Your guide to the GDPR challenge

You’re not alone in feeling nervous about the possible impact of GDPR (General Data Protection Regulation) on your business. There’s a growing volume of noise on the subject right now, which is mixing dense technical jargon with uncertainty and a dash of scaremongering. To help you form a better understanding of the risks to, and obligations of, your business, we’ve put together this short guide to GDPR. Be aware that the fine detail of GDPR is still being decided, and that its impact could vary depending on the size and nature of your organisation. This guide can only provide an overview and you should consider taking specialist advice.
The basics of GDPR
GDPR comes into effect on 25 May 2018. It updates and strengthens the current data protection rules. It’s largely focused on personal data, such as names, addresses and other information held about individuals. Unlike the current data protection rules, it applies to records held on paper as well as those held digitally. If your organisation holds detailed sensitive information about people, or information on children or young people, get expert advice on how the new rules apply to you. GDPR strengthens the individual’s ‘right to be forgotten’. People can ask to be deleted from your records, and expect that deletion to be carried out. Organisations that break the new rules face the threat of massive fines, up to the higher of Euro 20 million or 4% of global sales.
GDPR and digital marketing
Many businesses are worried about the impact of GDPR on the mailing lists they’ve spent years building. They’re concerned that if they can’t prove that someone asked to be included on the list, they may be in breach of the new rules. However, you can continue to email people working for limited companies, limited partnerships and government institutions, as long as you give them a route to opt out. You will need to get permission to email private individuals, sole traders and those working in unincorporated businesses. Getting permission means being clear about what you’ll do with any information they supply, and having them make a clear choice to ‘opt-in’. The introduction of GDPR could be a good opportunity to clean up your marketing database, or indeed to consolidate multiple databases that have grown up over time. It’s a chance to get rid of duplicate or out-of-date information.
GDPR and business data
Even the smallest business accumulates a mass of data over time, and it’s often stored inconsistently and insecurely. Where that data contains information about individuals, it probably falls under the scope of GDPR. A first step to achieving GDPR compliance is to conduct an audit of all the data in your organisation. This includes everything from your HR system to a spreadsheet of contacts that a member of your sales team maintains on their laptop. Consider creating a map of how personal data flows through your business, from the point of capture (such as signing up to an email list) to all its potential uses, and its eventual deletion.
If you don’t already have them, you probably need policies around issues such as:
  • Preserving privacy
  • Handling requests to review the information you hold
  • Dealing with ‘right to be forgotten’ requests
  • Accountability for processing of personal information.
Don’t hold more information on someone than you need to. Minimisation is a key principle of GDPR. This is probably a good time to create a culture of privacy that respects the rights of customers and contacts, balancing the needs of your business with the obligations of GDPR.
GDPR and data security
Any data you hold on individuals should be secured to prevent unauthorised access, and you should consider regular audits of your security. Businesses should also prepare procedures for handling a data breach. Based on the type of data you hold, you can predict what information could be lost in a breach, which lets you draw up contingency plans for notifying the relevant authority and, if appropriate, contacting those whose data may have been taken. Preparing for a data breach includes:
  • Educating staff in what constitutes a breach
  • Implementing an internal process for reporting potential breaches
  • Having a process for reporting breaches externally
  • Developing procedures for investigating and learning from breaches.
We can help you prepare for GDPR
By keeping ourselves up to date with the latest news and guidance on GDPR and related technology issues, we’re well positioned to support our clients through this major change to data protection rules. If you would like to know more about how to prepare for the new GDPR requirements, give us a call on 0345 051 0600 or email us. We would be pleased to have a no-obligation conversation with you. Alternatively, follow us as we share news updates and information on Twitter, Facebook or LinkedIn. It’s safe to assume that rules around data privacy and security will continue to get tighter, and the penalties for non-compliance will get tougher. Businesses that want to thrive in this new environment are already adapting how they operate, and are looking to take advantage of having better quality data available to them.