GDPR will come into effect in May 2018, replacing the Data Protection Act 1998 and dictate procedures and consequences surrounding data breaches and notification.  

So how will it impact your organization, and what are they key elements to consider before implementation?

Information you hold

All personal data you hold will need to be documented, including where the information came from and with whom it is shared. An audit of your information may be required to bring everything up to date.


Make sure that the key stakeholders within your organization are aware about the forthcoming regulation. It is vital that they understand the implication of GDPR and the deadlines surrounding the change.

Consent & Individual’s Rights

Your policies and procedures will need to be checked and updated to ensure that they cover all the rights of the individual, including the procedures in place to delete personal data. Another important factor is the requirement to provide data in electronically and in a commonly-used format.

Processing Personal Data

Ensure that your privacy policy and notices are up to date, and identify the lawful basis for your processing activities in the GDPR. Put a plan in place to make any changes before May 2018.

Access Rights

Ensure that you have policies and procedures in place to handle requests within the new timescales.

Breach Notifications

Ensure that you have robust procedures in place to detect and report any personal data breaches which may occur within the 72-hour timescale.

Children & Young People

It is important to ensure that correct systems are in place to verify the ages of individuals and where appropriate, ensure proper consent from a parent or guardian is obtained prior to any data processing activity.

Privacy by Design

Ensure that you are familiar with the ICO code of practice on Privacy Impact Assessments together with the latest guidance from the Article 29 Working Party.

Data Protection Officers

Check whether your organization and its activities require you to designate a Data Protection Officer. If so, this person will have responsibilities for data protection compliance and assess where this role will be within your organizational structure.  

Geographical Scope

If your organization operates in more than one EU member state, you should determine which authority is your lead data protection supervisory authority. Article 29 Working Party guidelines will provide more information.

To find out the document storage and secure shredding services that Chaffinch Document provides can help achieve compliance with the new regulation, particularly surrounding the retention and disposal of records, please call 01782 437131 or email This email address is being protected from spambots. You need JavaScript enabled to view it..