Steps Companies Can Take to Be GDPR Compliant

Steps Companies Can Take to Be GDPR Compliant

The GDPR stands for the General Data Protection Regulation, and if your business collects any type of customer Personal Data, it’s likely that you’re going to have to make some changes to the way your business runs. Regulation like the GDPR can be confusing to those who aren’t familiar with this area, so let us break it down for you.

Do business in Europe? You need to read this…

Chances are you have some dealings within the EU – whether they’re business customers or end-users collecting or processing Personal Data.

In order to do business with any company or person based in the European Union, you’ll have to comply with GDPR – as will your suppliers.

What is the GDPR and why am I hearing so much about it?

A good place to start is with the Data Protection Act 1998, which basically set the ground rules around the use of data in the U.K.

The problem is that in those days, companies were still storing records on paper in filing cabinets. A lot has changed since then, so, naturally, regulation has to change too.

The GDPR incorporates much of the same fundamentals as the Data Protection Act 1998 with a fresh coat of paint – but there a few additional responsibilities for companies too. GDPR is a single EU Regulation which covers the whole of Europe, on the 25th May 2018 as incorporated in the Data Protection Act 2018.

Let’s also learn about roles?

The key three roles under the GDPR are defined as follows:-

  • Data Controller means a natural person, business, public authority, agency alone or jointly determining the purpose of the personal data.
  • Data Processor means a natural person, business, public authority, agency which processes personal data on behalf of the controller.
  • Data Subject means the identified or identifiable living individual to whom personal data relates.
  • Personal Data means any information relating to an identified or identifiable natural person (‘data subject’)

It is important to position the role and responsibility because this does vary from time to time. For example, as a business, if you collect Personal Data from your customers and determine its use then your role is likely to be a controller. Equally, if you are processing Personal Data on behalf of your customer then your role is a Data Processor.

An expert’s role would as per ICO guideline be of a data controller. The correct roles must be in contracts or any data processing agreements. Further, any whitepapers by industry as to specific roles may be considered by a business.

What is the purpose for processing the Personal Data?

This was the first principle ‘fair and lawful’ processing in the Data Protection Act 1998 which is expanded in Article 5 of the GDPR. As a business you may well be tempted to just put a single basis of legitimate interest for processing as a single basis for processing Personal Data.  The GDPR has a number around 6 purposes which can be adopted by you. The ICO mentions that no single basis is ‘better’ or more important so you should consider which basis is the most appropriate to include in your data map. Along with this consider any additional other privacy legislation lawful purposes which may be required for example where special category Personal Data is going to be processed.  This type of Personal Data is sensitive in nature requires more protection. Whilst certain other purposes could also carry additional tests.

This is also linked to other areas of the GDPR where a business acting as the Data Controller is going have to demonstrate categories of processing and also depending on which purpose you use it will determine the Data Subject rights which apply along with any exceptions.

It is important to ensure the accuracy of the Personal Data

The Personal Data collected or processed will be accurate and, where necessary, kept up to date in line with data protection principle. The Data Controller will take steps to ensure that incorrect Personal Data requested is updated to its current accurate state. If there are any inaccuracies use reasonable endeavours to either erase or rectify without delay; making it complete and reliable instead of inaccurate, incomplete, or not up to date. Your business may keep records of mistakes so long as such mistakes are corrected.  The Data Subjects can exercise the right to rectify if it’s inaccurate.

What are the Data Subject’s rights?

There is a right to access from the controller, Personal Data being processed and any supporting information can be provided by your suppliers.  Where Personal Data is incorrect, right to rectification this is discussed further down. There may be times where a Data Subject withdraws consent, or the purpose does not exist for this then the Data Subject has the right of erasure.  If a Data Subject moves from one provider to the next (e.g. a dentist) they may ask for their Personal Data and request this to be transmitted to another controller with right of portability. The Data Subject may object depending on the situation to the processing of their Personal Data.

These should be detailed in the privacy policy. There may be some exceptions to these rights which could apply. Businesses and suppliers may also have to align some operation processes to ensure how they are able to deal with such requests. For any business, it is important that the operational time frames are in line with the regulation time frames.

Using other suppliers as processors for your business?

If your business is using suppliers processing Personal Data on your behalf you need to ensure that they have instruction and authority to process the Personal Data. When technical and security measures of Article 32 either at the pre-contract checks are carried out or during renewals or audit to get confirmation that they meet GDPR requirements and even include in the contract. If you’re using offshore business processing further information can be found here.

Ensure that there is contract documentation in place which clearly outlines the purpose, duration, deletion along with processing activities. There is a commitment from the supplier to assist you during investigations and data breaches.

How long can Personal Data be kept for?

The Personal Data collected by a business should be kept in line, the principle data should not be kept for any longer than necessary and for a legitimate purpose.  This can be as per the periods outlined in a retention policy. There may be other reasons for e.g. accounting it may be kept for periods in line with the Company’s Act or for any legal actions.

Any agreements with the Data Processor will provide provisions to the Data Controller to either return or destroy the Personal Data except for any retention periods.

Cookies and consent related to cookies

This area is governed under ePECR and also appears in the GDPR. If your website is using cookies, then a simple website acceptance of cookies when a visitor enters your website was the norm previously. The consent mechanism is as per the GDPR “Data Subject means any freely given” with an affirmative action where there is a processing of Personal Data and the Data Controller can demonstrate this. Detailed opt-in is required including any opt-ins into analytics cookies for a visitor to select. Whilst there are several cookie bots out there make sure the one you adopt meets the Commissioner’s guidelines.

What is the role of a Data Protection Officer (DPO)?

The Data Protection Officer will assist the business in deploying and dealing with GDPR or privacy matters as and when they arise. They will act in an independent manner representing your business either for a Data Controller or Data Processor.  If you are a public body,  a Data Controller processes large amounts of data with systematic monitoring of Personal Data of Data Subjects or, as a Data Controller or Data Processor, processing large amounts of special categories Personal Data then a DPO should be appointed.  In certain European countries, this is further extended by the number of employee’s threshold, if a business has met this then they may be required to have a DPO in line with the local legislation.

As part of the processing activities, the DPO contact details must appear if Personal Data have not been collected from the Data Subject. The contact details allow the Data Subjects but also the regulator to deal with DPO as a point of contact.

The DPO will be engaged in Personal Data breach reviews and will not have a conflict of interest. The Belgian Data Protection Authority found in their inspection report on responsibility in the event of data leaks and position data protection officer that the DPO was not independent as they were not involved in Personal Data breach reviews and with the role of audit/risk also not sufficiently free from conflict of interest.

A key question that keeps recurring from customers is on Brexit does your business have details of European DPO contact.  Most business with a global presence will have coverage. A DPO for your business is the go-to subject matter expert on data protection.

Is registration requited with the regulator?

This is usually the Data Controller who will need to register and will need to supply supporting information unless they are exempt. The registration is governed by The Data Protection (Charges and Information) Regulations 2018. There are various different charges depending on the size of your business.

But Brexit is happening – surely EU regulations don’t apply?

Even though we’re exiting the EU at the end of 2020, the GDPR will continue to apply including any amendments into U.K. law after the U.K. leaves the EU.  Prior to this, the new Data Protection Act 2018 Part 2 of this Act has a pointer right back to the GDPR and the rest introduces new areas which are not in the GDPR.

The GDPR will still supplement the UK’s Data Protection Act 2018 and is referred to in the EU’s Brexit Withdrawal Bill, so most of its principles will remain. The EU’s Justice commissioner wants to ensure that proper GDPR rules are applied between EU and UK on exit. If you have European customers and you’re continuing doing business with them it’s unlikely they will sign up for anything less than the GDPR.

What happens if I don’t comply?

If Personal Data is leaked due to a security breach and insufficient technical or security measures which are not in place, then a business could be fined for failing to comply.

The supervisory authority could fine either (i) 10 million or 2% annual global turnover (ii) 20 million or 4% annual global turnover, whichever is higher.

Find out how we helped one client with their GDPR compliance requirements.

Download Our Case Study

If you’d like to check your GDPR compliance, we’d love to hear from you. Email us at or reach me on 07375 950 463.

Get Your Free Consultation