GDPR – We’re Prepared, How About You?


The General Data Protection Regulation (GDPR) is a piece of EU legislation which will apply directly in the UK from 25 May 2018. It builds on the existing data protection law that protects consumers’ personal data and privacy against loss or exposure.

All firms are likely to be affected by the GDPR, even if they only hold personal data relating to their employees. The Information Commissioner’s Office (ICO) advises that if you are complying with the current Data Protection Act, then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. That said, the GDPR places greater obligations on how organisations handle personal data and imposes heavier penalties for breaches.

Some parts of the GDPR will have more of an impact on some organisations than on others, so it is worth mapping out which parts of the GDPR will have the greatest impact on your business and giving those areas due prominence in your planning process.

The ICO has prepared a guide, available on its website, which provides advice on the changes and includes checklists for getting ready for the GDPR and 12 steps that firms should be taking now.

What should be my key considerations?
  1. Awareness - ensuring the key stakeholders and decision makers in the business are aware of the changes made under the GDPR
  2. Data mapping and identifying areas of risk - identifying and clearly documenting the flow of data across the business
  3. Accountability and Governance - clearly documenting data processing activities and any related decision making
  4. Roles & Responsibilities - appointing a DPO (if holding large amounts of personal data) or identifying who will be responsible for GDPR compliance
  5. Consent - consent needs to be given for one or more specific purposes. The consent must also be freely given, informed and unambiguous. The ICO's guidance states that "there must be some form of clear affirmative action - or in other words, a positive opt in - consent cannot be inferred from silence, pre-ticked boxes or inactivity."
  6. Privacy Policies - auditing existing policies and updating them to comply with GDPR requirements
  7. Portability - considering the extent to which the new obligations relating to data portability will relate to the business
  8. Contracts with third parties - identifying third party contracts relating to the transfer of personal data and considering whether those contracts need to be updated
  9. Subject access requests - the timescale to comply with such requests is being reduced from 40 days to one month
  10. International Transfers of Personal Data - documenting the flow of personal data from/to countries outside of the UK and identifying data transfer mechanisms and whether they are appropriate under GDPR
  11. Handling data breaches - considering what processes are in place for identifying, recording and responding to data breaches

For more information, please contact our compliance department:

Phone: 01732 753910   Email: