The GDPR: Counting Down to 25 May 2018


Much has been said about the General Data Protection Regulation (GDPR) which is coming into force across the European Union, including the UK, this May. If you’ve had your head stuck in the sand until now, it’s high time to act.

The good news is that if your business is already complying with the current Data Protection Act (DPA) 1998, your approach is likely to go a long way to support compliance with the new regulation. That said, there are some important differences between the Data Protection Act and the GDPR.

To ensure that your business is ready for the new law, you should familiarise yourself with the requirements of the legislation and check through these 12 steps to help aid preparations.

1. Raising awareness

Is everyone in your company aware that the data protection legislation is changing? Ensure that all key personnel are fully briefed of the imminent change in data protection and how the changes affect working practices.

2. Understanding how the definition of personal data is changing

One of the key changes between the DPA and the GDPR is that the latter expands the definition of personal data to include ‘any information relating to an identified or identifiable natural person’. This now includes online identifiers such as IP addresses, web cookies, as well as biometric data such as fingerprints.

3. Checking individuals’ rights

Under the GDPR, individuals’ rights are enhanced to include the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing and right to object. There’s also a new right to data portability.

4. Ensuring full documentation

GDPR will require all businesses and organisations to maintain full records of data processing activities. This includes the type of personal data collected, how it was obtained, who it is shared with, and where relevant, evidence of consent.

5. Reviewing privacy notices

GDPR legislation means that your business will be required to publish privacy notices, which make it clear how individuals’ personal data is processed A privacy notice should include the lawful basis for holding data, the data retention period and the individuals’ right to complain.

6. Updating request procedures

The new GDPR means that subject access requests must now be handled within one month (although the period of compliance can be extended where requests are complex or numerous). This may require your organisation to update internal systems and processes to properly deal with such requests.

7. Verifying the lawful basis

Depending on the lawful basis of processing personal data, some individuals’ rights may be modified under the GDPR. For each data subject, the lawful basis of holding information must be identified and documented.

8. Refreshing consents

From May of this year, using consent as a basis for processing individuals’ data must meet GDPR standards on being ‘specific, granular, clear, prominent, opt-in, documented and easily withdrawn’. This may necessitate a review of your existing consent procedures for activities such as marketing.

9. Protecting children’s data

GDPR will usher in special protection for personal data belonging to children (<16 years old in the UK), which will require consent from a person holding parental responsibility.

10. Reporting data breaches

GDPR data security requirements means that your business needs effective procedures in place to detect, investigate and report (to the ICO and/or individual data subjects) any personal data breaches.

11. Adopting data protection by design and default

Under the GDPR, the approach to privacy and data protection is no longer advisory, it is a legal requirement. When conducting certain types of processing that are likely to result in a high risk to individuals’ interests and/or undertaking any major projects which require the processing of personal data, your business may need to carry out a Data Protection Impact Assessment (DPIA).

12. Appointing a Data Protection Officer (DPO)

If your organisation is a public authority, a business that routinely carries out systematic large-scale data monitoring, or processes special category data (eg. health or criminality data), you will need to designate a DPO whose job it is to take on the formal responsibility of informing and monitoring data protection within your organisation.



No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Tuesday, 24 September 2019
If you'd like to register, please fill in the username, password and name fields.

Member Login

Business Insights & Tips


Jill Holtz
2109 Points
Tena Glaser
1394 Points
Michael Lane
802 Points
Ron Immink
732 Points
Fionan Murray
721 Points
View Leaderboard