GDPR — Here’s my take on it

I am sure you have read loads of posts, guides and tweets regarding the new laws coming into force on the 25th of May 2018.

Here is how we are tackling this as an agency.

Don’t Panic!

The first thing I would say is DON’T PANIC!

There are lots of helpful resources out there to support you in preparing for the looming deadline. Take advantage of them.

I have spoken to many people recently and there seem to be 2 camps.

The Big Question

The big question everyone is asking…where do I start?

I have been attending events run by Law Point, within their Digital Law Scrum and…bacon series. They have been covering different aspects of GDPR as voted for by attendees.

The first session

The first session gave us a general overview of the regulation, guiding us through the maze that is GDPR and talking about the biggest changes which will take effect, such as:

  • The same core principles still underpin how we collect, use, store and delete personal data
  • New rights for individuals over their data have been introduced
  • Details of the fines, which are now bigger
  • Stricter consent rules
  • Accountability
  • The difference between Processor and Controller

The second session

In preparation for the second session (which was fast approaching), I had been focused on working through an internal audit of our systems.

The second GDPR session really focused on and drilled into the differences between Data Controller and Data Processor.

Data Controller — Decides the purpose and way in which the data is processed

Data Processor — Processes data on behalf of the Controller as defined.

Tracey from Law Point demonstrated how to work out in which situations we (as a company) are Data Controllers and Data Processors.

Workflows Are Key

The simplest way to work this out is to break down scenarios into workflows. The two that I have completed below are basic ones just to give you an idea.

User Role Workflow

Employee Workflow

One thing to bear in mind which has not come up in the data flows so far is that a Data Controller can also pass data to another Data Controller.

When you look at the different people you interact with, you can very easily identify the role your company plays using these workflows. We have found that we are a Data Controller when it comes to employee personal data, but when working with clients we are in most cases the Data Processor, holding their end customers' personal data.

How We Are Tackling This


Here is the plan we are working to:

  • Review and assess the ICO’s 12 steps to take: Preparing for the General Data Protection Regulation (GDPR)
  • Review the documents and templates on ICO’s website
  • Complete the review of all systems and remove any that are not required
  • Complete an internal audit to identify the data you have, where you got it and why you need it
  • Create GDPR data protection policy
  • Confirm and document the procedures that are in place to detect, report and investigate a breach
  • Review the ICO’s 12 steps to take to ensure these are all covered under our company policies

So How Do You Start?

To summarise here is where to get started:

  • Get a plan in place (The ICO has a questionnaire that will help you work out your to do list as a data controller and a data processor)
  • Remove what personal data you don’t need
  • Where possible, limit access (some of the high-profile data breach cases have come about through employee credentials being compromised)
  • Read up on GDPR at, this will help when you have lots of questions to answer

Final Thoughts

Make sure you can show your working out: that you can explain why you have the data, what you use it for and the protection you have in place.

I would like to say a big thank you to Tracey and the Team at Law Point.

Get in touch if you have any questions, I would be happy to answer them, if I can :-)
