Tim Stevens
Wednesday, February 7, 2018

GDPR Essentials

The General Data Protection Regulation (GDPR) applies from 25th May 2018.

It affects every organisation that holds personal data, whether obtained in a B2B or a B2C context, and it is not limited to organisations established in the EU: a business based elsewhere that offers goods or services to people in the EU, or monitors their behaviour, is also in scope.

Please see below a checklist of things to implement and consider:

GDPR Awareness

Valuable GDPR information can be found on the ICO website (www.ico.org.uk), but you should also speak with experts in this field and then ensure your staff are briefed accordingly. It is important that everyone in your team is aware of the new legislation, how it affects them and which of their processes touch personal data.

Information You Hold

Document what personal data you hold, where it came from and how it was collected, the purpose and lawful basis for holding it, how long it is kept for, how you keep it up to date and who it is shared with. This record is the foundation for answering subject requests, scoping breaches and justifying retention.

Communicating Privacy Information

One of the main reasons GDPR was created was to make companies more transparent towards their data subjects. At the point of collection you must tell individuals who you are, what information you hold on them, what it will be used for and on what lawful basis, how long you will keep it, who you share it with and what rights they have over it.

Update your Privacy Notice

Your privacy notice needs to be updated in line with the new legislation, written in clear and plain language, and made easily accessible to your customers on your website.

Designate a Data Protection Officer

You may need to appoint a Data Protection Officer, who takes on responsibility for data protection compliance in your business. Appointing one is mandatory for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those processing special categories of data or criminal conviction data on a large scale; in other cases it is optional but still worth considering.

Data Subjects’ Rights and Requests

Individuals have the right to obtain a copy of the data you hold on them, together with the purposes of processing, where the data came from, how long it will be kept and who it has been shared with. You therefore need to ensure that each record carries this provenance so that a subject access request can be answered from your systems rather than reconstructed by hand.

Individuals can also request that their data be suppressed (restriction of processing, or an objection to marketing) or physically removed (the right to erasure). Your systems need to be capable of both: suppression keeps the record but stops it being processed, while erasure deletes it and, where it has been shared, obliges you to tell the recipients to erase it too.
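The two preceding paragraphs describe what a system must be able to do: carry provenance on every record, answer an access request from it, suppress a subject without deleting them, and erase a subject while remembering that they must not be re-added. The following is an added example, written for this page rather than taken from the original post or any vendor product, of one way to model that. The record fields, the store, and the use of a hashed e-mail address as a suppression-list fingerprint are all assumptions for illustration; the sample records are constructed.

```python
"""Minimal personal-data register with provenance, access, restriction and erasure.

Added example, not from the original post. Design choices are assumptions:
the hashed-identifier suppression list is one common way to honour an objection
or erasure across re-imports; in production the fingerprint should be a keyed
hash (HMAC with a secret) rather than a plain SHA-256 of the address.
"""
import hashlib
from dataclasses import dataclass, field, asdict
from datetime import date, timedelta
from typing import Dict, List, Set


def _fingerprint(email: str) -> str:
    # Normalise so "Ada@Example.com" and "ada@example.com" match after erasure.
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class PersonalRecord:
    subject_id: str
    email: str
    name: str
    collected_on: date
    collection_method: str               # how it was obtained, e.g. "web form"
    purpose: str                         # what it is used for
    retention_days: int                  # how long it may be kept
    shared_with: List[str] = field(default_factory=list)  # third-party recipients
    restricted: bool = False             # suppressed: kept but not processed


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: Dict[str, PersonalRecord] = {}
        self._suppression_list: Set[str] = set()

    def add(self, rec: PersonalRecord) -> bool:
        # A re-imported list must not silently reinstate an erased/objecting subject.
        if _fingerprint(rec.email) in self._suppression_list:
            return False
        self._records[rec.subject_id] = rec
        return True

    def share(self, subject_id: str, recipient: str) -> None:
        rec = self._records[subject_id]
        if rec.restricted:
            raise PermissionError(f"processing of {subject_id} is restricted")
        rec.shared_with.append(recipient)   # provenance: who received the data

    def access_request(self, subject_id: str) -> dict:
        """Everything a subject access request needs, straight from the record."""
        rec = self._records[subject_id]
        out = asdict(rec)
        out["collected_on"] = rec.collected_on.isoformat()
        retain_until = rec.collected_on + timedelta(days=rec.retention_days)
        out["retain_until"] = retain_until.isoformat()
        return out

    def restrict(self, subject_id: str) -> None:
        """Suppression: keep the record, stop processing and block re-adds."""
        rec = self._records[subject_id]
        rec.restricted = True
        self._suppression_list.add(_fingerprint(rec.email))

    def erase(self, subject_id: str) -> List[str]:
        """Erasure: delete the record; return recipients who must also erase it."""
        rec = self._records.pop(subject_id)
        self._suppression_list.add(_fingerprint(rec.email))
        return sorted(set(rec.shared_with))

    def may_contact(self, email: str) -> bool:
        return _fingerprint(email) not in self._suppression_list

    def expired(self, today: date) -> List[str]:
        """Subjects held beyond their documented retention period."""
        return [sid for sid, r in self._records.items()
                if today > r.collected_on + timedelta(days=r.retention_days)]


def demo() -> dict:
    """Walk through the requests the text describes on constructed sample data."""
    store = PersonalDataStore()
    store.add(PersonalRecord("s1", "Ada@Example.com", "Ada", date(2018, 1, 10),
                             "web form", "newsletter", 365))
    store.add(PersonalRecord("s2", "bob@example.com", "Bob", date(2016, 3, 1),
                             "trade show", "sales follow-up", 365))
    store.share("s1", "crm-vendor")
    report = store.access_request("s1")
    recipients_to_notify = store.erase("s1")
    reinstated = store.add(PersonalRecord("s3", "ada@example.com", "Ada",
                                          date(2018, 2, 7), "purchased list",
                                          "newsletter", 365))
    store.restrict("s2")
    try:
        store.share("s2", "mailing-house")
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "report": report,
        "recipients_to_notify": recipients_to_notify,
        "reinstated": reinstated,
        "may_contact_ada": store.may_contact("ada@example.com"),
        "share_blocked_after_restriction": blocked,
        "expired": store.expired(date(2018, 2, 7)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of `erase` returning the recipient list is that deletion on your own systems is only half the job when the data has been shared; the point of the suppression list is that a subject who objected should not reappear the next time a purchased or partner list is imported.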

Data Breaches

Procedures to detect, report and investigate data breaches must be in place. Where a breach is likely to result in a risk to individuals' rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it; where the risk is high, you must also inform the affected individuals without undue delay. Every breach, reported or not, should be recorded with what happened, its effects and the remedial action taken.

Risk Assessment

You will need to assess the risks of your data protection practices regularly. For processing that is likely to be high-risk (for example large-scale profiling or use of new technology on personal data) GDPR requires a Data Protection Impact Assessment (DPIA, also called a Privacy Impact Assessment) before the processing begins.

Security

The personal data you are holding needs to be protected with technical and organisational measures appropriate to the risk. Anti-virus software and firewalls on all devices are a baseline, but GDPR also expects encryption or pseudonymisation where appropriate, access controls so that only staff who need the data can reach it, the ability to restore access after an incident, and regular testing of these measures. If you hold hard copies of personal data, then these also need to be locked up appropriately.

Data Transfers / Third Parties

Identify any third parties that receive, hold or can access personal data you are responsible for (for example through a shared CRM) and ensure they adhere to the same GDPR standards and processes. Where a third party processes data on your behalf, GDPR requires a written contract setting out what they may do with it and how it is protected. You will also need to determine where this data is processed, since transfers outside the EU need a lawful transfer mechanism. It is worth running a risk assessment on each third party that has access to the company's personal data.

US Privacy Shield

If your company holds, transfers or processes personal data in the US, the transfer must rest on a recognised mechanism. At the time of writing the EU-US Privacy Shield is one such mechanism: the US recipient self-certifies to it, and you should check that each US recipient is on the Privacy Shield list and that the data flows are covered by its certification, or otherwise put an alternative such as Standard Contractual Clauses in place. Note that the Privacy Shield framework was invalidated by the Court of Justice of the EU in July 2020, so any reliance on it needs to be revisited.

For those choosing to partner with us, we strive to ensure our clients understand the principles and knowledge we hold on GDPR, and we hope that our latest blog post has helped to communicate this. For more information, feel free to contact us here