Share this content

GDPR: Two year countdown starts now

25th May 2016
Share this content

On 25th May 2018, the EU’s General Data Protection Regulation (GDPR) will come into play for all of its 28 member states.  

Despite the vast amount of information being publicised across member states, a recent survey found that 2 in 5 UK businesses are still unaware of the regulations.

While most businesses may see this as a distant future, a third of organisations (29%) don’t think the regulations apply to them at all.

But according to the Information Commissioner’s Office (ICO), most organisations, especially multinationals and those using large amounts of legacy data for marketing, should already be on countdown to the compliance date in two years’ time.

“The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades,” said outgoing commissioner, Christopher Graham, in April.

“Organisations simply cannot afford to fall behind. We know data protection officers understand this, and we know they sometimes find their views ignored in the boardroom. The new law gives directors 20 million reasons to start listening.”

Those 20 million reasons refer to the maximum financial penalty (€) the new regulations will slap on any business seen to breach compliance. With this in mind, last month, the ICO recently published a 12 step guide for businesses keen to get the ball rolling and ensure compliance, come 2018:


You should make sure that decision-makers and key people in your organisation are aware that the law is changing to GDPR. They need to appreciate the impact this is likely to have.

2. Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

3. Communication privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

4. Individuals’ rights

You should check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

6. Legal basis for processing personal data

You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

7. Consent

You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.

8. Children

You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

9. Data breaches

You should make sure you have the right procedures in place to detect, report and investigate personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.

11. Data Protection Officers

You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organsation’s structure and governance arrangements.

12. International

If your organisation operates internationally, you should determine which data protection supervisory authority you come under.      

Replies (0)

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.