Global data expert: Companies should pay more attention to technology in their preparation for the GDPR

The GDPR is right around the corner, but are companies doing a good enough job preparing for it?

According to one data and legal expert, the answer is no.

Companies should focus much more on the technology side of their preparation for the GDPR.

That is the word from Stewart Room, global lead cyber security and data legal protection services af PwC, who spoke to attendees at the IP Expo Europe 2017 in London. has got the story.

If you do not focus on the technology stack over the next seven months, and you are responsible for a GDPR programme, you know where the pain is coming from,

Stewart Room told attendees at the major IT event that took place in London in early october.

Build to fail

According to the top legal advisor, there is an element of the GDPR that is almost build so that companies will struggle to reach compliance.

Core principles of the GDPR are based on the assumption that companies are much further ahead in their data efforts than they actually are. For example, many companies are still just learning how to implement data mapping exercises in their organisational structure, but according to Stewart Room, the GDPR is based on the premise that companies have long since got this figured out.

When the GDPR was first published in 2012, the lawmakers assumed that the gap that we needed to travel in order to make our organisations fit for purpose might be somewhere between a two- to four-year journey, but the fact that so many are still busy with data mapping exercises tells us that the gap is substantially greater,

Stewart Room explained via 

The top legal advisor added that many organisations are in a much worse position to reach compliance than the worst expectations of the GDPR lawmakers.

The lawmakers assumed the GDPR would be deliverable, but the evidence of the economy is something totally different.

Focus on technology

So, if the GDPR is too far ahead, what are companies supposed to do?

According to Stewart Room, part of the solution might be for companies to focus more of their efforts on the technological side of things. As he explained to the attendees, companies in need of an organisational transformation need to change paper, change people and change technology. The final aspect of that trinity might have been neglected so far.

However, we are seeing a massive amount of effort focusing on the paper – the creation of paper, while very, very few GDPR programmes are making their way into the technology stack in any meaningful sense.

Stewart Room thinks that companies need to focus more on technology in their preparation.

The great irony of this is that data protection law exists only because of a fear of technology and the threat that that poses to citizen and human rights.

But while technology is the threat, it is also the solution, which is why the GDPR requires the implementation of ‘appropriate technical and organisational measures’ across the entire landscape of your business.


The GDPR will come into force on 25 May 2018.