1.
GDPR: A Threat or Opportunity?
www.normanbroadbent.com

2.
Introduction
With General Data Protection Regulation (GDPR) a legal requirement for all UK companies
from May 2018, there have been numerous articles written either demonstrating the
confusion surrounding the new regulations, or detailing the downsides of the legislation.
AswithanynewEuropeaninitiativetherewillbegreyareasandshorttermhurdlestoovercome.
But NB:Solutions believes these regulatory changes could offer long-term opportunities to
those firms which are patient, resourceful and committed to seeking them out.
Putting to one side the human, technology and process complexities, let us remind ourselves
of what the new GDPR regulatory landscape looks like;
• Heavy fines of up to €20 million or 4% of a company’s global annual turnover for non-
compliance
• Data ownership now sits with the citizen
• Explicit consent is required from the citizen
• Companies need to know what personal data they have and how it is being used
• Every company will need to appoint a designated Data Protection Officer
As specialists in the field of Talent Acquisition & Advisory Services, NB:Solutions regularly
meet technology and data leaders in Fortune 500, FTSE 100 and Tier One Consultancies. With
the introduction of GDPR we have asked two simple questions of our clients;
• What are the positives of GDPR?
• If we embraced rather than complied with GDPR, what would be the outcome?
This paper is a summary of the responses we received and highlights the positive aspects
and outcomes of GDPR, which have been obscured by the more headline-grabbing aspects of
the edict. We believe that should companies embrace and then leverage GDPR, it could truly
change business and help create genuine competitive advantage.
www.normanbroadbent.com

3.
www.normanbroadbent.com
Will GDPR Further
Drive Improvements in
Cybersecurity and Data Protection?
“90 percent of companies worldwide recognise they are insufficiently
prepared to protect themselves against [cyber-attacks].”
The Global Risks Report
World Economic Forum (WEF)
Judgingbythenumberofrecenthigh-profileonlineattacks,cybersecurityanddataprotection
has been regarded as “something which happens to other organisations”, meaning many
businesses are not as protected as they should be. With the advent of GDPR there is yet
another reason cyber security and data protection must be taken seriously. As a result,
businesses are now creating enterprise-wide data governance strategies. For some clients,
GDPR plus the recent publicity around cyber-attacks has brought the issue to a broader
audience beyond IT professionals. This hasn’t just galvanised the C-Suite, General Counsel,
Risk and the Head of Privacy but also other stakeholders such as Non-Executives, investors,
customers and external opinion-formers in the media.
GDPR is therefore acting as a catalyst, allowing data issues to move beyond the traditional IT
functions and into the wider business. GDPR strategies are being created and sponsored by
senior executives who are not necessarily technologists by background.
For the first time many businesses are discovering where their data actually resides, where
it is used, and the true value of it to the business. Fundamentally, GDPR/data governance
is being seen not only as a technology issue, but rather something which runs through a
business - in essence, how a firm can operate and exist.

4.
The world is changing. Large scale digitalisation is becoming a fact of life and sectors and
businesses that were once regarded as technology-driven are now distrusted. The interaction
between humans and the new digital landscape will be one of our generation’s biggest
challenges. The data which we produce is becoming instrumental in how we interact with
businesses and government organisations, and has become a new currency - with consumers
and criminals realising its worth.
Up until now, each European member state’s information regulator interpreted the existing
European Data Protection Directive (EDPD) slightly differently, with certain bodies having
more stringent regulations than others. This has obviously led to problems.
GDPR however applies directly to all EU members without being interpreted and enacted in
different national laws. It will be used to prosecute across the whole EU but the European
Commission can also pursue companies and individuals outside the EU where the personal
information of EU citizens is involved. This therefore includes the world’s four biggest
technology / data companies Google, Apple, Facebook and Amazon, who each reside in the
US.
Indeed, we have already started seeing huge fines imposed on these firms for contravening
similar recent EU law that has scope and authority outside the EU if its citizens are affected.
GDPR therefore creates a level playing field for all companies across member states, allowing
smaller companies to grow and reducing the risk of monopolisation by the larger ones.
Can GDPR Create
Competitive Advantage and
Establish a Level Playing Field?
www.normanbroadbent.com

5.
www.normanbroadbent.com
With the ‘Age of the Internet of Things’ (IoT) upon us, forecasts suggest that by 2020 there
will be 20 billion connected devices worldwide. By 2018 the IoT will create 500 exabytes
of data globally each year. As a comparison, the global monthly internet traffic passed 1
exabyte for the first time in 2004 and has been growing exponentially since. The IoT will bring
up personal data privacy issues around autonomous data capture, and the potential lack of
citizens’ control of who owns their data and how that information is being used, creating a
risk of misuse.
Such global advance requires global data agreement. However, despite there being similar
frameworks to the European Data Protection Directive and GDPR in other countries, such
as Australia, in general there is a distinct lack of international standards for data capturing,
processing, propagation, retention and deletion across the world.
Because GDPR will drive higher standards in Europe, this could give the EU and the UK a
competitive advantage with the UK/EU having guiding principles for the data world. As with
financial services, these cross-state rules could also lead to cross-border collaboration, which
could be the start of public sector bodies in EU member states following the lead of their
private sector siblings and working together to manage the personal data of their citizens.
GDPR = Advantage EU?

6.
www.normanbroadbent.com
GDPR is a potential catalyst to create an ‘ethical ecosystem’. By fully embracing or going
above and beyond regulatory requirements, companies will strive to be seen as the most
ethical data user to attract and retain customers and employees.
On the flip-side, there are numerous examples of a firm’s reputation plummeting following
a data breach or misuse of personal information. Carphone Warehouse was subject to three
data breaches in 2015. The first and last related to TalkTalk and has become a prevalent
example, with monthly surveys recording a -57% score on their customer reputation standing.
There will be a point when consumers lose patience and actively look for a data-friendly
business in the same way that we have seen an evolution of a ‘green retail’ trend. Think
aerodynamicM&Slorries,Tescosendingout-of-dateproducetofoodbanksratherthanrefuse
sacks, Waitrose stores powered by renewable energy and all Co-op own brand receiving
Fair Trade certification. With shareholder value, customer volume and firms’ perception to
employees at risk, the stakes are very high!
Will companies
leverage GDPR to enhance
their reputation and brand?

7.
www.normanbroadbent.com
While there having been notable examples of major firms misusing or insecurely storing
personal data (customers and employees), GDPR non-compliance risk is something
companies need to be acutely aware of. Mismanagement or lack of awareness of this new
category of regulatory risk can have a significant impact on the value of a business. The
protracted acquisition of Yahoo by Verizon is one of the most prominent examples. When
the two companies first started discussions, Yahoo was valued at $4.8 billion. Following the
disclosure that c.1 billion personal records had been ‘lost’, Yahoo were forced to drop the
sale price by $350 million.
Besides the dollar cost, there is also the potential for reputational risk - the outcome of
which is customer loss. In a OnePoll survey of 2,000 respondents, 86% of those polled stated
they were “not at all likely” or “not very likely” to do business with an organisation that had
suffered a data breach involving credit or debit card details. Following Target Corporation’s
data breach, Y-o-Y sales fell by 46% in Q4 2013.
Another vital aspect to consider in relation to GDPR non-compliance is the impact it may
have on employees. Those firms reliant on highly skilled and in-demand employees were
particularly worried about any potential data breach and the resultant GDPR-related fines.
One CEO surveyed by our firm explained that a leak of sensitive HR/personal data would
significantly impact their ability to hire and retain new talent. Another explained that with
the potential fines from the regulators being so high, it could wipe out profit margins and
potential bonus pools.
Can the advent of
GDPR protect company value
and aid employee attraction?

8.
“Two-thirds (67%) of customers actually say they would share more personal
information if organisations were more open about how they intend to use it.”
The Chartered Institute of Marketing
WithGDPRenforceablefrom25May2018,itisevidentthatbusinessesdrivenbypersonaldata
will be disrupted and their models forced to transform. Many forward-looking organisations
are looking not at the downside, but instead proactively embracing these changes and
exploring what benefits are to be had.
The very public (and expensive) data breaches seen in recent years - plus GDPR - have put
cybersecurity and data governance firmly on the Board agenda. This is a marked change in
attitude towards cybersecurity which should be welcomed.
In addition, companies are now more aware – as are citizens – about the importance of
individual privacy. The technology of the future is only just coming into view, as are its
implications.Therefore,havinguniformedguidingprinciplesallowsindustrytocreateaprivacy
framework for modern technology to work within. Whether we like it or not, individuals and
organisations are recognising how much their data is worth. Some firms will leverage GDPR
to revolutionise their customer relationships. On the flip side, some customers may choose
only to engage with those companies that will look after their data in a proper manner.
In summary, all businesses must prepare for the GDPR era. Others may go one step further,
and seek to leverage it, thus creating sustainable competitive advantage in acquiring talent,
customers and commercial opportunities. To achieve this kind of competitive advantage they
must identify and acquire the right talent. As a provider of Talent Acquisition & Advisory
Services,NormanBroadbentGroupisuniquelyplacedtohelpclients.Withafocusonproviding
client solutions, we are able to deploy a range of services from Board and Executive Search
through to Interim Management, Research & Insight, Leadership Consulting & Assessment,
and executive-level Recruitment Solutions. If you would like a confidential discussion about
how we may be able to help you maximise your competitive advantage please contact
the authors of this report – Minesh Ghelani and James Wyman – for an initial confidential
discussion.
Conclusion
www.normanbroadbent.com

9.
About NB:Solutions
NB:Solutions
As part of the Norman Broadbent Group, we offer a complementary service to our
colleagues in Executive Search. With a focus on excellence, NB:Solutions enables our clients
to identify, attract and hire sought after talent and the leaders of tomorrow.
We offer a portfolio of services including single assignments through to project recruitment,
rapid team or business builds and Executive-RPO. Our innovative approach to pricing and
commercial shared-risk model is one of NB:Solution’s key differentiators giving clients total
transparency and control over costs.
The Norman Broadbent Group
With almost a 40-year track record of success across a wide range of industry sectors and
functions, the Norman Broadbent Group has worked hard to retain the strong culture, values
and principles which underpin our success, and ensure clients work with us time and again.
As an established and trusted corporate advisor, our clients - be they long-standing
corporations or high growth innovators - call on our expertise in Board & Executive Search,
Senior Executive Interim Management, Solutions, Insight and Leadership Consulting to help
them anticipate and resolve their human capital challenges in innovative, cost effective and
time efficient ways.
With a focus on delivery, excellence, innovation and expertise we eschew the ‘one size fits all’
traditional approach often employed in our industry. Instead we always seek to understand
our clients’ needs and challenges first before crafting and successfully delivering the optimum
solution.
www.normanbroadbent.com

10.
About The Authors
Minesh is the Managing Director of NB:Solutions, a business which
delivers an agile and high quality executive-level recruitment offering.
With a focus on diligent and time efficient delivery, NB:Solutions
operates at the ‘mezzanine-level’, a market segment not typically served
by traditional Executive Search firms. As professional and discreet as
all businesses within the Norman Broadbent Group, NB:Solutions are
experts in delivering professional and specialist ‘hard to find talent’
quickly. Read more
Jamesisresponsibleforclientanddeliveryworkacrossavarietyofsectors
including technology & professional services. He also has a particular
interest in data analytics, robotics, cyber security and enterprise digital
transformation. During his career, James’s work has resulted in senior
level appointments at tier one partnerships as well as private and listed
companies. Read more
Minesh Ghelani
Direct: +44 (0) 20 7355 6928
Switch: +44 (0) 20 7484 0000
minesh.ghelani@normanbroadbentsolutions.com
James Wyman
James works with clients at points where, data, cyber security and privacy
meet. He has a particular interest in how data is being used as a disruptive
force.
With over 10 years search experience operating at mid to senior level,
Minesh is able to draw on a combination of deep sector expertise and an
understanding of functional disciplines ranging from HR to Technology,
Private Equity and Life Sciences.
www.normanbroadbent.com
Direct: +44 (0) 20 7355 6927
Switch: +44 (0) 20 7484 0000
james.wyman@normanbroadbentsolutions.com

11.
Norman Broadbent
12 St James’s Square | London | SW1Y 4LB | Tel: +44 (0) 20 7484 0000
@NormanBroadbent
www.normanbroadbent.com
info@normanbroadbent.com
www.linkedin.com/company/norman-broadbent