GDPR – How to start

GDPR How to Start

What you need to be doing NOW….

So you’ve decided to do something about GDPR or need to work out where to start. Below we have some basic tips to help you keep in control. This outlines where to start which for many companies is the point they are struggling with, we will follow on later in more detail about how to continue the process ready for the 25th  May 2018.

To help with your journey on the GDPR, keep in mind the 3 x P’s to help keep you on track and appropriate.

  1. People: Staff, their awareness and training levels
  2. Process: The process, procedures, legal documents, T&C’s & contracts
  3. Product: The technology to help safeguard your data & business


The Starting Point

Consider and Review

Review the data that you have, in most companies we audit there is a high percentage of redundant data and people are often surprised where data has spread to. Consider the ways in which you are processing personal data and the systems you are using and understand what the risk is. With the rise in cloud services, many companies have CRM  and mailshot systems that are outside of the UK and EU. These need to be reviewed and the policies on the transfer of data considered to ensure that the legal requirements are met.

Review how you are protecting data and if your systems are adequate to do this.

  • DATA: From a data perspective, you need to know:
    • What category of data do you have
    • Where do you collect data and how
    • Where it is
    • Who has access
    • When was it accessed and by whom
    • How long do you need to keep it 
    • Do you have a lawful right to process this data
    • Does the data cross international borders 
  •  PEOPLE:

What level of security awareness do they have and has their training been scheduled keep them up to speed

  • PROCESS:

What processes do you have already and how do they need to change.  

Document all GDPR processes and procedures so you can demonstrate GDPR readiness, this includes having policies and procedures that say how you will deal with data and how the owners of that data can request access.

Do you have a requirement for a  Data Protection Officer (DPO)? Have you considered the risks to the data that you hold?  

Complete a risk assessment and create a Data Privacy Impact Assessments (DPIA) needed and to start considering privacy by design. Which means, make privacy a fundamental part of your business as usual.   

  • PRODUCT:

Look at technologies that have an appropriate layered protection approach and to help you monitor, maintain, track and recover from cyber-attacks and data breaches.  There are some  basic technologies that all business need to ensure that the level of protection is adequate and systems are up to date, GDPR is vague in how it defines this but in essence you need to ensure the systems are protected by current methods.

  • BACKUP: Make sure you have a robust backup that has been restore tested.
  • MONITORING: Monitor systems and ensure they are secured, if you need to audit access to data especially if you have any sensitive information.
  • ANTI VIRUS & Ransomware: Install software to give you protection from malicious data loss , ensure that it is up to date. 
  • PASSWORD VAULT: Secured access to systems with adequate security, this becomes difficult when we all have many passwords.
  • ONLINE EMAIL FILTERING: Automatically help block suspicious emails and links
  • ONLINE WEB FILTERING: Automatically help block suspicious websites


If you would like to speak to us about any of the points above and how they would fit in with your business, please feel to contact us on 023 92 482556.