General Data Protection Regulation – start now or pay later

AAT Comment

The new GDPR regulations will come into force in May 2018 and preparations should be undertaken now, as non-compliance is not cheap. To quote Information Commissioner Elizabeth Denham, this is “the biggest change to data protection law for a generation”. The Information Commissioner’s Office (ICO) is issuing information specifically aimed at small and medium-sized (SME) organisations that will help them achieve compliance.

‘Getting it right’ checklist

All organisations, whether large or small, need to follow the eight data protection principles. These principles are the foundation of the regulations and state that personal data must be:

  • Fairly and lawfully processed
  • Processed for specified purposes
  • Adequate, relevant and not excessive
  • Accurate and, where necessary, kept up to date
  • Not kept for longer than is necessary
  • Processed in line with the rights of the individual
  • Kept secure
  • Not transferred to countries outside the European Economic Area unless the information is adequately protected

The rights of the individual are the focus of the GDPR, and from May 2018 those rights will be enshrined in law. To help the typical SME comply with this law, the Information Commissioner’s Office (ICO) has produced a checklist that will help in achieving compliance and identify any areas that need improving.

The checklist covers three main areas of the organisation.

  1. Information held
  2. Staff awareness
  3. Training and internal processes

The checklist does not mean that compliance has been achieved, rather that the organisation is on the way to compliance.

Information held

The checklist prompts the user to consider the quality and quantity of the personal information held. We tend to check that the data initially collected is accurate, but how often is it reviewed? This question leads us to consider what information is held and whether it is necessary to hold it. How often is the information updated, and what checks are in place to ensure accuracy?

Clients should be asked to verify their details, and confirm that permission is given for that information to be held and processed. Regular reviews of their data by clients will ensure the information is accurate and up to date.

Reviewing processes and procedures regarding information collection and control will help achieve compliance, and starting that process now will avoid any last-minute panics.

Staff awareness

The checklist here covers staff behaviour, monitoring and training.

Many organisations display staff information on their websites. But how many organisations actually ask the employee for their consent? There is often an assumption that staff are happy for their details to be displayed, but from May 2018 this can no longer be assumed: permission has to be actively sought and, preferably, documented. Be aware, though, that the employee can at any time ask for the information to be removed, so logs of where the information is held should be kept.

Are staff emails monitored? Have the staff been made aware of this? From May 2018 staff will need to know that their actions could be monitored while at work. And while on the subject of monitoring, is social media accessed for any staff behaviour that can be seen as detrimental to the reputation of the organisation? If so, then staff need to be informed, and policies written for them to read, understand and agree to.

Staff will need to be trained on how to handle personal information: when they can disclose it, and their responsibilities under the GDPR. Written procedures as well as training would be most effective, as memory fades and information is ‘lost’ in the day-to-day bustle of working life. The ICO recommends that a webpage on the GDPR, with links to all the relevant information, is made easily accessible to staff.

Minor breaches involving personal information may at present be dealt with informally, with the staff involved getting a ‘don’t do it again’ talk. From May 2018 there could be financial implications for the organisation, so train staff now.

Training and internal processes

The focus of the checklist here is:

  • Meeting GDPR requirements for dealing with requests
  • Steps to take if there is a data protection issue

If a client or employee requests copies of the personal information held about them, are the processes clear enough that compliance is guaranteed?

Is there a policy outlining the actions to take if a data protection issue arises? Does it outline the steps to take depending on the severity of the issue? Is there a feedback process whereby any future issues are avoided?

Regular review of procedures and processes, and consultation, should start now.

It can be seen from the above that there is a lot of review work to do, possibly followed by the creation or rewriting of procedures. Starting now will lessen the anxiety, if not the workload, and will mean that compliance is achieved rather than hoped for.

The ‘Getting it right: small business checklist’ has identified three very important areas of the organisation. These three areas are some of the greatest assets an organisation has or, when things go wrong, some of its most expensive liabilities. Focusing on what needs to be done now will increase the chances of compliance before May 2018.

Conforming to GDPR is not an option, and complacency in this area can only lead to penalties and fines.

Julie Hodgskin is a fellow member of AAT, runs a licensed accounting practice and is a technical materials author for CIPP.
