The 8 Key Components of GDPR Compliance

On May 25th, 2018, the two-year pre-implementation window expires and enforcement of the General Data Protection Regulation will commence.

In the United Kingdom, our Supervisory Authority (SA) is the Information Commissioner’s Office, although many organisations may also fall under the jurisdiction of an SA in another European nation, as is the case with the U.K. subsidiaries of foreign firms headquartered in Europe.




As 2017 draws to a close, multiple surveys have established that our national readiness is appallingly low, with the most generous estimate suggesting compliance has been achieved in just 2% of organisations. Expressed differently, 98% of organisations face censure or prosecution, with financial penalties of £17m or 4% of their last year’s turnover, whichever is the higher.

With the clock ticking towards the potential time-bomb of three million Data Subject Access Requests swamping businesses, and the inevitable fines and confusion which will surely result, this article explores the eight key elements of bringing your organisation from ‘moderate’ compliance with the 1998 Data Protection Act through to compliance with GDPR.


(1) Management Support

Whether yours is a high street estate agent, a school, a charity, or a large business with 1,000s of staff, shareholders and staff alike depend upon the management to understand the GDPR and to offer active support in working towards compliance. It’s no use listening to ‘the chap at the gym/pub’ who says GDPR is just ‘hype like Y2K’. That was a fear based on poor software, largely written in COBOL. GDPR is the law, and it is to be enforced with the same vigour as Health and Safety legislation.

The management team must lead by example, and once the core obligations are established (such as whether a DPO is required), budget will have to be allocated proportionate to the work to be undertaken. In many businesses, the I.T. manager will be insisting upon added budget to replace obsolete servers and routers, or entire operating systems. You will be faced with requests for improved anti-virus software, and perhaps Cloud-based software solutions too.

The Human Resources Director, or the staff who share that role in the smaller business, will need to find the time to review contracts, recruitment, third-party sharing agreements and much more besides. Expect requests for temporary staff or external consultants to help guide departments through the changes.

Remember, too, that the sales department might be asking for a statement as to your compliance: government contracts demand Cyber Essentials certification, and many larger organisations will restrict their procurement to only those with documented GDPR compliance policies.

A final note here: GDPR compliance is not the same as adding a ‘we are an Equal Opportunities Employer’ statement to your website. That’s mere fluff. Meaningless. The policies and procedures you must prepare are to be of such a standard that they can survive scrutiny in a court of law. Now, then, is not the time to dally.


(2) Proportionate Assessment

Approach GDPR compliance methodically: doing nothing is not an option, but nor is it possible to do everything all at once. This is why the best guidance starts with a GDPR Readiness Assessment. While these can take many forms, the essence is that you create a benchmark against a set of objective criteria.

In all likelihood, your Readiness Assessment will be a start-stop process: as soon as you start you might discover that your Privacy Policy is hopelessly out-of-date (or missing altogether), and that you don’t have even such basics as a Data Protection Policy, or a Cookie Policy. You will divert to secure these, and then get back on track with your Readiness Assessment task.

Other assessments will follow. Some organisations may need just one, the so-called DPIA. This is formally known as a Data Protection Impact Assessment, a more stringent version of the Privacy Impact Assessment of the Data Protection Act. You may also be required to conduct a myriad of alternative assessments. Some of these will require specialists from outside the organisation, and often external guidance is beneficial to the organisation.


(3) Policies and Procedures


(4) Information Technology


(5) Legal Considerations


(6) Process Improvement


(7) Education and Training


(8) Review and Monitor


