Countdown to GDPR: 25th May 2018

Susan Jennings

Partner & Head of Corporate

View bio

February 5, 2018

Categories CorporateGDPR

Whether you’re (i) bored to death of being bombarded with emails regarding the European Union’s General Data Protection Regulation (GDPR); or (ii) scared to death at the extension of powers of the Information Commissioner’s Office (ICO), who will be able to impose fines of up to €20 million or 4% of annual worldwide turnover; or (iii) oblivious to the above, the clock is ticking and businesses now need to take action.

The aim of the new laws on data protection is to ensure that personal data is protected and may only be processed (that is, obtained, recorded, held, used or disclosed) under certain circumstances.

The onus will be on the management within any business to ensure it can demonstrate compliance with the new accountability principle contained in the GDPR.

Businesses need to undertake the following steps:

  1. Audit the data held, i.e. what information do you hold, how it was obtained, who has access to it, what it is used for and how long it has been held; do you still need it?
  2. Identify on what lawful basis the data is held; for example, do you have consent?  Note that implied consent through an opt-out will not be sufficient under the GDPR.  Express consent will be required if you have no other lawful basis.
  3. Update/implement internal policies regarding data processing and ensure that all staff are trained.
  4. Review existing privacy notices, data protection policies and both supplier and customer contracts to ensure they will be GDPR compliant.
  5. Review your IT infrastructure and capability for erasing or rectifying data.  Access request fees are going and individuals will have the right to be “forgotten”.
  6. Consider how secure your system is and devise a plan for security breach, disaster recovery and data restoration.  Notification regarding breach will need to be made to the ICO within 72 hours.
  7. Consider appointing a data protection officer.
  8. Introduce regular checks and training to monitor ongoing compliance.

There is a lot to do before 25th May 2018 but if businesses undertake the above steps they should be GDPR compliant in time.

If you need some assistance with your data protection policies, privacy notices and updating supplier or customer contracts then please contact Susan Jennings at or Jamie Bourne at