the enforcement date, with reinforcement messaging thereafter.


Brexit and its effect on the GDPR

The GDPR comes into force in 2018, so depending on the precise timing of withdrawal from the EU, the GDPR may not apply to the UK and, if it does initially apply, it will then cease to do so. The UK Information Commissioner has made it clear that he expects standards equivalent to the GDPR to be applied in the UK post-Brexit to enable businesses to transfer their data between the UK and the EU in the ordinary course of business. Brexit is therefore unlikely to make a material difference to how employers plan for the GDPR.


We are ready

We can assist you with the planning, creative, implementation and review of a communications strategy. The GDPR will also affect the policies and guidance notes currently in place, so these will need to be reviewed and updated from technical and creative perspectives.


Helpful resource:

WIN events are set up to help in-house lawyers keep up to date with legal developments and network with peers. They also provide superb sessions that look to develop soft-skills needed to be an effective in-house lawyer. For more details:
