In a previous article, we explained that GDPR relates to the protection of data relating to EU citizens and residents and this not only applies to electronic data, but also physical data (i.e. paper documents and files).

You should now have begun to review your data, your processes and who has access to that data so that you can establish polices for handling, processing and retaining the data.

In this article, we look in more detail at what data needs to be identified and why….


Customers and contacts

You may think an email address, mobile phone number or similar details for an individual within a company is not personal data because it belongs to that company.  However, this is not true…where data helps in identifying an individual (even in conjunction with other data) it becomes personal data under the legislation.

As a result, that data falls under GDPR legislation.

Of course, if you deal with individuals rather than businesses, then all your data will be personal.


Don’t forget your employee data, including HR records, is personal data under GDPR and needs the same treatment, with appropriate policies and security.


Ignoring the data needed to service customers, the most common area of concern is the collation of data for marketing purposes.

You will need to seek positive confirmation of “opt-in” from those individuals.  That means you need them to tick a box or answer yes to the question “would you like to receive marketing from us”.  Pre-filled forms or automatically including the data in your marketing database with an opt-out tick box on future marketing literature is not allowed.

Many companies will be seeking that confirmation now, before the act of asking for permission becomes a potential breach!


The key policies we are concentrating on at RG, are data retention, data access, the “right to be forgotten” and our breaches policies [if we ever have one!].

You may only have 7 weeks to go, but getting these policies in place is a major step forward for most businesses in demonstrating a conscientious approach to complying with the legislation.

It is all very well creating policies, but if those who have access to your data don’t even know about them, they are useless!  That might include 3rd parties, contractors and the like.  You may even need to ask your suppliers to confirm they are compliant where they have access to or process data on your behalf.


There are thousands of businesses out there which won’t be completely ready for GDPR by 25 May 2018.  Many believe demonstrating steps taken so far, ensuring data is secure and documenting what has been done and will be done is a good enough starting point and the ICO (Information Commissioner’s Office) is unlikely to take action against such organisations.

Concentrate on those areas that present the biggest reputational risk – loss of customer or employee data or being reported for non-compliance.

In reality, the real risk, for the average business that does not handle huge quantities of sensitive personal data, is likely to be from aggrieved employees/customers/contacts, so in the early days, make sure you act on any data requests or complaints quickly and efficiently…and carefully document them.