Are you prepared for the new General Data Protection Regulation?

The key steps to ensure your business is prepared.

On 25 May 2018, the new General Data Protection Regulation (GDPR) is set to take effect. Under the new rules, organisations which collect, store and process individuals' personal information will be subject to new obligations, with an increased emphasis on accountability and transparency. Here, we outline some key steps you should take to help ensure that your business is prepared.

Keep records relating to the personal information you hold

Businesses should make sure they have up-to-date records relating to the personal data that they hold. These records should include where the data came from and who it has been shared with.

Under the GDPR, businesses must comply with the new 'accountability' principle, which requires them to be able to demonstrate how they are complying with the data protection requirements, not merely to comply with them.

Identify your lawful basis for processing personal information

Businesses must identify the lawful basis under the GDPR for each of their processing activities, record it and update their privacy notices accordingly.

Under the GDPR, some of an individual's rights vary depending on the lawful basis a firm relies on for processing their personal data. If you rely on consent as your lawful basis, clients will have a stronger right to have their data deleted should they withdraw that consent.

Your lawful basis will also have to be set out upon answering a subject access request. Businesses are advised to document their lawful basis so that they remain compliant with the accountability requirements of the GDPR.

Review your privacy notices

Businesses should review any privacy notices they have and, where necessary, make sure that these are amended in time for the implementation of the GDPR.

Under the new rules, businesses are required not only to tell individuals who the business is and how it intends to use their data, but also to explain the lawful basis for processing the information and to state how long the data will be retained. Businesses must also inform their clients that they have a right to complain to the Information Commissioner's Office (ICO) if they believe there is a problem with the way their personal data is being handled.

Ensure adequate procedures are in place to prevent data breaches

Businesses are urged to make sure that adequate security systems are in place to detect, report and investigate any breaches.

The GDPR introduces a requirement for firms to report certain types of personal data breach to the ICO. The ICO must be notified, within 72 hours of the firm becoming aware of the breach, where the breach is likely to result in a risk to individuals' rights and freedoms. Businesses will also be required to inform the affected individuals themselves, without undue delay, where the breach is likely to result in a high risk to their rights and freedoms.

Larger businesses may wish to create policies for handling data breaches, and communicate these to their employees.

Review how your business seeks and records consent

Businesses are advised to review how they seek, record and manage individuals' consent. Consent must be freely given, specific, informed and unambiguous, and the business must be able to demonstrate that it was obtained.

The business must also provide simple ways for clients to withdraw their consent at any time.

Consider appointing a Data Protection Officer

Appointing a Data Protection Officer may help to ensure that your business complies with the stringent GDPR data protection rules.

Public authorities, organisations whose core activities involve large-scale processing of special categories of data (such as health records) or of criminal conviction data, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals are required to appoint a Data Protection Officer.

These are just some of the key measures you should consider to help ensure that your business is ready for the introduction of the new GDPR. Further information can be found on the ICO website.


© 2018 Ling Phipp. All rights reserved.