GDPR- `Data Protection with Teeth`- Vincenzo Ardilio Interview

By Sam Thomas | 7th July 2017 | 14 min read

We recently had pleasure to speak with IRIS` very own Data Protection officer Vincenzo Ardilio, in order to find out what the main challenges businesses might face when tackling the GDPR, what the role of a Data Protection Officer entails and finally, to find out how IRIS` own preparations are going for him.

                                                         1. Could you tell me a bit about yourself and your role in the company?

I’m Vincenzo Ardilio, I work as the Data Protection Officer for IRIS and have been in the role for roughly a year now. I’m helping to make sure IRIS is ready for the General Data Protection Regulation (GDPR). At the moment a lot of my time is spent on training and giving advice on data protection and information security.

2. Can you summarise what the GDPR is in one sentence?

`GDPR is data protection with teeth!`

3. What do you think the most challenging part of the legislation will be to UK businesses?

I believe the most challenging part will be demonstrating compliance by keeping records of the thought processes we all go through to make sure we’re using personal information responsibly. If there is a breach, we need to have the ability to demonstrate that we have taken that reasonable care.

4. What would you say to any businesses with hesitations committing to the GDPR due to Brexit?

It’s important that businesses accept that GDPR is going to happen despite Brexit. Also, we will probably have the Regulation in place for at least a year before we do actually leave the EU. Remember whichever data protection law does replace the GDPR in the UK, it will be very similar, because we had a lot of involvement in developing the GDPR legislation.

Finally, the fines that are present of up to €20million/4% annual turnover with non-compliance aren’t worth risking. So with less than a year remaining until the GDPR is enforced on 25th May 2018, now is the time to act to ensure that everything is in place.

5. What would you recommend as your first step in order to tackle GDPR to an SME?

The Regulation is so focused on transparency, and what businesses tell customers on how they are using their information. So I would advise data controllers to start by looking at the privacy explanations they give to customers and data subjects they are responsible for and checking they are telling customers everything they need to. They might find there are things they should be telling the data subjects that they don’t know – so it’s a good starting point to work backwards, identifying any potential gaps and filling them in.

6. What main differences will a smaller business face compared to a larger organisation?

Larger organisation are probably used to having to comply with lots of rules and regulations, so the likelihood is that they will have a head start on the GDPR. So with a smaller business they will need to sit down and examine whether they process any personal data and examine what they are doing with it. I don’t think they will need to go as far as a larger organisation but they still need to sit down and have a look at what they are doing and demonstrate due diligence to show that they are being responsible when handling personal data.

7. What was your main challenge when taking on the role as the IRIS DPO?

The same challenge for any new data protection officer starting at a new organisation: the first priority is getting an understanding of what the company does with personal data, understanding the structure of the company and the lines of responsibility for data processing – as well as where the higher risks may be. That isn’t as easy as you might think!

8. What advice would you give to anybody taking on the role as the DPO?

I would look at what the GDPR says about the role of a Data Protection Officer and then decide if they have the got right reporting lines in place and the right resources they need to do the job effectively. Get data protection on the risk register to make sure the top management are aware of their responsibilities and how data protection will affect the company.

Also, keep a record of all the advice they give and try and get training and awareness in place as soon as possible. Some organisations are more mature than others but whatever stage they’re at, a big challenge is changing people’s behaviours and the way they handle data and helping them to understand that data protection can no longer be considered a box-ticking exercise

9. How are you currently preparing for the big date?

At IRIS we are carrying out GAP analysis of our products to see what we need to do to get them ready for the GDPR. We’re also mapping out our data flows for our hosting solutions, and we are carrying out risk assessments, so we are already well along the road to having our products ready for the big date

10. What are IRIS’ main challenges in terms of GDPR?

The Information Commissioner says that it’s the duty of all businesses to understand the risks we are creating for our customers and clients by the way we use their personal data So, like any organisation, we need to keep our eyes open, especially for new and emerging risks.

We know we have a massive responsibility as a data processer and we must make sure that translates into everyone taking personal responsibility for data protection – our customers’ reputations are in our hands!

11. When would you recommended for businesses to start making preparations for GDPR?

Well, they should have started already so if they haven’t started, start now because already it’s less than a year to go now and they might have a lot of work to do to get ready!

12. Why would attending a GDPR Training course help companies start their preparations for GDPR?

It will help them to know where they stand, what has changed, and if they weren’t aware of Data Protection before it will give them a good introduction to their GDPR responsibilities. Small businesses are still subject to the fines and enforcements that face the big corporates so they need to act as soon as possible. So even though they may not need to go to the same lengths as a large organisation, they should at least be aware of GDPR and decide on what parts they need to comply on.

13. Is there anything else that IRIS is doing to help businesses comply with the GDPR?

We have been carrying out a thorough assessment of our products and putting in extra features where we can, to make sure our customers are able to comply with people’s rights when they apply for them. We are just doing all we can to ensure our customers have everything they need to comply with their new responsibilities

13. Why should businesses comply with the GDPR regulation?

It’s not going to go away. I believe this is a new age of compliance and accountability. Any organisation can choose not to comply but there are huge risks for that choice. But apart from that, data protection just makes good business sense, because if customers feel like they are being treated with respect that you are being open and honest with them, they will trust you and then they’re much more likely to use the product or service you provide.

What Next?


An introduction to General Data Protection Regulation

Learn how GDPR may affect you as a data controller and what you can do now to prepare!

Who is the course for?

This course is suitable for anyone who employs individuals or offers services to citizens in the EU. The course aims to highlight the key issues that might affect you as a business and to help you understand the next steps for your business. This may include seeking legal advice and getting more information for your managers across your business.

COST: £195 + VAT

Dates and times: Call us for the latest availability

Give us a call on 0344 815 5656 or email to find out how GDPR training can benefit you and your business.

For more information, click below.

Click Here