Insights from GDPR Bootcamp

01.04.18 | By Kim Zoetbrood

Recently, Polaris participated in CBI’s General Data Protection Regulation, or GDPR, Bootcamp in London. The conference focused on one important topic: the upcoming GDPR regulation for the European Union that goes into effect on the 25th of May 2018.

GDPR has sweeping repercussions not only for companies located within the EU, but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

The goal of this regulation is to bring more security to the use and processing of personal data. The regulation defines and clarifies the differences between data controllers and data processors. Data controllers need to define the purpose and means of processing the data, whereas processors should act within the established instructions from the data controllers. Hence, data controllers are responsible and liable for the actions performed by the processors. GDPR makes it possible to fine data controllers up to 4% of the global turnover, a sum that could equal as much as €20 million. That would be the maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines (i.e. a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment). It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

It is therefore not surprising that Bootcamp attendees were heavily involved in the various discussions on how to tackle this new regulation. The conference was intimate in scale, with about 50 attendees, allowing for a lot of quality interaction between the speakers and the audience. Legal counsel, European Union committee members, Life Sciences company representatives and software and service vendors were all in attendance.  The format consisted of a mixture of panel discussions and presentations, ranging from professionals sharing their firm’s experiences to lawyers analyzing the regulation.

Many companies were looking for, or sharing, ways to get started on a GDPR plan. There was overall agreement that external consultants can greatly support companies’ efforts, but that a vast majority of the work really needs to come from inside the business.

Attendees agreed that the starting point should be a risk assessment to indicate which areas are critical. The most sensitive data, such as private address, id numbers, financial and health data, presents the highest risk. Bootcamp participants indicated they have accepted that they cannot be 100% compliant by May, and believe the Life Sciences industry is not the main target for GDPR enforcers.

The most common takeaway seemed to be that communication and understanding around GDPR is minimal, and that companies are struggling with the content and timelines of the regulation.

92% of attendees indicated that GDPR is a top priority. However, conference surveys and sessions revealed that the level of readiness is extremely low, with only 1 in 20 companies declaring that they are prepared. Half of the attendees said that their firm was between 50 – 60% prepared and internally aligned for the GDPR.

Are you ready for GDPR? From conducting risk assessments and crafting SOPs to cutting edge technology, Polaris’ experts can ensure that your organization is prepared for GDPR. Our eConsent tool effectively helps manage consent, and our Global Compliance Platform (GCP), delivers complete workflow management, data capture, spend tracking and reporting of all HCP/O payments and transfers of value in a single online platform. To learn more about Polaris and all our solutions, visit Read more about the specific provisions of the regulation here.