GDPR Compliance – perhaps not as daunting as you’d think

11 Dec 2017

The most common response we hear when talking with clients about implementing the GDPR is how scary or ‘daunting’ the process towards compliance seems. The temptation is to put it to one side and do nothing, maybe hoping it will go away.

Unfortunately, regardless of what happens with Brexit, it will not be going away, so doing nothing is not a practical option. In fact, businesses that act sooner may find that compliance offers a competitive advantage as well as mitigating risk.

Businesses which have been working on a compliance programme for some time will have a reasonable expectation of being 100% compliant by 25 May 2018. For businesses which have yet to begin or are only just starting their programmes, however, the practical advice is that remedial action doesn’t have to be completed all at once and the process can be scheduled over a period of several months. The deliverable by 25 May should be an ability to demonstrate that you have audited your data processes and procedures, and have a clear plan in operation that is moving the business towards full compliance. If a plan is in place and regular, achievable actions undertaken, this is acceptable to the ICO. Little and often is the key, allowing the business the opportunity to allocate both resource and budget to achieving compliance alongside Business as Usual activity.

Once the nettle of starting a compliance programme has finally been grasped, the task may not be as daunting as you think. It can be broken down into three steps.

Step 1

The first step in putting together a plan to achieve GDPR compliance is to undertake a data audit and risk assessment. This allows you to gauge how far you are from compliance and what needs putting in place, redrafting or updating. As part of this you should also carry out a data mapping exercise, identifying where in the business personal data is collected and held; what processing is undertaken, by whom and where; what security measures are applied; what purposes the data is used for; what is the legal basis for processing; and how long the data is held for.

So what exactly is involved in an audit? While there is guidance on the ICO website for a business which may want to do this itself, to limit impact to your business activity it may make commercial sense to engage a specialist legal adviser to produce a detailed report on your current status and guide you through the compliance process.

The scale and scope of the audit will depend on the size and complexity of your organisation and how you handle data. To start the process, we will provide you with a self-assessment form to ascertain your current policies and procedures in respect of data protection and security. It includes sections on management, staff, security, data sharing, storage and destruction. We will also ask you to provide copies of all relevant policies and documentation.

Step 2

After reviewing the responses to the self-assessment form we will arrange a meeting with key representatives from your organisation, at your premises, for a more detailed discussion. This may include members of your IT, marketing, CRM, HR and legal teams, as well as senior management. We can also recommend or work alongside your preferred IT Security provider, who will be able to advise you on how best to avoid breaches in cyber security.

Once we have gathered all the necessary information and relevant documentation, we will produce either a brief summary or a detailed audit and risk assessment report (as you prefer), which will provide a graded and prioritised set of specific recommendations to move you towards compliance.

Step 3

Once the report has been agreed with you, we can guide and work with you to put these recommendations into place. We will provide a prioritised time and cost schedule for each action that needs addressing; however, the degree of our involvement in the implementation is entirely up to you. Following the completion of the process we can work with you to continually review and update your policies, documentation and procedures where necessary.

Click here to view our infographic showing the data audit and risk assessment process. 

Our dedicated CB Comply team has substantial experience working with SMEs on their data protection requirements. We provide a range of advice and assistance to support you in identifying and addressing the compliance challenges posed by the GDPR. For further information or to discuss your requirements, please contact us.

Additional information