Little Forest take a peek at GDPR

4 July 2017
by Billy Czajkowska

With May 2018 quickly approaching we wanted to see exactly how GDPR is going to affect not only us but our clients too.
GDPR will give customers the genuine ability to choose and control how organisations use their data, making processing transparent and accountable.
It’s not just about being GDPR compliant but about protecting your customers and building their confidence in your organisation through trust. It will become an essential staple in customer service which will benefit you by enhancing your reputation, increasing engagement and ultimately drive higher conversion rates.
GDPR is the result of needing to govern digital data protection under one consistent standard. The concept for gaining and processing consent under one law is not new. However, GDPR will set a higher standard which will require larger focused regulating and significantly more detail.
Data Protection (DP) authorities are currently developing guidelines which will be enforced by law from May next year. Don’t risk waiting until the last minute, get smart and get GDPR ready.

How the ICO recommend we prepare:


Make sure all decision makers and key people in your organisation are aware that the law is changing in May 2018. Use this lead in period to raise awareness of how the changes may affect the organisation.

Information You Hold

Complete a full organisation audit on what personal data you hold, where it came from and who you share it with.

Communicating Privacy Information

Complete a full review of your current privacy notices and timetable how to best implement any necessary changes before the deadline.

Individuals’ Rights

Investigate procedures to ensure they cover how you would delete personal data or provide data electronically. The main rights for individuals under the GDPR include:

  • Subject access
  • Have inaccuracies corrected
  • Have information erased  
  • Prevent direct marketing
  • Prevent automated decision-making and profiling
  • Data portability

Subject Access Requests

Plan how to handle requests within the new timescales. You will have just one month to comply, rather than the current 40 days. If you refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria. You should consider providing online access.

Legal Basis For Processing Personal Data

Identify your legal basis for carrying out data processing and document it. You will have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request.


Consent has to be verifiable, GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.


Systems must verify individuals’ ages and gather parental or guardian consent for the data processing activity. In short, if your organisation collects information about children in the UK this will probably be defined as anyone under 13, then you will need a parent or guardian’s consent in order to process their personal data lawfully.

Data Breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. This will involve assessing the types of data you hold and documenting which ones would fall within the notification requirement if there was a breach. Note that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

DP by Design and DP Impact Assessments

Work out how to implement Privacy Impact Assessments (PIAs). You should start to assess the situations where it will be necessary to conduct a DPIA. You do not always have to carry out a PIA, a PIA is required in high-risk situations, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals.

Data Protection Officers

You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.


If your organisation operates internationally, you should determine which data protection supervisory authority you come under. The lead authority is determined according to where your organisation has its main administration or where decisions about data processing are made.

This document is a summary of the 12 steps The Information Commissioner’s Office (ico) have created. To find out more go to;

Our Latest News