8 Important Steps To GDPR Happiness

GDPR Compliance A Step By Step Guide

The last two articles I’ve written on GDPR have been about what it is and what it might mean for you and your clients (Overview and Basics and GDPR Nuts and Bolts). In this article, I want to focus on how you can go about implementing GDPR in your business, whether you are a self-employed individual or a medium-sized business.

There is no silver bullet for GDPR compliance. It involves looking at your business today and in the future and putting data protection at its core. We’ve all said we take the security of your data seriously – now we need to stand by those words and show it. This article is about showing it. GDPR talks about the technical and organisational measures a business uses to protect data. Technically, there is a myriad of encryption and security products that will bolt down your data, but this is just one layer; the other layers are the business processes that wrap around data protection in your business. Both are equally important.

If you are struggling with GDPR Compliance and don’t know where to start Buzz Web Design & Consultancy has put together a helpful pack to get you started on the road to compliance by 25th May 2018 – GDPR Compliance Pack 

Step 1 | Get Myself Registered with the ICO

Nice and easy, this step. Get yourself over to the ICO website and register, if you haven’t already. More than likely you’ll need to pay £35 for the privilege. There is a tool you can use to check whether you need to register; for most people, the answer will be yes. Link below.

Register With The ICO

Step 2 | Get Yourself Up To Speed

As a business, small or large, you need to ensure that you as the business owner and your employees understand GDPR. It’s unreasonable to expect individuals to be able to quote GDPR verbatim, but it is reasonable that the business owner and employees have a grasp of what the regulation is, what it covers and why it’s essential. It should start in the boardroom and filter out from there. Larger businesses may want to set up a formal communication plan for this purpose. You may even need to prepare some level of training material or refer people to the ICO Guide To GDPR.

Firstly, get yourself up to speed on GDPR: understand the principles and the rights of individuals. The last two articles I’ve written should help in this space (Overview and Basics and GDPR Nuts and Bolts).

Next, look at your business and identify what people need to know about GDPR. Very often people in different roles in your business will come at GDPR from a slightly different angle, and communication to them will need tailoring for this purpose. If you are a small business, it may be as simple as a workshop to get the team up to speed. Whatever vehicle you choose, make sure everyone understands it, especially those who have contact points with data and with customers. You may find that you need to prepare regular updates to the business to keep attention on GDPR and on how compliance is progressing.

Aim | Understand GDPR and ensure all areas of my business understand it.

Step 3 | Turn Out Your Pockets – Find and Purge Your Data

Ok, now this one is a biggy for most businesses. You need to look for the pockets of data in your business – don’t leave a stone unturned! Most companies (large corporations are the worst for this) have data all over the place – yes, there are the HR and CRM databases and cloud storage, but you also need to root out the ‘homespun’ Excel spreadsheet and Access database that was created by the finance whizz who left the organisation ten years ago! Even the stray backup of a hard disk that was taken and left to collect dust in a cupboard.

You need to examine the data and understand where it is, why you have it, what the legal basis is for holding it, how secure it is, who you share it with, what purpose it serves and whether you need it.

You need to bring this together in a document (a spreadsheet is best), recording:

  • where the data is
  • what the data is and how much there is (fields, volume, users)
  • the accuracy of the data
  • when the data was collected
  • what type of data it is – personal, sensitive, children’s data
  • what business process it supports (email marketing, recruitment, customer data)
  • why you are holding the data
  • how long the data will be held (retention period)
  • how it will be destroyed
  • any 3rd parties involved in the processing of the data
  • any data held outside of the EU

This step is all about understanding the data you hold, where you have gaps in your understanding of the data, and deleting absolutely anything you don’t need to keep because you can’t evidence a legal basis for holding it – consent, contract, legal obligation etc. The less information you have, the more comfortable your GDPR life will be.

It’s advisable to keep this document up to date as well. GDPR does include a requirement to keep records of processing, so it will serve that purpose. For small businesses or the self-employed, this may be a quick process – don’t skip it. Look at what you hold and document it. Keep it up to date.

You will find that doing this step shows you where you have gaps in GDPR compliance. More than likely you’ll see data that you have no consent for – think of mailing lists that you’ve built over time, or old accounts data that is no longer legally required but you’ve kept historical backups of. Use this step to root them all out and decide what needs to be done to get them compliant – it may mean deleting them, it may mean reaching out and asking for consent, it may mean checking the legal standing. Keep referring back to the six principles of GDPR for lawful processing of data. 6 Principles For Lawful Processing Of Data

Aim | Find, Document and Maintain My Business Data

Step 4 | Talking To My Customers, The World Of Privacy Notices

Whether you are a small or large organisation, you are going to need a data protection policy to control how your organisation processes personal and sensitive data. This will need to be communicated to your customers via a privacy notice or possibly contract. The language of these documents should be clear and unambiguous.

If you already have these documents, they will need reviewing for compliance with GDPR.

In the old world, your privacy notice had to state just who you were and how you intended to use the data, often in broad terms. Under GDPR you need to get specific. You need to explain your lawful reason for processing, how long you’ll keep the data for, and the rights the customer has in relation to the data. As a minimum it should include the following sections:

  • introduction – personal data is processed in line with GDPR, and this privacy notice states why we collect and process personal data and the rights the data subjects have relating to the collecting and processing of personal data
  • name and address of controller and DPO (if required for the organisation)
  • name and address of ICO as Supervisory Authority
  • a section on cookies – used on all websites these days
  • reasons and purpose for processing information
  • rights of the data subject – data subjects have eight rights
  • the legal basis for processing
  • security of processing
  • personal data retention periods
  • details of transfers to third country and safeguards
  • 3rd parties who process data on your behalf [listed] and links to the privacy notices for those parties

The ICO site has detailed information about privacy notices. It’s covered under the ‘Right To Be Informed’ and explains what clients have a right to know in relation to the data you hold on them and what needs to be covered in a privacy notice/policy: Privacy Notices & A Checklist

Aim | Update or Create Privacy Notices To Communicate With Customers

Step 5 | Let Me See My Data – Access Requests

Under GDPR, data subjects can request to see the data you hold on them, and requests need to be dealt with in 30 days. You can’t charge for these requests. You must provide the information in electronic format if requested.

Consider how you might meet this requirement, from identifying in your organisation when such a request has been made, acknowledging it, verifying the identity of the data subject, understanding the scope of information needed to complete the request, processing the request, reviewing the data for completeness and removing any reference to other data subjects (redaction), through to sending the information. Finally, GDPR requires that the information is sent securely.

Depending on the size of your organisation, this may be a simple process to implement or may require a level of process change. Being able to identify when such a request is made is the first step. It may not arrive in flashing lights, so a level of education will be required.

Aim | Implement A DSAR (Data Subject Access Request) process

Step 6 | My Business and GDPR In The Future

One of the essential elements of GDPR is that businesses consider data protection going forward in their organisation, to ensure that data protection doesn’t just become a ‘bolt-on’ to your business but is at its heart in all you do. The phrase used for this is ‘data protection by design and default’.

In a nutshell, data protection should be considered in all future projects and endeavours. It should take the form of an impact assessment, which GDPR snappily calls a Data Protection Impact Assessment (DPIA). GDPR mandates the use of one under certain conditions – where there is likely to be a ‘high risk to the rights and freedoms of Natural Persons’. Article 35 of the regulation details these – 6 conditions are stated. ICO DPIA Link

It doesn’t have to be a painful process; it comes back to a mindset and step 2 of the plan – ensuring you and your team/employees have an awareness and understanding of GDPR.

If you have a formal project initiation process in your business for managing change, a DPIA would be ideal to consider as part of the start-up phase of a project.

If you are a smaller business, then it may be as simple as ensuring that when you implement something new in your business you consider how it might impact data protection. An example might be a new supplier processing data on your behalf. You would want to check that the supplier is GDPR compliant, reassure yourself that the data is secure, and update privacy notices and contracts.

Aim | Impact Assess For Data Protection Going Forward

Step 7 | Help My Data Has Escaped?

Under GDPR it is mandatory to report data breaches to the ICO (the Supervisory Authority in the UK) within 72 hours. You need to have processes in place to identify, report and investigate a data breach. GDPR defines a breach as:

‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;’

If a breach is likely to result in a high risk to data subjects’ rights and freedoms, then you must not only notify the ICO but also communicate the data breach to the data subjects in a reasonable time frame.

However, if a data breach resulted in the loss of an encrypted disk and the encryption key remains secure, then this doesn’t need to be reported: the data would be unintelligible to whoever has the disk. In most cases, though, data breaches do need to be reported.

All data breaches, whether reported to the ICO or not, should be recorded.

If you do have a data breach, you’ll need to record the details, the consequences and the actions taken as part of the notification to the ICO. More from the ICO on data breaches.

Aim | Know your responsibilities, what should be reported, to whom and when for a data breach

Step 8 | Do We Need a Data Protection Officer (DPO)?

Not necessarily: for most small businesses there is no need for a designated DPO. However, someone in your business needs to take responsibility for data protection compliance.

You do need a DPO if you are:

  • a public authority (except for courts acting in their judicial
  • an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
  • an organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.

Aim | Decide whether a DPO is needed or not


So that’s it: 8 steps to GDPR happiness. The step that will take the most time and cost is understanding where your data is – Step 3. This step will lead to a series of further actions off the back of it that you need to be prepared for and close down. Don’t put GDPR on the back burner; take some steps today for GDPR happiness. It needn’t be a mountain to climb – just follow these steps.


If you are unsure about GDPR and what it might mean for your business, feel free to contact me for a free 15-minute chat. Contact Me

Buzz Web Design and Consultancy