Are you GDPR ready?
On 25th May 2018, the General Data Protection Regulation (GDPR) will take effect. If you have not yet taken steps to make your business GDPR-compliant, now is the time to take action.
While the Information Commissioner’s Office (ICO) has indicated that it is not intending to issue large fines immediately from 25 May, businesses must be able to demonstrate that they are taking the necessary steps to comply.
Those businesses that are ignoring the upcoming changes, or have failed to take any steps at all, will be most at risk of fines.
GDPR action list
To ensure this doesn’t happen to your business, check out the five key steps you should be taking before the deadline:
Marketing: if you carry out marketing as part of your business, you should review your lawful basis for such marketing. If your lawful basis is consent, then you will need to refresh these consents to make them GDPR-compliant prior to 25 May.
If you do not do so before 25 May, you may have missed your opportunity to do so: following this date it could in itself be unlawful to contact those individuals, and your business could be exposed to potential fines.
If you are relying on legitimate interests as your lawful basis, be warned – this will not be appropriate for all businesses and therefore a bespoke evaluation of your databases and communications is advised.
Privacy notices: even if you are not refreshing consents, you will need to provide updated privacy information to individuals whose personal data you hold.
This is usually done through your privacy notice, which will need to be updated to comply with the specific requirements of the GDPR. You will need to communicate these updated policies to your employees, suppliers and customers.
Contracts: all contracts that include any element of personal data-sharing (which will be most of your contracts) will need to be updated to comply with the specific requirements of the GDPR.
This will include your employee, supplier and customer contracts. Again, you will need to communicate these updates to the relevant parties and ensure they are validly incorporated/accepted.
Security and technology: you should review your data security (technical, physical and organisational) and establish what additional measures you can take to protect the personal data held by your organisation. The GDPR requires "appropriate technical and organisational measures" proportionate to the risk, and names pseudonymisation and encryption of personal data among the examples, so document what you hold, where it is stored, who can access it and how it is protected, and record the reasoning behind the measures you choose.
Testing: you may want to conduct certain drills to test how ready your business is for the GDPR.
This could include systems penetration testing, which can be conducted in tandem with your IT/cyber security provider, and data subject access request and data breach simulations to evaluate the readiness of your business for dealing with these events. A breach simulation should test, in particular, whether you can detect, assess and, where required, notify the ICO of a personal data breach within the 72-hour window the GDPR sets, and a subject access request drill should test whether you can locate all of an individual's data and respond within the one-month time limit.
The results of such tests should then be discussed, reviewed and used to improve/update your policies and procedures going forward.
Remember, your GDPR compliance project does not end on 25 May. GDPR compliance is an ongoing project and businesses should be continually reviewing, evaluating and updating their approach to GDPR compliance to make data protection a key part of their business strategy.
The Federation of Small Businesses has a useful page on GDPR: fsb.org.uk/first-voice/topic/gdpr
Is your website GDPR compliant?
We can audit your website for £200+VAT. Get in touch if you want to find out more.