Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
4 June 2018

Pragmatism - the Light at the End of the Shadowy GDPR Tunnel

A few days on from the enforcement of the GDPR and the world hasn’t collapsed! Although there have been rumours of massive fines for the likes of Google and Facebook, there have not been confirmed cases as yet.

Due to the vagueness of the GDPR articles, accompanied with the vast scaremongering around significant fines, consent requirements and rapid data breach notification deadlines, there has been a GDPR panic as to the implications on business. Our advice has always been to take a pragmatic approach to meeting compliance tailored to the nature of the business. Organisations should be rational and ensure their main sources of data privacy risk are protected with higher security measures, whilst taking a more relaxed approach with lower risk areas.


Turnkey has been exhibiting at events either side of the GDPR effective date and it’s been interesting to compare notes with other exhibitors on how different companies have interpreted the legislation. The response has been very mixed, ranging from total blocking of all contacts known to be EU / UK entities to a completely unchanged approach to lead generation and prospecting activities. In some cases, organisations have tied themselves up in knots in their attempt to demonstrate total compliance with both the letter and spirit of the regulation.


We have made minor updates to our behaviours at conferences and events but not fundamental changes. We have been more discerning with the ‘scanning’ of delegates by qualifying the conversations to understand whether there is real value in taking down their contact details. We have also focussed on clarifying consent through the conversations and transparency of what the intended use is for the information. We recognise however, that making direct contact with new prospective customers and delivering quality content that is appropriate and relevant to them is fundamental to what we do as a growing business.


It is important to remember the regulation hasn’t been enforced to hinder business. Rather, it is to ensure organisations manage personal data more responsibly. Therefore, rather than impeding productivity, the GDPR should encourage organisations to develop their existing policies and procedures, cleanse data repositories and develop trust with their customers by demonstrating transparency with their data processing.


The GDPR is an evolution not a revolution. Many of the data privacy principles are unchanged from the 1998 Data Protection Act. Transparency, data minimisation, integrity and security of data processing are all principles that companies should already be doing under the previous Act. Further, many organisations should have strong data privacy policies and procedures in place, therefore organisations should seek to improve these existing policies rather than looking to start from scratch.


Although a source of great panic to many organisations, the GDPR effective date has been a very useful milestone to drive activities that could easily be missed. Certainly we have used the deadline as an opportunity to reinforce privacy considerations and to perform clean up actions that would otherwise have been easily put off.


Data Protection Authorities are not looking to catch organisations out. The focus of the GDPR is not the fines - it’s about shifting control back to the consumer. As long as companies can demonstrate adequate technical and organisational measures were taken to ensure data protection, the authorities will show leniency to non-compliance.


Going forward, organisations must take a realistic approach to implementing data privacy requirements under the GDPR. While authorities do have the power to inflict significant fines, their approach is to guide, help and educate organisations to achieve compliance. Companies should see the GDPR as an opportunity rather than a hamper, which will benefit both the organisation and individuals.


GDPR 9 point plan thumbnail