How to comply with the UK’s data protection rules (GDPR): your step-by-step guide

Written with: Ankura

What’s in this guide?

This guide sets out our recommended recipe for data-handling success: the essential background and the vital steps you can take to make sure you are complying with the UK’s exacting data protection regime.

Our materials and supporting videos will help you do this quickly and simply. You don’t need any prior knowledge of law or of data protection practice. We assume you have had no previous exposure to this topic beyond reading our introductory guide to what the UK data protection rules mean for small businesses. We recommend reading that guide first: it will help you identify the different types of data you may be collecting and handling, and it explains why, and how, you are required to do certain things.

Along the way, we’ll showcase some great tools and techniques to make the process a whole lot easier and clearer.

If you are already familiar with the UK’s data protection regime, this guide is a useful refresher and a cross-check on what you already have in place. If you’re not already using them, you may also find the tools and techniques we use with our experts helpful, stress-relieving and time-saving.


What's in it for you?

By the time you’ve taken the recommended steps in this ‘recipe’-format guide, you’ll have:

The ingredients that you need to help run your business:

  • compliantly, avoiding all the downsides of non-compliance (we go into these in more detail below)
  • with customer and wider stakeholder confidence in your competence as a business owner/manager, which enhances your reputation and trustworthiness and typically opens up wider business opportunities.

Taken the essential steps to help achieve that compliance and confidence

A very clear, helpfully detailed map of the data coming into and being handled by your business: what it is; where it is requested, received, used and/or stored; and whether you have the right permission to be doing any of those things with it. We help to make this easier than you’d imagine.

Identified your status in relation to that personal data: you’ll know whether, in addition to being a data controller of personal data relating to your staff, customers and other contacts (as almost all of us are), you are also a data processor of personal data that other businesses lawfully share with you (payroll providers, events organisers and email marketing service businesses, for example, are often processors as well as controllers).

Created all the vital documentation: the data protection and data-handling policies and the privacy notices your business needs in order to be compliant, made available to your staff and to the other contacts who need to comply with them and/or understand how you operate.

These materials are essential for anyone handling personal data; for anyone with a website or other online presence (whether or not you sell through it) who trades in any way with customers of any description (especially consumers); and for anyone providing services to other businesses that give you access to customers or to other data containing personal data.

Thorough data recording and retention/deletion processes in place, including good governance (and monitoring) practices.

Confidence: you’ll know what data protection compliance means for you, and you’ll have a means of training others who join or work with your business so that they are equally equipped to play their part. You’ll also be able to demonstrate a responsible approach to data protection compliance that meets the accountability requirements of the UK’s data protection regime.

Step 1: data map your business

As a very first step, you need to understand what data, including personal data, is coming into your business (and how it gets there), how your business uses it, whether it shares it, and where it stores (or removes) it.

Pulling this picture together is called ‘data-mapping’, or sometimes ‘data-auditing’.

This might sound daunting. It needn’t be. We recommend a straightforward landscape-listing tool to help you conduct this exercise.

What you’re doing here is segmenting your business into its core activities/functions and then examining each of them in more detail. Doing so lets you pull in the relevant members of your different teams/functions to help map the data they hold and use.


Carrying out this exercise will not only make every other aspect of compliance far easier; it is also something you can produce in evidence of your compliance if the Information Commissioner’s Office, or a court, ever calls on you to do so. The UK rules oblige you to be able to evidence that you have taken sensible and robust steps to comply (the ‘accountability principle’ in the rules).

It will also help you stay compliant in future: the data map is a record you can revisit and update as your business grows and develops. Each new development can be added to your existing audit, which helps you work out what else needs to be considered from a data protection point of view.

Step 2: Minimise the data you’re collecting/holding/sharing

Once you’ve mapped out your own data landscape, you’ll be able to take a more informed and objective look at how much personal data you’ve got, what you’re doing with it and, importantly, whether you in fact need it all.

UK law requires that the personal data you process is limited to the minimum necessary for the purposes for which it was obtained (the data minimisation principle), and that you keep it for no longer than is necessary for those purposes (the storage limitation principle).

So if you discover at this stage that you’ve got more personal data than you genuinely need (‘nice-to-have’ or ‘just-in-case’ data), you need to stop collecting it and securely delete what you already hold. If you are keeping data for longer than you need it, delete it, carefully and securely. You have a duty to prevent any of this data, in any format whatsoever, falling into other hands.

While we can connect you with some very fine advisers in the UK, and we collaborate with them to provide you with great materials, Farillio itself is not a law firm. We do not directly provide legal advice ourselves. All resources are available for you to use (according to our terms and conditions), but those resources are not legal advice to you and neither are they a substitute for you taking legal advice from a lawyer.


© 2017-2023 Farillio Limited.