• General Data Protection Regulations

    General Data Protection Regulations or GDPR for short!

    You may think that data protection regulations aren’t your department’s concern. But these regulations affect every department that uses an individual’s data, whether to send marketing communications or to manage customers’ payments.

    If you work in business, it is likely you will manage customer records. All data relating to identifiable individuals, including financial data, is covered by the current Data Protection Act 1988, but this Act will be superseded by the General Data Protection Regulation (GDPR) on 25 May 2018.

    The introduction of GDPR will mean a number of changes in how businesses operating throughout the EU manage data.

    What are the key points of GDPR?

    Here’s a summary of some of the key changes:

    If your organisation is a public authority, processes large amounts of data or carries out large-scale monitoring of individuals, then it will need to appoint a Data Protection Officer
    If the organisation processes high-risk or sensitive data, you may need to conduct a data privacy impact assessment

    Consent and opt-in

    The organisation needs to prove that it is ‘lawfully processing’ contact data; this ‘lawful processing’ needs to be documented
    Lawful processing is likely to be either consent (the contact opting in to their data being used) or the necessary performance of a contract. Consent is going to be the most commonly used basis
    Consent must be considered ‘granular’, i.e. people can opt in to certain things but not others
    With regards to existing data, the company will need to refresh consent if there is no record of it currently or where none has been gained in the past
    There are a variety of ways you can gain consent but pre-checked boxes are no longer allowed

    Individuals’ rights

    Individuals have more rights under GDPR
    Existing (but amended) rights include the right to access their data and the right to have data corrected
    New rights include the right to be forgotten, the right to port their data to another company and the right to restrict the processing of their data for automated profiling purposes

    Company policies

    Your internal data protection policy will need updating to include all of the above
    It also needs to include a policy of data breach detection, reporting and investigation
    Your cookie policy needs to include any online unique identifiers used, for example Google Analytics cookies
    Ideally, your company should map data journeys to fully understand where data goes in the company, when permission is gained and what protection exists at each stage. Your consent notices and privacy policy will also need updating

    What should I be doing?

    You should get involved in any action groups that have been set up in your organisation in order to make sure the accounting function is suitably considered in any audits and data mapping. You will also need to be aware of how any proposed changes in data policy will affect how you work with and manage data passing through your department.

    Don’t leave it until the last minute: get to grips with GDPR now.

    For more information visit the ICO website.