Recommended Agency

text controls: text only | A A A

Sorry, our twitter status is currently unavailable, posted about 1 hour ago

RSS feed icon What is RSS?


GDPR What does this mean for businesses?

If you’ve read our other posts on the GDPR - Introduction to GDPR and What it means for Individuals - you’re probably well informed about the basics. If you haven’t, here’s a brief overview to start you off.

The General Data Protection Regulation (GDPR) is the replacement for the Data Protection ACT (DPA). It comes into effect on the 25th May 2018 and is regulated by the Information Commissioner's Office (ICO) in the UK. Although the GDPR does share a lot of similarities with the DPA, there are some significant changes that will need thought and preparation in order to adhere to and avoid complaint or fines.

At first glance GDPR may seem like a regulation that will affect only web companies, but really it’s a change for all businesses that hold people’s personal details -  from commerce to banking; from recruiters to universities and hospitals. 

GDPR will mean big changes to how you gather, hold and share contact information but this transition doesn’t need to be painful, there are some steps you can start taking right now that will help the process run smoothly. 

Following the guidelines from the Information Commissioner's Office (ICO) we’ve outlined a twelve step checklist.

Step 1: Awareness

Decision makers and key people in your organisation should be aware that the data protection laws are changing. You could also hold a knowledge share to get the whole staff on board - everyone needs to appreciate the impact this is likely to have and help to identify areas that could cause compliance problems under the GDPR. If you have a risk register, this would be a great place to start.

Many organisations, especially those with larger or more complicated structures may have to take on extra staff in order to adhere to and maintain the GDPR.

Step 2. Information you hold
Do you know what personal data your organisation holds? Do you know where it’s held and who is responsible for sourcing and updating it? Every business will need to know this information to comply with the GDPR’s accountability principle. 

A great starting point is to conduct an information audit across the organisation. The GDPR will require you to keep records of how you process personal data; if you’ve passed incorrect data on you’ll need to make sure whoever’s using it now has the correct information. Getting a handle on what personal data you hold, where it came from and who you share it with now will mean proper data protection principles will be second nature by the time the GDPR comes into force. 

Step 3: Communicating privacy information

If you have a privacy notice, now would be a great time to update it. If you don’t have a privacy notice, you need to find out how your organisation is communicating who you are and what you’re going to do with the personal data you’re collecting. There are many online tools that can help you to write your Privacy Notice.

Under the GDPR you will need to give people more information when you collect personal data, such as your lawful basis for processing the data, how long you intend to hold onto it and that they can complain to the ICO if they think there’s an issue with how you’re handling their data. You need to explain this in concise, easy to understand language and it can’t be buried somewhere at the bottom of the page. The ICO’s Privacy notices code of practice has been updated to comply with the requirements of the GDPR. 

Step 4: Individuals’ rights 

As covered in our post on the individual’s rights under the GDPR, Individuals rights will include

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling

For the most part, these are similar to the individual’s rights under the Data Protection Act (DPA) but there have been some significant upgrades. If your organisation already accommodates the DPA rights, the transition to the GDPR should be fairly seamless. This is a great opportunity to check that you meet the eight rights above and upgrade your processes if you’re not quite there yet.

One process to check is what you would do if someone contacted you and said they wanted their personal data deleted from your system. Who has the authority to delete that data? Would your system allow it to be located easily? Did you pass the data on to anyone else? If the data needed to be moved to another company, is it in a standard, machine-readable format?

If you have data from years ago collecting dust in ad hoc spreadsheets now would be the time to discuss with your organisation if it’s time to streamline your database. 

Step 5: Subject access requests
People may ask to access their personal data and they have every right to but there are some guidelines on how this will work under the new regulation.

Currently organisations have 40 days to comply with a data request - this will be one month under the GDPR and, in most cases, you will not be able to charge for this. You can refuse requests that are unfounded or excessive but you must explain why. The individual then has a right to complain to the supervisory authority.

If your organisation gets a lot of requests for access, think about if you would be able to meet these within the new timeframe. if not - what systems could you put in place to either speed things up or let individuals easily and securely access their own data online?

Step 6: Lawful basis for processing personal data
You need to know why your organisation collects personal information and what your legal basis for processing it is. 

This may not have been something you’ve thought about before but you’ll need to know - if you don’t have a strong reasoning, an individual has every right to ask you to delete their personal data (see Step 4) and you must respect their wishes. 

If your CRM, website or company address book is full of contact details that you’re not using, discuss auditing the information now to save your organisation time after the GDPR.

Step 7: Consent

You may currently ask for consent when you acquire personal data but how is this information managed? Could you find a record of the consent if asked? 

Check if your consent process meets the GDPR standard and refresh it if it doesn’t.

Consent must be freely given, specific, informed and unambiguous. Opt-in must be positive and consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must be kept separate from other terms and conditions, and withdrawing consent should be simple.

Step 8: Children
Most organisations will have a very clear idea of whether or not they hold the personal data of children on file so will know whether or not this will affect them. 

However, under the GDPR, you will need to the consent of a parent or guardian to process the data of anyone under the age of 16 (this may be lowered to a minimum of 13 in the UK) so it would be worth finding out how you verify the age of anyone you collect personal data from. If you do collect children’s personal data, you could make sure that your privacy notice is written in language that can be understood by someone under 16. 

Step 9: Data breaches
The ICO takes data breaches very seriously and some organisations are already required to notify them when they suffer a personal data breach. Under the GDPR all organisations will be 
likely to result in a risk to the rights and freedoms of individuals.

If the breach could result in an individual facing discrimination, damage to reputation or financial loss (for example) you will have 72 hours to notify the ICO and you may need to identify the individuals at risk too. Failure to report a breach could lead to a hefty fine as well as a fine for the breach itself. 

For a lot of organisations this is the most concerning aspect of the changes the GDPR will bring with it - whether your company is large or small, it would be a good idea to discuss what you would do in the case of a data breach and think about putting procedures in place for everyone to follow if they suspect one.

Step 10: Data Protection by Design and Data Protection Impact Assessments
Privacy by Design has always been a good idea but under the GDPR it will be a legal requirement. This means that privacy and data protection compliance are considered from the start of a project through to the end. Privacy Impact Assessments (PIAs) are a good way to determine whether you’re working in a way that promotes Privacy by Design. Under the GDPR PIAs will become ‘Data Protection Impact Assessments’ (DPIAs) and will be mandatory under certain circumstances.

A DPIA is required when data processing is likely to put individuals personal data at risk e.g. where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is processing on a large scale of special categories of data. If a DPIA shows that the data processing is high risk, and you can’t address those risks, you will have to consult the ICO to seek its opinion on whether the processing operation complies with the GDPR.

The Article 29 Working Party has details on how PIAs can link to other processes such as risk management and project management.

Step 11: Data Protection Officers
Organisations such as public authorities, large businesses or companies that carry out the regular and systematic monitoring of individuals on a large scale should appoint a Data Protection Officer (DPO). 

The DPO will be responsible for data protection compliance and will be an authority on both what the ICO requires for your organisation to meet the GDPR and the data processing procedures within your organisation. This is an important role and appointment should not be taken lightly. The DPO will need to be fully supported by the team to be able to work effectively.

Step 12: International
If all your offices are in the UK and you only conduct business here then you only need to adhere to the information provided by the ICO.

If you conduct business in more than one EU member state, you need to figure out who your lead data protection supervisory authority is. Whichever EU State your main office is in (or wherever your main processing decisions are made) they will be the authority in charge of GDPR for the region.


It could be argued that it doesn’t make sense for UK companies to overhaul their systems to meet EU legislation when the UK plans to leave the EU in the next two years. However, GDPR will come into effect in May 2018, long before Brexit officially happens so UK companies will not be exempt from GDPR legislation.

In October of 2016, Karen Bradley, secretary of state for Culture, Media and Sport was quoted as saying "We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public."

Click here to see our Intro to the GDPR

Click here to find out what the GDPR means for Individuals

If you would like to talk about changes you can make to your company website in relation to GDPR, call us on 0117 9498008 or email

For more details on the GDPR, see the ICO website

Frances Smolinski

Created on Wednesday May 16 2018 04:03 PM

Tags: gdpr

Comments [0]


Add a comment

search blog.


contact info.

Telephone icon

Bristol: 0117 949 8008

Email icon

Get in touch via email