UK: Top 10 Tips To Prepare For The GDPR

1. Fully understand why you collect and hold data. The GDPR requires you to give more information to individuals explaining how their data is used – you can only do this if you understand the reason why you collected and hold it in the first place.

2. Stop collecting data you don't have a legitimate need for – addressing point 1 should help you identify where changes can be made.

3. Update your privacy notices to provide the additional information required by the GDPR.

4. Treat data such as IP addresses and other online identifiers as personal data.

5. Review your consent practices to bring them in line with the GDPR's standards. Many organisations we talk to are relying on consent when they don't need to – could you be doing the same?

6. Train staff on the enhanced data rights given to individuals by the GDPR. All staff should be aware of key changes, such as no longer being able to charge for responding to subject access requests.

7. Assess how long you retain data for, and how you store and secure it. The GDPR doesn't necessarily require you to change your practices on these points, but you shouldn't hold on to personal data for longer than you need to, and it needs to be kept secure.

8. Amend all of your data contracts. Even if they comply with the current law, they will need to meet additional requirements introduced by the GDPR.

9. Speak to any suppliers who process personal data for you in other jurisdictions (particularly those outside of the EEA). Additional requirements are being introduced when using data service providers outside of Europe, and your suppliers should be aware of these changes by now.

10. Keep records of what you are doing to prepare for the GDPR. Organisations will need to evidence their compliance with the legislation, under a new "accountability" concept included by the GDPR.