GDPR – ten key actions to take today

Our new course on the GDPR includes key actions and advice to help ensure you are compliant. Here are ten key recommendations taken from the course.

One: Identify all categories of data

Your organisation needs to identify all categories of data that are being held, the purpose for which the data is held and how it is being processed. By doing this the organisation will become familiar with the personal data ecosystem within the organisation.

Two: Record a clear description of data

The following questions should be asked of those who are responsible for collating personal data.

  1. What process is it needed for? (e.g. admissions, recruitment)
  2. How is security maintained?
  3. Who has access to the information?
  4. Who manages the data?
  5. Who are the data subjects?
  6. What is the source of the data?
  7. What software is used? (if any)
  8. Where does the data go inside the organisation?
  9. How is the data stored?
  10. Does the data leave the organisation?
  11. Does the data flow across national borders to areas not covered by the GDPR?

Three: Run a data audit

The ICO has several self-assessment checklists that you can use. On completion, a report is created that clearly indicates your strengths and your areas for improvement.

Four: Appoint a Data Protection Officer (DPO)

The GDPR means that some organisations will need to appoint a Data Protection Officer. You will need to appoint a DPO if:

  • you are a public authority (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

Five: Pay your data controller fee (if relevant)

Under the GDPR a data controller may be required to pay a fee to the ICO. The amount paid is based upon the relative risk of the data processing, and the size and turnover of the organisation. There are some exceptions, including public authorities, charities and small occupational pension schemes. You can check what fees need to be paid by referring to the ICO website.

Six: Complete a Data Protection Impact Assessment (DPIA)

A DPIA is a process that helps identify and minimise the data protection risks of a project. A DPIA must be undertaken before you introduce any process which is likely to result in a high risk to individuals’ interests.

It is good practice to carry out a DPIA if any data system is being introduced that involves using personal data in a way it has not been used before, or if new data is being collected for a new purpose. When carrying out a DPIA it is important that you consult your DPO (if you have one) or seek expert advice.

Seven: Check your suppliers’ accreditation

It is a criminal offence for any organisation to use a company to dispose of data, or to recycle IT equipment it no longer needs, unless that company holds the correct accreditation.

Eight: Respect the new rights for ‘data subjects’

Anyone, anywhere, who has data held on them by an organisation is a data subject under the GDPR 2018, and everyone has more rights regarding how their data is held, used and disposed of.

Their rights are:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision-making or profiling

Nine: Develop clear policies and protocols

Your organisation should have clear policies and protocols in place that you follow and regularly review to ensure you are GDPR compliant. You should also know who the data protection officer is in your establishment (if you have one); they will be able to support you with any queries you may have about the GDPR and about what to do in the event of a breach or a subject access request.

Policies and procedures will vary within different organisations.

Ten: Stay calm

Remember, if your organisation is already complying with the Data Protection Act, then you are well on your way to being ready for the GDPR. Being methodical and keeping calm will help ensure you are in control of your data and working in line with the new regulation.

The above information has been taken from our latest GDPR course 'A Practical Guide to the GDPR'. The course outlines key elements of the General Data Protection Regulation in an organisational setting and will help you to understand:

  1. what personal data is and how it is used
  2. why there is a need for change in data protection
  3. the new GDPR
  4. new legal requirements
  5. data maps
  6. Impact Assessments
  7. disposing of data and recycling
  8. new rights for ‘data subjects’
  9. promoting good practice

The course concludes with ten thought-provoking practical scenarios that cover issues such as Confidential Waste, Data Storage, CCTV, encrypted emails and managing visitors, and provides possible solutions to those issues.

The course costs £20.00 and you can buy online today.
