Preparing for GDPR: Practical steps companies can take

With May 2018’s General Data Protection Regulation (GDPR) in sight, The Lead Agency’s compliance manager Kathy Fleming discusses how companies can prepare.


Under GDPR, companies will need to be able to demonstrate their compliance (referred to as ‘accountability’).

The first step is to review its current processes, procedures and policies so they can be benchmarked against the requirements of GDPR. This will help companies to identify where small improvements are needed as well as bigger gaps that require more time and attention.

Third-parties and data

Make sure third-party companies who process data on your behalf are compliant. Ensure all written contracts include your instructions and expectations for them to provide a fully compliant service.

The accountability still sits with your company but ensuring your partners meet your requirements will provide peace of mind.

How long to keep personal data

If you’re storing personal data, create a retention schedule and makes sure that you don’t keep the data longer than you need to. Just because storage space is cheap doesn’t mean to say that you can keep it forever.

Make a record of the data processing activities that your business is responsible for. Examples include the purposes of processing, a description of the categories of the individuals, categories of personal data, recipients of personal data, retention schedules and the security measures that are in place.

These steps will help you to demonstrate your compliance and accountability.

Customer consent

GDPR will have stricter standards for consent than current data protection legislation. Among the requirements will be making it as easy for people to withdraw consent as it is to provide it.

If you manage an online service that lets people log-in to a personal account, consider including the option to withdraw consent within their account preferences.

Conditions for processing

Make sure you’re clear about the legitimate and justifiable reason for using an individual’s personal data. The reason will dictate some the rights that can be exercised by the individuals.

Data Portability, for example, is a new right that allows individuals (in certain circumstances) to receive and port their personal data that they have provided to the company in ‘commonly used, machine readable’ format. It gives the individual the ability to obtain and reuse their data for their own purposes and across different services.

Right to be forgotten

If a customer exercises their ‘Right to be Forgotten’, do the systems you use allow you to ‘erase’ data? If not, but the data is no longer of any use and there is no legitimate reason to keep it, you’ll have to find a way of anonymising it.

Privacy notices

Check that Privacy Notices are clear, concise, transparent and unambiguous. Companies will be expected to provide a lot more information to customers, so the best way to approach this is by taking a layered approach.

Rather than overwhelming people with information , companies can provide the key privacy information immediately and at short notice but have more detailed information available for those that want it.

Security measures

Think about basic security measures to keep data safe. Many are easy to implement. Simple solutions could include buying a good standard shredder to dispose of confidential waste or using screen locks after a certain amount of inactivity to ensure information can’t be accessed when people aren’t sat at their computers.

Nature of the business

There are many other aspects of GDPR that companies will need to consider depending on the nature of their business and extent of the service they provide. These include things such as territorial scope, processing involving children’s data, definitions of ‘personal data’ and ‘sensitive personal data’ (special categories), breach notification, profiling, appointment of a DPO etc.

If lead generation is among your considerations, speak to our team today to discuss your approach.