GDPR – take action now!

On 25th May 2018 the General Data Protection Regulation (“the GDPR”) will replace the current Directive and will become immediately applicable in all Member States of the EU. Regulated by the Information Commissioner’s Office (“the ICO”), the GDPR brings with it new legal rights for individuals, more accountability for organisations, higher standards of consent and significantly larger fines. It also strengthens the rules around personal data and gives people greater control over their own personal data.

With only 6 months to go before the GDPR becomes law, many organisations are panicking as they have yet to put plans in place to ensure that they are compliant with the regulations. The ICO has published a 12 step guide to assist organisations in their preparations for the introduction of the GDPR and it would be our recommendation that these steps are implemented: –

In summary, the 12 steps are as follows:

  1. Be aware of the changes now and do not leave your preparations until the last minute.
  2. Document what personal data you hold, where it came from and who you share it with.
  3. Review your current privacy notices.
  4. Check your procedures to ensure that they cover all of the rights that individuals have in respect of their personal data.
  5. Update your procedures and plan how you will handle subject access requests.
  6. Identify the lawful basis for your processing activity and document it. This will help you comply with the GDPR’s ‘accountability’ requirements.
  7. Review how you seek, record and manage consent. You should make the appropriate changes if your existing consents do not meet the GDPR standards.
  8. Put systems in place to ensure that special protection is given to children’s personal data. An individual’s age should be verified and parental consent must be obtained for any data processing activity.
  9. Put procedures in place to detect, report and investigate a personal data breach.
  10. Adopt a ‘privacy by design’ approach and familiarise yourself with the guidance provided by the ICO on Privacy Impact Assessments:
  11. Designate someone within your organisation to take responsibility for data protection compliance.
  12. Identify your lead data protection supervisory authority if you operate in more than one EU member state.


Depending on the nature of your organisation, some aspects of the GDPR will have more of an impact than others. It is therefore important to identify the provisions of the GDPR which will have the greatest impact on your business and to put plans in place to ensure that you comply with those regulations.

Falling foul of the GDPR can lead to huge fines – up to 4% of an organisation’s total global annual turnover or €20 million, whichever is the greater. It is therefore of utmost importance that you get it right.

If you require assistance or advice on the GDPR please contact us immediately.