Get your data in order: 12 things to do in readiness for General Data Protection Regulation

16 Nov 2016

The UK government has announced its decision to adopt the EU General Data Protection Regulation (GDPR) regardless of Brexit. This has been widely welcomed for bringing some much needed certainty to those holding and/or processing data. 

The GDPR is due to take effect in the UK and EU member states from May 2018, and, in the UK, will replace the Data Protection Act 1998 (DPA). 

Key changes to be introduced by the GDPR are:

  • Greater control conferred on individuals over their personal data
  • Stricter rules on organisations for obtaining consent
  • Greater emphasis on keeping individuals informed
  • Demonstrating compliance
  • Privacy by design
  • Strict rules on notifying breaches
  • Increased fines for non-compliance (of up to 4% of global turnover)
  • Direct obligations and liability for data processors

The GDPR keeps the spotlight on data security and safeguarding personal data to be exported outside the UK and the EEA.

The Information Commissioner’s Office (ICO) has advocated early preparation for GDPR implementation, and has published a 12 step checklist, summarised below.


  1. Awareness

Raise awareness of the impending changes amongst your organisation’s decision-makers and the likely impact this will have, particularly on compliance.


  1. Information Held

Conduct an audit of the personal data your organisation holds, where it came from and with whom it is shared.


  1. Communicating Privacy Information

Review your existing privacy notices (or privacy policies) in light of GDPR changes.  Once implemented, the GDPR requires your organisation to explain its legal basis for processing, the retention period, and the right for data subjects to complain to the ICO. 


  1. Individuals’ Rights

Check your existing procedures cover how to respond to requests from data subjects seeking to exercise their GDPR rights.  While these rights are similar to those under the DPA, additional rights arise around profiling and data portability which you must take on board.


  1. Subject Access Requests

Update your organisation’s procedures for dealing with subject access requests to reflect changes introduced by the GDPR.


  1. Legal Basis for Processing

Assess the various types of data processing your organisation carries out to identify (and document) the legal basis for carrying out each type of processing.


  1. Consent

Review the way your organisation seeks, obtains and records consent for data processing and make any necessary changes to become GDPR-compliant. 


  1. Children

Consider adopting mechanisms to verify a person’s age, and always obtain a parent or guardian’s consent before processing children’s personal data – the GDPR introduces greater protection for children’s personal data. 


  1. Data Breaches

Check that you have correct procedures in place to detect, report and investigate breaches – the GDPR imposes a general obligation to notify where breaches occur.


  1. Data Protection by Design and Data Protection Impact Assessments

Adopt a privacy by design approach and data minimisation approach.  Your organisation should familiarise itself with ICO guidance, including on Privacy Impact Assessments – required to be  undertaken where high risk processing is involved.


  1. Data Protection Officers

Consider if you need to appoint a Data Protection Officer (DPO).  If your organisation is a public authority or its activities involve regular and systematic monitoring of data subjects on a large scale, you must appoint a DPO.  Even if you are not so required, consider appointing someone responsible for data protection compliance within your business.


  1. International

If your organisation operates internationally, consider which data protection supervisory authority applies to it under the GDPR’s new “one stop shop” approach to supervision. 


Given the clock is now ticking, you need to take action now to ensure your house is in order.  For help with preparing for the GDPR, please contact Anthony Lee or John Yates.

Further reading

DMH Stallard partner named 'Corporate Lawyer of the Year'

Blog, News & PR
Corporate Lawyer of the Year awarded to DMH Stallard partner at the Surrey Law Society Legal Awards 2021
Read more Read

Carer’s leave – a new right to be introduced

The Government has published its response to the consultation on carer’s leave - Abi Maino summarises the key point
Read more Read

Is the end in sight for upward-only rent reviews?

Blog, Legal Updates
Are upward only rent reviews set to become a thing of the past? Cheraine Williams reflects on a Private Member’s Bill going through the House
Read more Read

Is the end in sight for upward-only rent reviews?

Blog, Legal Updates
Are upward only rent reviews set to become a thing of the past? Cheraine Williams reflects on a Private Member’s Bill going through the House
Read more Read
  • Brighton Office

    1 Jubilee Street


    East Sussex

    BN1 1GE

  • Gatwick Office

    Griffin House

    135 High Street


    West Sussex

    RH10 1DQ

  • Guildford Office

    Wonersh House

    The Guildway

    Old Portsmouth Road



    GU3 1LR

  • Horsham Office

    Ridgeland House

    15 Carfax


    West Sussex

    RH12 1DY

  • London Office

    6 New Street Square

    New Fetter Lane


    EC4A 3BF

  • Get in touch