Are you prepared for the new General Data Protection Regulation?

The key steps to ensure your business is prepared.

On 25 May 2018, the new General Data Protection Regulation (GDPR) is set to take effect. Under the new rules, organisations which collect, store and process individuals' personal information will be subject to new obligations, with an increased emphasis on accountability and transparency. Here, we outline some key steps you should take to help ensure that your business is prepared.

Keep records relating to the personal information you hold

Businesses should make sure they have up-to-date records relating to the personal data that they hold. These records should include where the data came from and who it has been shared with.

Under the new GDPR, businesses must comply with the new 'accountability' principle, which outlines the need to demonstrate how they are abiding by the new data protection requirements.

Identify your lawful basis for processing personal information

Businesses must identify their lawful basis for processing activity within the GDPR, record this and update their privacy notices accordingly.

The GDPR will modify some individuals' rights, depending on a firm's lawful basis for processing personal data. If you use consent as your lawful basis for processing, clients will have a greater right to have their data deleted, if they so wish.

Your lawful basis will also have to be set out upon answering a subject access request. Businesses are advised to document their lawful basis so that they remain compliant with the accountability requirements of the GDPR.

Review your privacy notices

Businesses should review any privacy notices they have and, where necessary, make sure that these are amended in time for the implementation of the GDPR.

Under the new rules, businesses are required not only to inform individuals about their identity and how they intend to make use of the data, but also to explain their lawful basis for processing the information, as well as outlining their data retention periods. Businesses must also inform their clients that they have a right to complain to the Information Commissioner's Office (ICO) if they believe that there is an issue with the way in which their personal data is being handled.

Ensure adequate procedures are in place to prevent data breaches

Businesses are urged to make sure that adequate security systems are in place to detect, report and investigate any breaches.

The new GDPR will introduce a requirement for firms to report certain types of data breach to the ICO. The ICO must be notified if the data breach may result in a risk to individuals' rights and freedoms. Businesses will also be required to inform affected clients in cases where the breach results in a high risk to individuals' rights and freedoms.

Larger businesses may wish to create policies for handling data breaches, and communicate these to their employees.

Review how your business seeks and records consent

Businesses are advised to review how they seek, record and manage individuals' consent. Consent must be given freely, and should also be informed, unambiguous and verifiable.

The business must also provide simple ways for clients to withdraw their consent. 

Consider appointing a Data Protection Officer

Appointing a Data Protection Officer may help to ensure that your business complies with the stringent GDPR data protection rules.

Public authorities, organisations that process health records or criminal records and organisations that monitor individuals on a large scale are required to appoint a Data Protection Officer.

These are just some of the key measures you should consider to help ensure that your business is ready for the introduction of the new GDPR. Further information can be found on the ICO website.

© 2019 Blue Spire Limited. All rights reserved.