Final GDPR checks

It’s not too late...

The 25 May 2018 is fast approaching so this is a reminder of what you should be doing with links to further details. You may also find our GDPR hub and the ICO Guide to the GDPRIf you require any further assistance please contact our Technical Advisory Service.

Don’t Panic

It’s not too late to get started and remember not everything has to be completed by 25 May 2018 but you must have made a start. So our advice is to PREPARE, PROTECT and REVIEW.


  1. Appoint someone senior to oversee the process. It is not just an IT matter, so it essential that a senior member of staff such as a director, partner or senior manager takes responsibility for overseeing the process and ensure compliance on an ongoing basis. Certain organisations will need to appoint a Data Protection Officer but for many a data protection manager of Head of Privacy will suffice.
  2. Map your data. This means you need to know what data you hold, where it is, why you need it, who else has access to it, and for how long you need to hold it. The ICO has published a template to help you do this.
  3. Check your Status. Are you a data controller or a data processor? The GDPR will not change this but it does change the responsibilities of each so you need to be sure you know what your new responsibilities are.
  4. Register with the ICO. If you haven’t already done so and you are a data controller. Most accountancy firms will be data controllers with regard to firm data (ie employee personal data) and with regard to most client service offerings.
  5. Draft data protection policies and procedures. The GDPR introduces the principle of ‘accountability’ – this means all organisations must not only ensure they are compliant with GDPR but prove this too. The easiest way is to do this to document your policies. See practice Wire article
  6. Devise and test your breach response plan. It is unlikely that you will never suffer a breach but under the GDPR you only have a short time frame in which to report it to the ICO. So you need to know in advance who will be the point of contact with the ICO, who will do what and how to manage requests for information from staff, clients or the media.
  7. Train staff. Not all staff will need to understand the GDPR in its entirety but all staff should at least be aware that data protection is an issue for everyone. Most importantly they need to know how to recognise a potential breach and how to report it.


Review Cyber Security.

The best way to prevent breaches (and therefore fines and sanctions) is to minimise their occurrence, so a review of your cyber security should be an essential part of your GDPR readiness programme. It does not have to be an expensive revamp, it can just be a refresh tailored in line with the complexity of your organisation and IT set-up. The ICO has also said that if you do suffer a breach they will use as a mitigating circumstance the level of cyber security in place and whether it is appropriate for an organisation of your size and the nature of your business, so again it is important for you to make sure your cyber security is ‘fit for purpose’.

The following is some tips on what you should be doing with regard to both digital data and paper records

Digital Data

Physical Security: make sure all hardware is stored securely , homeworkers, BYOD

Technological : encryption, firewalls, portals, passwords, VPN

Paper Records – now included if part of a ‘relevant filing system’

Physical Security: filing cabinets locked, access limited to only relevant personnel, clean desks

Disposal: shredded or other secure means?


  1. Lawful Basis for Processing. Having mapped your data (see above) you can now endure that you have lawful basis for processing. This needs to be documented and the data subject informed.
  2. Client Data
    1. Review consent for any marketing activities to clients and /or other contacts
    2. Update engagement letters – to reflect the change in applicable legislation – see ICAEW guidance and templates
    3. Update privacy notices – see ICAEW guidance and template
    4. Review rights of individuals that may apply and ensure have polices in place to meet these rights
  3. Firm data
    1. Review rights of individuals that may apply and ensure have polices in place to meet these rights
    2. Update employment contracts ( as can no longer use ‘consent ‘ as the lawful basis for processing the personal data of your employees)

 Our GDPR hub is here: