image of a keyboard with a fingerprint on one of the keyboards.

GDPR Preparation – Protection, Legal Basis and  Consent – Stage 2

In Stage 1 of GDPR Preparation we covered, Awareness, Assessing Data and Creating a Data Register.
By this stage, you will have a solid understanding of what kind of data your company handles, how
much you store and how it is stored. You have also started to formalise this information in your
Data Register. Here’s what comes next:

1. Put protection in place.

Once you have begun to get a clearer picture of the what data you hold and where it is, it’s
time to put security in place to protect it. Start with a data protection policy. These are some
of the things you should be doing:

  • Keep anti-virus software up to date
  • Make sure you have a strong firewall and secure wifi
  • Make sure passwords are strong and change them regularly
  • Ensure employees take care when downloading software
  • Be extra careful that laptops and mobiles are secure
  • Use shredders and lock away hard copies of sensitive information
  • Have a Disaster Recovery Plan

2. Lawful Basis to Process

To be compliant, you are required to ascertain your lawful basis for processing personal
data. Identify the lawful basis for your processing activity under GDPR, document it to prove
compliance and update your privacy notice to explain it.

3. Get consent in order.

There’s quite a lot to unpack here. First, review how you seek, record and manage consent
and whether you need to make any changes.

  • Consent should ensure a positive opt-in (no pre-ticked boxes), be separate from your T&C’s
    and should be in clear and easy to understand language.
  • As outlined above, it should be clear why you are processing data, whether it will be shared
    and how the client can request data erasure.
  • Refresh existing consents now, if they don’t meet the GDPR standard.
  • If it is relevant to your business model, should start thinking now about whether you need to
    put systems in place to for processing information about children; verify individuals’ ages
    and obtain parental or guardian consent for any data processing activity.

You are now most of the way towards being GDPR compliant, watch out for our next and final blog on the series.



GDPR for Small SME’s – Stage 1

GDPR Guidelines – 8 Points You Need to Know

How to Create a Disaster Recovery Plan (DRP)

How to prepare for Ransomware



Share this post