Preparing for GDPR

Change is afoot, says Foot Anstey senior associate Alexandra Leonidou. Are you ready for the General Data Protection Regulation (GDPR)?

Alex Leonidou

Advances in technology along with high profile breaches have meant that you would be hard pushed to find a business not thinking about data protection. However, with less than 18 months to go until the largest shake up in European data protection regulation in 20 years, could businesses be doing more to get prepared?

The GDPR will introduce a number of new concepts and significantly raise the bar across the board, although barely any of the fundamental elements of today’s laws have been scrapped. One of the most important changes for businesses to note is that the potential financial penalties have substantially increased – under the new laws fines could be up to the greater of €20 million or 4% of global annual turnover. Furthermore the GDPR takes a risk-based approach, which means that all businesses, no matter what size, will have to address their current levels of compliance.

Certain businesses, such as those with a significant digital presence (retailers or online publishers for example) or those that handle sensitive information (such as clinical data) or who undertake sensitive practices (for example profiling or making automated decisions about individuals) will inevitably have an inherently higher risk profile. Even businesses that don’t deal with consumer data as part of their core business will need to think about the GDPR in the context of their HR data.

The regulation will take effect on 25 May 2018, with Brexit making no difference to this timeframe (as confirmed recently by the ICO, the UK’s data protection regulator), and businesses can and should be preparing now so that they are on the front foot. The most important things to consider at the early stages of your GDPR preparations are:

  • Accountability: Who are you going to put in charge of leading this area? Are they sufficiently knowledgeable? Are they sufficiently resourced?  Are the right reporting lines in place?
  • Awareness: Who needs to know about the GDPR? This isn’t just something for IT or data officers. Boards should be aware of the risks, HR teams need to think about employee data and getting GDPR compliance right will be critical for marketing and communications teams’ activity
  • Audit: What data do you have and where is it stored? What are you doing with it? Do any third parties process the data? Conduct a data mapping exercise and review your notices and consents.
  • Assess: What are the gaps revealed by your audit? Where are the easy wins? Where are the opportunities? Prioritise accordingly.

The final thing to remember is that you can drive engagement by making this more than just an exercise in compliance. Today’s technologies and marketing practices mean that there are endless opportunities to extract value from your data – getting ready for the GDPR may actually facilitate this and will lower the risk of doing so.

Alexandra Leonidou, Senior Associate, at Foot Anstey. Alex recently joined Foot Anstey from an in-house role at Warner Bros. Entertainment and is a specialist in data protection. For more information on how you can prepare for the GDPR or to discuss data protection further please contact


  1. I saw this article come up a couple of days ago on other news outlets so it’s good to see this getting some awareness in Cornwall.

    A question that concerns me is that given the vast majority of businesses in the UK are small with no specialist IT, Legal or HR functions – how are they expected to meet the new requirements? A typical scenario could be:

    Audit – As the business owner I’ll do it myself as I have no-one else to pass this to.
    Awareness – I don’t have HR or IT teams. It’s just the 10 of us here, but I’ll let them know anyway.
    Audit – We have some computers and some stuff on paper. I think Bob might have put something on Dropbox. . . Btw What is data mapping. . . .
    Assess – I’m really worried as I’m not sure what I should be assessing or how. . . .

    Is the answer for business to pay £800-£1000 per day to consultants to produce a report for them?? For medium and large business who have the finances this might be the solution. For small business quicker, automated, more agile and lower cost solutions are needed.

    It will be interesting to watch this space and see how the GDPR market develops during 2017 to support the needs of small business.

Comments are closed.