General Data Protection Regulation – What is your business doing about it?


A simple explanation of GDPR

The General Data Protection Regulation (GDPR) is replacing the outdated Data Protection Act; it covers citizens of the European Union, and extends and modernises the definitions of personal data.   The GDPR provides citizens with a greater level of control over their personal data and gives businesses some new obligations over how they handle this personal data.  It is an evolution, not a revolution, and those businesses who currently follow good data protection practices will only have small changes to make.  However, it is a good opportunity for all businesses to review their data protection practices, as public interest in data security and privacy is increasing, and GDPR will only increase that interest.

There are 12 steps recommended by the ICO for businesses to follow in preparation for the GDPR

1. Awareness

Senior management, and key personnel in your business must be aware that the law is changing.  They need to appreciate the impact this is likely to have.

2. Information you hold

You should document what personal data you hold, where it came from, and who you share it with.  You may need to carry out an information audit, or data mapping exercise.

3. Communicating privacy information

You should review your current privacy notices and plan to make any necessary changes in time for GDPR implementation.

4. Individuals’ rights

You should check your procedures to ensure they cover all the rights that individuals have, these rights are changing under GDPR.  This needs to include how you would identify and delete personal data, or provide data electronically and in a commonly used format.  You should also have processes in place to ensure you understand when individuals do, and do not, have these rights, and how quickly you are obliged to respond.

5. Subject Access Requests

You should ensure you have procedures and plans to ensure you can handle requests within the new timescales and provide any additional information as required.

6. Lawful basis for processing personal data

For each piece of personal data that you process, you should identify the lawful basis for processing, document it, and update your privacy notice to explain it.

7. Consent

Where you rely on consent as the lawful basis for processing personal data you should review how you obtain consent, how you record and manage consent, and whether you need to make any changes to these processes.  You should also look to refresh any existing consents, if they were not obtained in a way that is compliant with the new regulation.


You should think about whether you need to put processes in place to verify individuals’ age, and to obtain parental or guardian consent for and data processing activities.

9. Data breaches

You should ensure you have procedures in place to detect, report, and investigate a data breach.

10. Data Protection by Design, and Privacy Impact Assessments

You should familiarise yourself with the ICO’s Code of Practice on Privacy Impact Assessments and the latest guidance from the Article 29 Working Party and work out how and when to implement them in your organisation.

11. Data Protection Officer

You should designate someone in your organisation to take responsibility for data protection compliance, and consider where this role will sit within your organisation’s structure.  You should consider whether you are required to formally designate a Data Protection Officer.

12. International

If you operate across more than one EU member state, you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you to do this.

If you require assistance with any of these points please contact us