Countdown to GDPR: 5 practical things to do before 25th May

16 April 2018 by Becky Reid

It’s only a matter of weeks to go now until GDPR comes into force. Rather than talk about the principles of the regulation, which hopefully you are up to speed with now, I thought I could provide a checklist to help you focus on some practical actions you should make sure are implemented prior to 25th May.


1.  Review and revise your Data Protection Policy

Your Data Protection Policy is the internal document for your organisation. It should detail what your company processes and procedures are and effectively be the ‘go to’ document for your staff whenever they have a data protection query.

The Policy should be more than just a document that is drafted and then filed away never to be referred to.

Action required: Update your Policy to reflect procedures for data breaches; managing individuals’ rights; using your own device at work etc.

2.  Review your data

It’s time for a spring clean of your data. Remove old, out-of-date and no-longer-required data; old contacts no longer engaged with your organisation; and don’t forget to clean any server back-ups of this data too. Your organisation mind set should be about good quality data not quantity of data.

Re-clarify contact data if necessary. Do you have contacts in your system whose permission status you’re uncertain of? Beware. If you don’t have permission to email contacts, i.e. they haven’t necessarily opted in, then you can’t email them to re-clarify their consent. BUT you can ask them to confirm the data you have on record about them is up to date (providing them with an opportunity to be deleted) and invite them to subscribe to communications at the same time.

Don’t forget to look at employee, supplier and partner data too. It’s not just about your members.

Action required: safely delete and clean your old, out-of-date data

3.  Gain GDPR-compliance assurances from third-parties

Under GDPR you have a responsibility to make sure that any third-party systems you use for storing, transferring or processing data are also GDPR compliant. Think CRM systems (Microsoft Dynamics), cloud storage (Microsoft Azure), email marketing platforms (dotmailer), website CMS systems (Wordpress, Drupal, Kentico, Preside etc.), online payment platforms and shopping carts (Roman Cart, PayPal etc.)... the list goes on.

The best way to show that you have taken steps to ensure your third-party partners are GDPR-compliant also is to get a statement from them. You will find that everyone is prepared for this and should be able to either send you something or provide you with a link to the appropriate place online.

Action required: Gather and store assurances (or links to where these can be found online) in an appendix to your updated Data Protection Policy

4.  Make sure your website is compliant

One of the most popular ways of gathering data is via your website and, if you are using consent as your lawful basis of processing, you need to provide people with all the information they need in order to make an informed decision about whether they wish to share their data with you.

That means making sure people can easily find your privacy policy, which lets individuals know why you collect data, what you do with it, what their rights are and how they can opt out when they want.

That also means making sure your cookie policy and cookie notice (that you have been needing to provide under existing data protection regulations) are also up to date and easy to find online.

Finally, is your website secure? Last year Google started to rank sites down that didn’t have an SSL certificate set up on their site. Basically, are your web pages http:// or https://? They should be https:// for extra security to visitors whilst on your site and to make sure you aren’t penalised in search engine page results. You can purchase one from whoever provides your domain registration and then your web agency / IT dept can set it up on the site.

Action required: Review and update your privacy and cookie policies and check you have a cookie notice

Action required: check you have an SSL certificate implemented across your website(s)

5.  Train your teams

With all this change to policies it’s important to make sure your staff know what’s happening, from several points of view. They need to know what the new policies are so:

  • They can make sure they comply when managing and handling data
  • They know what to do when an individual exercises one of their data protection rights, for example, requesting to be removed from your databases or requesting to move their data to another organisation
  • They can be reassured and confident of how you are managing their own data (because GDPR isn’t just relevant to customer data; it also relates to employee data)

Set up some training sessions for staff, explaining in simple terms what’s changed and what the new procedures are. Also, make sure you include managing data in your new employee induction process.

Action required: arrange staff training sessions

Action required: update your employee induction process

GDPR shouldn’t be a cause for panic but, equally, you can’t just ignore the fact it’s coming into force. With these practical steps you will be making some good progress into making sure you are compliant as well as reassuring your members, suppliers, employees and stakeholders that you are ready for 25th May.