Are you GDPR compliant?

What it is and how it will affect your business

On 25 May 2018, the biggest change in data protection for 20 years became legally enforceable when the EU General Data Protection Regulation (GDPR) came into effect.

The GDPR applies to any organisation, irrespective of its size, that processes or handles the personal data of individuals in the EU. Note that “personal data” under the GDPR is broader than the common notion of personally identifiable information (PII): it covers any information relating to an identified or identifiable person, including online identifiers such as IP addresses and cookie IDs.

Don’t delay: take action now and get yourself on the path towards compliance.

Our practical, non-sales approach is popular with our clients. We work within specified budgets and while we will advise what the legislation requires – and offer our recommended solution to your legal obligation – there is no pressure from us to proceed with our suggestions.

For an informal chat about GDPR and other privacy matters, please contact our Compliance Director, Andy Chesterman. To understand more about your obligations, please download our copy of the 12-point plan published by the ICO.

12 steps any business must plan for

- and we can assist in the preparation

1. Awareness / Staff Training

Decision makers and appropriate staff within the organisation need to be fully aware that the law has changed and should appreciate the impact this is likely to have. Non-key staff should be made aware of the changes, but from a top-level perspective.

2. Information You Hold

You should fully document what personal data you hold, where it came from, who you share it with and how long you keep it. This may require a full information audit.

3. Communicating Privacy Information

Review all your current privacy notices and put a plan in place for making the changes the GDPR requires. Notices must now state, among other things, your lawful basis for processing, your retention periods and the individual’s right to complain to the ICO.

4. Individuals’ Rights

You should check all your procedures to ensure they cover all the rights individuals have, including how you would delete personal data (the right to erasure) or provide it in a structured, commonly used and machine-readable electronic format (the right to data portability).

5. Subject Access Requests

You should update your procedures and plan how you will handle subject access requests (SARs) within the new timescales: a full written response within one month of receipt, extendable by up to two further months only where requests are complex or numerous, and normally free of charge. It is expected that there will be an increase in SARs, so it is recommended that an efficient procedure is put in place to handle them as soon as they come in.

6. Legal Basis for Processing Personal Data

You should look at the various types of data processing you carry out, identify the lawful basis (Article 6) for each and document it. The basis you rely on also has to be stated in your privacy notice, and it affects which rights individuals can exercise against that processing.

7. Consent

You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes and silence do not count, and it must be as easy to withdraw consent as it was to give it.

8. Children

If you offer online services directly to children and rely on consent as your lawful basis, you should start thinking about what systems can be put in place to verify individuals’ ages and gather parental or guardian consent. The GDPR sets the age of digital consent at 16, but allows member states to lower it; the UK has set it at 13.

9. Data Breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. The ICO must be notified within 72 hours of your becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the breach is likely to result in a high risk to individuals, they must also be informed without undue delay. Record every breach, including those you decide not to report, and the reasoning behind that decision.

10. Data Protection by Design & Data Protection Impact Assessments

Data protection by design and by default is now a legal requirement (Article 25), and a Data Protection Impact Assessment (DPIA) is mandatory for any processing likely to result in a high risk to individuals, such as large-scale profiling or systematic monitoring. You should familiarise yourself with the ICO guidance on DPIAs (previously called Privacy Impact Assessments) and decide how they will be implemented within your organisation.

11. Data Protection Officers

You should assess whether you are required to appoint a Data Protection Officer (DPO): this is mandatory for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those processing special category or criminal conviction data on a large scale. Even where it is not required, someone should be designated to take responsibility for data protection and compliance, and you will need to decide where that role sits within the structure of your organisation and ensure it reports to the highest level of management.

12. International

If your organisation operates in more than one EU member state, you should determine which supervisory authority is your lead authority. This is normally the authority for the country in which your main establishment, the place where decisions about the purposes and means of processing are taken, is located.

View our free downloadable 12 point plan