How to prepare your company for GDPR

With the GDPR changes looming ahead in 2018, it is imperative that businesses learn what they need to do to protect themselves and their data. Here are some tips to help you prepare.

As a business, it is your responsibility to look after all forms of data that passes through your hands at all times. No matter what industry you are in, the connected, digital nature of todays business world means that millions of millions of bits of data are exchanged and transferred across the internet. Every minute, 640 terabytes of IP data is transferred across the globe, which works out as about fifteen times as much as’s entire database.

Think of how much time you spend on the internet in a working day and then think about how much of that time is spent interacting with other people, whether that be customers, clients, suppliers or even employees.

Information and data are the worlds most coveted currency right now; a fact made all the more prevalent in recent news, as major companies fall foul of ransomware attacks, data breaches and hacks, such as the current calamity faced by the NHS ‘WannaCry’ ransomware attack.

It is therefore imperative that you protect yourself and your data.

This becomes even more important next year as new regulation changes mean a breach to your company could do more damage than you may have originally anticipated. May 2018 sees the introduction of the governments General Data Protection Regulation (GDPR) in an attempt to fence off further digital attacks on the UK’s businesses and infrastructure.

GDPR will replace existing European data protection laws. Its purpose is to bring greater strength and consistency to the data protection given to individuals within the European Union (EU).

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.

You, as a business, will become fully responsible for the protection and safe-keeping of all personal data that might flow through the company. Failing to do so will result in a hefty fine of €20 million (£17 million) or 4 per cent of global turnover, whichever is highest.

Statistics show that you may not have known about that part. Staggeringly, 84 per cent of UK small business owners and 43 per cent of senior executives of large companies were unaware of the forthcoming General Data Protection Regulation, according to Shred-it’s seventh annual Security Tracker research.

In light of these results, here are some handy tips to make sure that your business is prepared for the eventual changes.

Start now!


By implementing data protection policies and solutions now, you will be in a much better position to achieve compliance when it takes effect. For many. Doing your research on what you need to do to ensure complete cover and investing in safeguards can help ease the process, rather than stressing next year.

Educate yourself and your staff

Part of the new regulations mean that the company, at every stage of the data handling process, is accountable for a breach or loss of data.

Hackers will look for weaknesses at every tier of a business in order to gain access to data and it can be incredibly easy to dupe an employee who is blissfully unaware of the dangers lurking online. An innocuous email or a poorly planned password can spell disaster and the only way to skirt this problem is to teach everyone within the company on exactly how to recognise the danger and the steps needed to resolve it.

86 per cent of businesses admit that if their CEO’s email was hacked they wouldn’t immediately know how to stop it; a worrying figure when you understand the prevalence of attacks, as a third of businesses expect to be attacked at some point this year.

Streamline your processes

If you are one of the many unfortunate souls who falls victim to a breach, speed and compliance are your only defence.

Data controllers must notify data protection authorities of any breach that risks the rights of individuals within 72 hours of their becoming aware of it and any affected individuals in the case of a high-risk breach as soon as possible. When a data processor discovers a breach, it is their responsibility to notify the controller.

While it may seem fatalistic to plan for the worst, ensuring that a procedure is in place that is known to all members of the company will mean that you can take the right steps to stay within the regulations and avoid the fine.

Do your research

Gartner recommends that organisations prioritise five specific actions to prepare for the impending requirements. They begin with the appointments of two roles dedicated specifically to data protection roles: one as a contact point for the data protection authority (DPA) and data subjects, and a data protection officer (DPO) to ensure processing operations are compliant.

The remaining recommendations are to demonstrate accountability for all processing activities transparently, check how data flows across different borders both within the EU and outside it, and prepare for data subjects to exercise their extended rights, in areas such as the right to be forgotten and to be informed of a data breach.

IBM also has a five step ‘battle plan’ that roughly follows similar advice, emphasising the need to ensure you plan out your process if a hacker strikes.

Keep calm and GDPR on

That age old adage has never been more relevant. It may seem daunting and scary when considering what could happen if you do lose data, but simple planing and maintaining of good data protection practice will see you through the worst.

Get clued up on what you can actively do to protect your business and get working on your GDPR plan.

Owen Gough

Owen Gough

Owen Gough is a reporter for He has a background in small business marketing strategies and is responsible for writing content on subjects ranging from small business finance to technology...

Related Topics