
Steps to Prepare for the General Data Protection Regulation

Author: Christopher Buck

The General Data Protection Regulation (GDPR) will govern how personal data is processed by data controllers and processors from May 2018. I share with you why we all need to start preparing now…
Despite the UK deciding to leave the EU, the GDPR will govern how personal data is processed by data controllers and data processors. Although the GDPR won’t kick in until May 2018, you should consider taking some steps now to get ahead of the game.

Step one – scope the changes

Not only should you be aware of the changes the GDPR will implement from May 2018, you should make sure your employees are, too. You and your employees should also be up to speed about the effect the changes will have and their potential impact.

Step two – review your personal data

You should review what personal data you currently hold, where it’s held and how you received it. It’s also a good idea to carry out an audit to determine whether any data you hold has been shared with any third parties. This will help you identify whether any risky processing activities are being carried out, and how these may need to be addressed.

Step three – review your privacy notices and policies

A review of your privacy notices and policies should be carried out to make sure they’re presented clearly and in plain language. The review will highlight any notices or policies that need amending under the GDPR. You can then put plans in place to update notices and policies where necessary, to make sure you comply with the GDPR from May 2018. Notices and policies need to be easily accessible, so get this in order if needed, too.

You should be monitoring, reviewing and assessing how you process data to establish whether you meet the required standards, and if there’s a need to build in safeguards to reduce data processing and the retention of data.

Step four – review the rights of your data subjects

A data subject is the person the data is about. It’s crucial the policies you have in place cover the data subjects’ rights. Under the GDPR, these rights are:

  1. the right to be informed, for example transparency of how personal data is used
  2. the right of access to their personal data, confirmation as to how it’s being processed and other supplementary information
  3. the right to rectify their personal information if it’s incorrect. If the personal data has been disclosed to a third party, the data controller must update this within one month of being notified of the rectification, three months where it is complex
  4. the right to be forgotten and request the removal and deletion of personal data, and notify third parties of such wishes where the data has been passed on
  5. the right to restrict processing by blocking or suppressing the use of personal data
  6. the right to portability and using their own data for their benefit
  7. rights related to automated decision making and profiling, for example safeguarding data subjects from risks, which potentially would otherwise occur without intervention
  8. the right to object to:
     8.1 processing based on legitimate interests or the performance of a task in the public interest/exercise of an official authority, including profiling
     8.2 direct marketing, including profiling
     8.3 processing for purposes of scientific/historical research and statistics.

Step five – access requests

You should review the way you handle access requests and make sure the timescales provided by the GDPR will be complied with.

Data subjects may also exercise other rights, such as erasure and rectification, as listed above. You should make sure you have procedures in place to deal with any and all data subject access requests, including requests from data subjects who may have unrealistic expectations of their rights.

Step six – processing your personal data

You should review how you process personal data and whether the GDPR will impose new obligations on you. Some organisations will be required to appoint a Data Processing Officer (“DPO”) or other supervisory authority who would be responsible for complying with the GDPR in respect of processing personal data. You should consider how this role will fit within your organisation.

You should document how and what data you’re processing and the legal basis for carrying out such processing. If you receive data processing services from a third party, you should also review any responsibilities you have and document them.

Step seven – consent

Putting procedures in place to show how you seek, obtain and record consent is really important. You may also wish to review whether you can show you have a legitimate interest in processing the data without consent, and that any such interest is not overridden by the data subject’s interests. If you do rely on receiving consent from data subjects, you’ll bear the burden of proof to show consent was both informed and provided freely.

You should also put verification procedures in place to confirm your data subjects’ ages, to determine whether parental consent is required. Parental consent was previously required for children under the age of 16. Member states can now legally lower this to 13 years old.

Step eight – data breaches

You should put policies in place to make sure data breaches can be detected, reported and investigated. If there are any breaches, you’ll need to react quickly to comply with time limits, so bear this in mind when you create these policies.

Step nine – privacy by design

You need to consider privacy from the outset and develop procedures early on, so that any new processing activity or product deployment complies with the GDPR. Think about how you’ll implement privacy by design in your organisation, too.

Step ten – international transfers

If your organisation operates internationally, you should think about the effect the GDPR will have. In particular, you should identify whether you need to appoint a DPO or other supervisory authority.

Where you’re transferring data to a jurisdiction that does not have an adequately recognised data protection regulation, you’ll need to show you have a legitimate interest for transferring to that jurisdiction. You could be liable to pay a fine of up to 20 million euros or 4% of your annual worldwide turnover for non-compliance.

If you’d like any support or advice about data protection or privacy matters, or would like to arrange an appointment to see one of our Solicitors, please contact us on 01908 660966 or feel free to email me on
