GDPR: Ten things you should do to ensure compliance

Following Tuesday’s news that only six per cent of FTSE 350 companies are properly prepared for the General Data Protection Regulation (GDPR), EssentialSkillz CEO Julian Roberts gives a rundown of his top ten tips for getting ready for 25th May 2018.

All businesses in the UK need to adhere to the EU’s new GDPR legal framework when it comes to the customer data they hold and how it’s used. It’s a very complex topic with some hefty penalties, so it’s something that organisations should start to understand and be well equipped for ahead of the deadline – and this includes training all employees.

If businesses fail to recognise the regulations and comply, they face penalties of up to 4 per cent of a company’s global annual turnover or €20 million (£18.6 million), so it is something all organisations should take seriously, as this size of fine could end a business.

When it comes to training employees, there are a few main things business owners should know about the GDPR and what to consider as part of the training and compliance process:

  1. Get to grips with the GDPR
    Everyone in the company needs to know the basic principles of the GDPR and how it differs from the UK Data Protection Act and the EU Data Protection Directive.
  2. Know who the GDPR applies to
    The GDPR applies directly and should reduce the level of national data protection variation across member states of the EU. It applies to organisations based in the EU and those outside the EU if they process the personal data of EU residents.
  3. Know the penalties
    Four per cent of global turnover or €20 million (£18.6 million) – whichever is greater.
  4. Stress everyone’s responsibility
    It’s important to trickle down the responsibility to each and every employee, as anyone working with personal data of any kind needs to be compliant with the changes coming into effect.
  5. Know what’s classified as personal data
    It includes anything from data on location to online identifiers.
  6. Ensure consent for the data
    Any personal data a company holds should have appropriate and explicit consent given by the owner for the desired use. The consent must be informed, specific and unambiguous.
  7. Understand the data processing principles
    The GDPR framework outlines these principles, which include a new accountability principle for data controllers and processors, who must be able to demonstrate compliance.
  8. Know individuals’ rights
    Under the GDPR, individuals have the right to obtain information from the data controller on how and where their data is being used.
  9. Be prepared to provide individual data
    The data controller must provide individual data upon request free of charge. If rights are infringed, individuals can take legal action against data controllers and data processors.
  10. Train your staff
    Although it might seem a lot to digest, it’s manageable with the right training on all of the above, provided organisations start training all staff soon to ensure company-wide compliance.

The GDPR is a complicated subject, which is why it’s vital that businesses start to get to grips with the principles and practicalities well ahead of the deadline.

It may seem daunting, but with the right training, organisations can be safe in the knowledge that all staff are educated and the business is moving towards compliance.


EssentialSkillz has launched a course aimed at employees at all levels to start their preparations for GDPR. The 50-minute course is ideal for all employees to provide an understanding of GDPR from every angle so that they can apply the learning and be confident in achieving compliance.


