GDPR Crib Sheet: 10 Practical Tips


Contributor: Alex McPherson, Co-Founder and Partner of Ignition Law

On 25 May 2018 the General Data Protection Regulation (“GDPR”) comes into effect, impacting businesses from dental clinics to streaming services by imposing obligations on all companies that process and/or hold the personal data of persons residing in the European Union. With fines for violation potentially reaching €20 million (or 4% of annual turnover), and supervisory authorities with extensive investigative powers, ensuring compliance with the GDPR is a key consideration when launching or scaling a business. The checklist below contains the principle actions to consider.

  1. Understand what “personal data” is, and evaluate how much is needed

The GDPR definition of “personal data” is broad, comprising any information relating to a natural person that can be used to directly or indirectly identify them. Examples include a name, a photo, a computer IP address, and posts on a social network.

New enterprises should discuss and document what personal data it is necessary to collect for business operations, while existing organisations should conduct an audit of the data they already hold. Any data that is not required should be deleted. No data should be kept for longer than necessary.

  1. Instil a culture of respect for personal data 

Protecting private data should be the default position of your company. All staff should receive training on the requirements of the GDPR. New and early-stage businesses are unlikely to require a Data Protection Officer (“DPO”) (unless conducting large-scale processing of certain sensitive data) but it is prudent to designate a person within your organisation as in charge of data protection.

  1. Understand your grounds for processing data

You must have a lawful ground for processing personal data. These include processing data in your legitimate interests; processing data to give effect to a contract; processing data in accordance with your legal obligations; and processing data for which you’ve been given consent. This means you do not need consent for processing every piece of personal data you hold but be careful – if the grounds you rely on is that it’s in your legitimate interests you must weigh this up against the data subjects rights every time you process their data.

  1. Design measures to obtain appropriate consent 

Under the GDPR, consent in respect of personal data is only valid if it is freely given, specific, informed and unambiguous. Companies can no longer bury passive consent in complex terms and conditions. In order to send marketing materials to previous customers, for example, a company should obtain positive consent in a clear and intelligible manner, such as an “opt in” tick box. New consent should be obtained for each new use of the data, and it should be as easy to withdraw consent as to give it. There are further requirements for companies processing children’s data.

  1. Include appropriate provisions in employment/consultant contracts

It is not only customers whose personal data must be protected, but that of employees/consultants, too. Such personnel should also undertake to adhere to the provisions of the GDPR. Contracts should be updated to ensure employees and contractors process client data in accordance with company policies. You should also inform employees that you will be processing their personal data as part of the employment relationship.

  1. Introduce data-security measures and breach-response procedures

Store personal data in a secure location with password protection. Have a process in place to facilitate the identification, escalation, management, and reporting if necessary, of security breaches.

  1. Draft appropriate policies 

Companies should draw up a privacy policy, a data breach policy and appropriate terms and conditions. The privacy policy should detail what data will be held, the legal basis for holding it, the purpose for which it will be used, and retention policies/periods. As the GDPR grants citizens the “right to be forgotten”, the privacy policy should explain how to discover what data is currently being held and request a deletion. There is also a list of rights given to data subjects in the GDPR, which privacy notices should explain.

  1. Develop procedures for dealing with subject access requests 

Upon request by a data subject, companies have one month to provide, free of charge, a copy of the relevant personal data they are processing. Have a procedure in place for expediently dealing with such requests.

  1. Take appropriate measures in respect of third-parties and partner organisations 

Discuss data-protection with partner organisations. Consider carefully who you will share data with, ensuring they can guarantee compliance with the GDPR. Ensure all contracts and data processing agreements contain provisions to protect personal data.

  1. Demonstrate ongoing compliance and accountability

Ensure thorough record-keeping, monitoring, and regular reviews of current processes. Keep up-to-date with developments from the UK data regulator the Information Commissioner’s Office” at ico.org.uk/for-organisations

Ignition Law is a unique entrepreneurial law firm providing specialist corporate, commercial and employment advice to start-ups, scale-ups and entrepreneurs. For queries, you can email info@ignition.law