With so much information out there, it can be hard to pick out the key messages and be confident you're genuinely GDPR compliant. So what does GDPR even mean? GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679). It has applied since 25 May 2018, replacing the 1995 Data Protection Directive. The legislation introduced new and strengthened rights for individuals and places far greater data protection obligations on organisations.

GDPR in the UK

GDPR is an EU regulation, so it applies directly in the UK for as long as the UK remains a member of the EU. With Brexit looming, how does that affect the UK? The Data Protection Act 2018 (introduced to Parliament as the Data Protection Bill) is already on the statute book: it supplements GDPR, fills in the areas the regulation leaves to member states, and, together with the European Union (Withdrawal) Act 2018, provides for the GDPR regime to be retained in UK law after exit. In practice, organisations should expect the same obligations to continue post-Brexit.

Searching for a GDPR summary?

GDPR tightens the rules on consent and gives individuals a set of enforceable rights. It's important to prepare for each of these to ensure you're GDPR compliant. You might hear these loosely described as the "eight principles", but that is a mix-up: the eight principles belonged to the Data Protection Act 1998, GDPR has seven principles (Article 5), and the individual rights are set out separately in Chapter III (Articles 12 to 22). In summary, what you need to prepare for is:

  • consent - where consent is your lawful basis it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (Articles 4(11) and 7); pre-ticked boxes, silence or inactivity do not count
  • the right to withdraw consent - at any time, and it must be as easy to withdraw as it was to give (Article 7(3))
  • the right to be informed - all organisations must be transparent about how they use personal data, normally through a privacy notice (Articles 13 and 14)
  • the right of access - individuals can obtain confirmation that you process their data and a copy of it, via a subject access request (Article 15)
  • the right to rectification - individuals can have inaccurate or incomplete personal data corrected (Article 16)
  • the right to erasure - often referred to as the right to be forgotten (Article 17)
  • the right to restrict processing - in certain circumstances individuals can require you to store their data but stop using it (Article 18)
  • the right to data portability - individuals can obtain their data in a structured, commonly used, machine-readable format and reuse it for their own purposes (Article 20)
  • the right to object - in some circumstances, including direct marketing, individuals are entitled to object to their personal data being used (Article 21)
  • rights in relation to automated decision-making and profiling - safeguards against a decision with legal or similarly significant effects being made solely by automated means, without human intervention (Article 22)

Maintaining GDPR in 2019

Understanding how to assess whether your organisation is GDPR compliant is critical. Every organisation is different, with its own data processes, so a two-pronged approach is typically recommended. First, set up a GDPR project group to identify where change needs to take place; the ICO has published a 12-step plan to support this, summarised below. Second, with administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher (Article 83), it is always worth seeking expert legal advice.

12 steps to help you prepare and be GDPR compliant

You may well already have a GDPR project under way, but the ICO's 12-point action plan is a useful check that you are heading in the right direction. As already covered, obtaining legal advice is also recommended to confirm your organisation is fully compliant.

1. Awareness – make sure decision makers and key people are aware of the law, and consider where workforce training is required.

2. Information you hold – conduct a thorough audit and document the personal data you hold, where it came from and who you share it with.

3. Communicating privacy information – review your current privacy notices and update them where required.

4. Individuals' rights – check your processes and procedures cover all of the rights individuals have under GDPR, including how you would delete data or provide it electronically.

5. Subject access requests – update your procedures so you can handle requests within the new timescale: normally one month, and in most cases free of charge.

6. Lawful basis for processing personal data – identify and document the lawful basis for each processing activity, and make sure your privacy notice reflects it.

7. Consent – audit how you seek, record and manage consent. Consents that do not meet the GDPR standard will need to be refreshed.

8. Children – check whether you need processes to verify ages and obtain consent from a parent or guardian. The UK has set the age at which a child can consent to online services at 13 under the Data Protection Act 2018.

9. Data breaches – ensure robust procedures are in place to detect, report and investigate a personal data breach. Breaches that are likely to risk individuals' rights and freedoms must be reported to the ICO within 72 hours of becoming aware of them.

10. Data protection by design and data protection impact assessments – familiarise yourself with the ICO's code of practice on Privacy Impact Assessments. The Article 29 Working Party guidelines on DPIAs are also a must read.

11. Data Protection Officers – designate someone to take responsibility for data protection compliance, and assess whether you are required to appoint a formal DPO.

12. International – if your organisation operates in more than one EU member state, determine your lead supervisory authority.

Follow the 12-point action plan and you're on your way to GDPR compliance. It is a useful training and guidance tool for project groups and doubles as a practical GDPR checklist.