How can companies comply with 2018 GDPR

regulation while earning benefits?



By Etienne Plassard

SKEMA Business School

Lille, France




As a reaction to the General Data Protection Regulation (GDPR) implemented on May 25th of 2018, companies seek compliance and better data privacy management. Besides, lots of them are still struggling with processes implementation. This paper aims at offering concrete solutions to start and improve their overall GDPR compliance while earning benefits and saving costs. This study will answer the following research questions: how to deal with data-privacy contract management, how to manage data efficiently, and how to mitigate risks related to data breaches. The research method used to evaluate the different solutions is the additive weighting technique based on a compensation model. We will find that the four best alternatives must be combined to ensure significant GDPR compliancy and benefits. Thus, adopting a performant contract management system and having a strong breach identification is necessary, as well as using the Agile methodology to implement change.

Keywords:     Cash Flows, Data, Protection, GDPR, Compliance, Risk Mitigation, Storage, Breaches, Cybersecurity, CMS, Anonymization


Do you think it is normal that today, only one in five companies surveyed believe they are GDPR compliant?  This famous agreement on data protection implemented since May 25th of 2018 reveals not to be respected by a wide majority of US and European companies.[1]

The problem is complex for many reasons: “GDPR’s scope is far more comprehensive and wide-reaching, meaning businesses will need to amend their data protection policies accordingly”, says a Virtual College study.[2] There are way more clauses to comply with than the previous 1995 DPA and the volume of data concerned is tremendous for big corporations. It represents also a deep shift in people ways of working, as well as huge IT organizational and process changes. In parallel, data privacy stakes are rising: the Ponemone Institute found increasing data breaches in frequency (33% in 2013 and 43% in 2014)[3] while Verizon confirmed 53,000 incidents and 2,216 confirmed data breaches in 2018[4]. On top of that, the legal part remains the major concern of GDPR, however, it is also a question of freedom, respect, and dignity of the people[5].

One can realize all these major changes cannot be implemented once and for all, even more on a short-time period. In this study, we will develop actions and processes companies can use to tend to full GDPR compliancy while earning benefits at the same time. It is something very progressive companies must work on because it targets not only data management but also change and risk management. On top of that, this very wide project must be seen as a long-term process to put in parallel with a global better data privacy management. According to Daniel Mintz, “All businesses housing large volumes of data are faced with a dilemma: figuring out which data to keep and ensuring that data that is kept is secure”.[6] Indeed, these structures are at the edge of transformation and integration solutions that help their clients managing their databases. We will narrow the study to EU and US companies that can afford the solutions furtherly approached, starting from medium-sized companies up to corporations.

In this study, we will enlighten three major issues companies must face and their related solutions. First, data-related contract management becomes a nightmare when it comes to checking on every clause. Identifying the data nature and stakeholders concerned is the first step to a long process, not to mention US and EU differences and opening clauses that “permit a Member State to modify the provisions of the Article” for a “more restrictive application of the GDPR obligation via local legislation.”[7] In parallel, companies must tackle data issues such as increasing data volume and relevancy. For example, “you may need to appoint a data protection officer (DPO), depending on the types of processing your company conducts”[8], to tackle daily and long-term data privacy purposes. Launching data minimization and anonymization processes should reduce sensitive data ownership because according to Recital 26 of GDPR, “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”[9]. Thus, the ability to use this kind of data can help companies improve their customers’ experience, or simply be a new source of profit.[10] The last big issue is about incident and breaches. How to deal with them? It starts with a complete protection and prevention program: breach identification is necessary, as well as a permanent cybersecurity control through bounty programs for example. Because risks cannot be all avoided, companies must have solid and very-well processed incident response plans to anticipate costs, resources and decisions related to every possible breach situation[11].


To read entire paper, click here


Editor’s note: Student papers are authored by graduate or undergraduate students based on coursework at accredited universities or training programs.  This paper was prepared as a deliverable for the course “International Contract Management” facilitated by Dr Paul D. Giammalvo of PT Mitratata Citragraha, Jakarta, Indonesia as an Adjunct Professor under contract to SKEMA Business School for the program Master of Science in Project and Programme Management and Business Development.  http://www.skema.edu/programmes/masters-of-science. For more information on this global program (Lille and Paris in France; Belo Horizonte in Brazil), contact Dr Paul Gardiner, Global Programme Director paul.gardiner@skema.edu.

How to cite this paper: Plassard, E. (2019). How can companies comply with 2018 GDPR regulation while earning benefits? PM World Journal, Vol. VIII, Issue VII, August.  Available online at https://pmworldlibrary.net/wp-content/uploads/2019/08/pmwj84-Aug2019-Plassard-compliance-with-GDPR-while-earning-benefits.pdf



About the Author

Etienne Plassard

Paris, France




Etienne Plassard is a Master 2 graduate student in Project Management with one year of professional experience in recruitment and project management. Born in Côte d’Or in France, he studied mathematics, geography and economy in France, and then entered SKEMA Business School in Lille, France. He studied capital markets and accountability in Canada for 6 months, and then went to Brazil to study project management. He has been accredited PRINCE2 and AgilePM in December 2018. He is currently working for a consulting firm as a Business technology & integration consultant in Paris. He is publishing his first Student Paper under the tutorage of Dr Paul D. Giammalvo, CDT, CCE (#1240), MScPM, MRICS, Senior Technical Advisor (Project Management) to PT Mitratata Citragraha. (PTMC), Jakarta, Indonesia.

Etienne lives in Paris, France and can be contacted at etienne.plassard@hotmail.fr


[1] Edward Gately, 80 Percent of Companies Still Not GDPR-Compliant (2018, July). Retrieved from: https://www.channelpartnersonline.com/2018/07/13/80-percent-of-companies-still-not-gdpr-compliant/

[2] What are the main differences between the GDPR and the Data Protection Act? Conducted by Virtual College (2018, January). Retrieved from: https://www.virtual-college.co.uk/news/virtual-college/2018/01/the-differences-between-gdpr-and-data-protection

[3] Is Your Company Ready for a Big Data Breach? Conducted by Ponemon Institute (2013, April) Retrieved from http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf

[4] 2018 Data Breach Investigations Report, 11th edition, conducted by Verizon (2018). Retrieved from: http://www.documentwereld.nl/files/2018/Verizon-DBIR_2018-Main_report.pdf

[5] Laxmi Sharma, GDPR: After 25th May, What Medium And Long-Term Actions? (2018, June). Retrieved from: https://www.smartdatacollective.com/gdpr-25th-what-medium-long-term-actions/

[6] Daniel Mintz, The Road to Becoming GDPR Compliant Leads to Log Term Success, (2018, October). Retrieved from: http://www.dataversity.net/road-becoming-gdpr-compliant-leads-long-term-success/

[7] John Tomaszewski, “Opening Clauses” in the GDPR – It Might Not Be As Easy As We Thought (2017, July). Retrieved from: https://www.globalprivacywatch.com/2017/07/opening-clauses-and-the-gdpr-it-might-not-be-as-easy-as-we-thought/

[8] Lei Shen, Rebecca Eisner, Updating Your Vendor Agreements to Comply With GDPR (2017, March). Retrieved from: https://iapp.org/news/a/updating-your-vendor-agreements-to-comply-with-gdpr/

[9] Recital 26 EU GPDR, (2018, September). Retrieved from: http://www.privacy-regulation.eu/en/recital-26-GDPR.htm

[10] How To Monetize Your Data? produced by Lotame (2018, February). Retrieved from: https://www.lotame.com/how-to-monetize-your-data/

[11] Elizabeth Kemery Sipes, Bryan Cave, Joshua James, Current data security issues for financial services firms (n.d). Retrieved from: https://www-emeraldinsight-com.ezp.skema.edu/doi/full/10.1108/JOIC-07-2016-0034