GDPR – where to start?

There are many sources of information out there, in fact too many. So we all know that this is coming in 2018. We know it’s something to do with personal data that applies to all businesses despite Brexit. We also know there are hefty fines for non conformance. It is useful to start at the very beginning and define what personal data is. In summary, it is any information held on a person. Examples include; Name, Email address, UTR, DOB and Nation Insurance number.

GDPR then goes on to explain  what is referred to as sensitive data. This includes; ethnic information, political, religious beliefs, Trade Union information, health information, sexual preferences and anything relating to children. It is this data businesses must be especially careful with.

Before you get into the nitty gritty of what you have to do, it is worthwhile doing a data audit. The following table may assist you in working out what data your business deals with, where it it, why you have it and whether you need it. When assessing the reason the data is held and being processed, there are these main reasons:

Lawfulness of processing conditions

1.  Consent of the data subject

2. Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract

3. Processing is necessary for compliance with a legal obligation

4. Processing is necessary to protect the vital interests of a data subject or another person

5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

6. Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

We would suggest giving the below table some thought for step one. This will give you an idea of the level of data you need to consider. Watch this space for the next step or read this simple guide for more information.

Type of record

Data held

Reason data held 

Still needed?

Is it safe?

Changes needed

Client & Ex Client Records






Employee, Ex-employee & canditates






Client payment information





















Loading Quotes...