Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
Bedrock Managed Service
Scalable support and on-demand expertise that seamlessly integrates with your existing operations.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
15 November 2017

Is hiring an SAP contractor your only option?

With GDPR looming on the horizon, it is time to take a closer look at how organisations can adapt privacy requirements and business operations well in advance of the regulation coming into effect in May 2018.

If you would like to read the previous blog, please click here for Part 1


Privacy by design
A key to the success (or not) of organisations becoming GDPR compliant will be how well privacy requirements are integrated into business culture.  While there are many similarities between the ‘old’ paper-based and ‘new’ digital worlds, there are also huge disparities.

Most companies already have some form of data privacy structure, which can be used to gauge the additional work that needs to be undertaken. Frameworks in which infosec principles are embedded, and where the focus is on building relationships and developing trust will also be essential.


What are people worried about when considering privacy by design?

  • People don’t follow rules, clicking on email attachments for example that can put compliance at risk because they contain non-compliant data.
  • The Data Protection Impact Assessment (DPIA) is a new requirement to identify and resolve any privacy related risks. Incorporating it into business policies with GDPR is an option, but there is a danger of over-complicating the issue.

Lessons learned to date:

  • Everyone needs to be educated to ensure they understand both the overall implications of GDPR for the organisation, and the specifics of how it relates to their project(s).


Business operations
The marketing sector will be hard-hit by GDPR, depending as it does on personal data for online targeting.  While it argues that this data enables the delivery of highly personalised and relevant communications, along with benefit such as offers and discounts, some consumers will welcome not receiving these messages.

Similarly, as referenced above, spreadsheets with business contacts are the backbone of many business development activities.

Some organisations already operate strict privacy processes, scanning all outgoing email and deleting company confidential information from all devices before foreign travel for example, many will struggle with the stringent new rules – and the current lack of clarity.

What are people worried about when considering the impact of GDPR on business operations?

  • Data protection is subjective; what is right for one organisation may be unworkable for another.
  • Much of today’s marketing activity deploys automated decision-making. Explaining the algorithm behind these will be challenging.

 Lessons learned to date:

  • There is a generation gap; younger people are more comfortable sharing personal information, particularly in order to get something (often content) for ‘free’. However, it is questionable how well they understand privacy.



The general consensus was that non-compliance is unlikely to be met with the full 4% fine, although it seems likely that examples will be made of bigger businesses; high fines will be intended to get peoples’ attention and show what should be done to meet GDPR requirements.


What we know so far

Despite the current lack of clarity on what GDPR will mean for organisations, it is possible to make some recommendations based on the observations and experiences of our attendees:

  • The first step for any organisation will be to understand what personal data they hold, where, why and for how long. A data audit to gather this information is a task not to be underestimated but a critical starting point.
  • The burden of the GDPR will depend on the data maturity of each organisation. Most companies have some form of data privacy policy; this can be used as a basis for future compliance efforts.
  • Even with policies in place, people often don’t follow rules, clicking on unidentified attachments, for example, despite knowing this is risky. Part of the compliance solution is to undertake training and awareness throughout the organisation. This is particularly important at board level – the ‘tone as the top’ with respect to data protection and the importance of compliance is critical.
  • Existing processes for security impact assessments can be re-used as a foundation for the Privacy Impact Assessment (PIA) requirement under GDPR.
  • The business element of GDPR compliance is more difficult than the IT part. The process, which may be set by a lawyer, needs intellectual input that is sensible and provides context and perspective. Collaboration between legal, IT, compliance and risk management teams is key here.

Whilst the stage of GDPR preparations and preferred approach varied across the organisations attending our roundtable there was consensus on at least one thing – now is the time to take GDPR seriously and to make tangible steps towards compliance.


This article first appeared in E-3 Magazine. To read the original article click here.