Skip to the content

Information Commissioner’s Office for GDPR regulations


We wrote in a previous blog about GDPR and how it effects every business in the UK, as well as any global company holding data on businesses in the EU. There are a lot of people concerned about the General Data Protection Regulations (GDPR) regarding what it means and what you must do to be covered. A lot of these are companies trying to sell solutions that are either directly or loosely related and care must be taken to not buy something that isn’t actually required.

The suggestion here is to start with the Information Commissioner’s Office, the ICO , as they are providing a lot of independent advice and are the people dishing out fines. Their document “ Preparing for the General Data Protection Regulation (GDPR) - 12 steps to take now ” gives a good overview providing an understanding of the areas covered and what needs addressing. To help you to get the ball rolling, this blog is a short summary of those points.


All of the information we provide is to our best understanding at the time of writing, however this blog does not offer legal advice. If you require advice on your specific business we recommend that you seek independent legal advice. 

1. Awareness

It is important that key people in your organisation are aware of GDPR and the direct implications to the business. Due to the significant implications to your organisation, GDPR may effect systems, procedures and resources. The sooner this is managed by your company the easier it will be to be compliant.

Information Commissioner’s Office advice on securing data under GDPR regulations

2. The Information that You Hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas.

3. Communicating Privacy Information

A key element to GDPR, as it was in the DPA, is transparency and providing accessible information about how you will use personal data. The most common practice is to provide a privacy notice, for which the   requirement under GDPR   is extended over the DPA.

4. Individual’s Rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling.

5. Subject Access Requests

You will be required to respond to requests about the data that you hold within 1 month, such as what data and why you are holding it. You are not generally allowed to charge for access requests, however there are exceptions for requesting pay or refusing in extreme circumstances. If you have automatic processing of data, such as ratings, credit checks, etc, there is a separate set of rules.

6. Lawful Basis for Processing Personal Data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

Information Commissioner’s Office advice on consent under GDPR regulations

7. Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. Unlike the DPA, there must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must not be a mandatory part of the provision of products or services; for times when data collection must be taken as mandatory (such as for credit checks) then alternative lawful basis must be in place.

8. Children

You should start considering putting systems in place to verify individual’s ages, as children’s personal data may require consent from a guardian for anyone under 16 ( this may be lowered to 13 in the UK).

9. Data Breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments

The GDPR makes privacy by design approach an express legal requirement. In some circumstances it is mandatory to carry out a Privacy Impact Assessment (PIA), now referred to as ‘Data Protection Impact Assessments’ or DPIAs.

11. Data Protection Officers (DPO)

Organisations such as public authorities are required to appoint a DPO. However, irrespective of whether you are required to have a DPO, you are advised to designate individuals to take responsibility for the data protection compliance in your organisation.

12. International

If you process data across a number of EU member states, you are advised to follow the authority of the data protection supervisory authority in the country that you complete the most significant decisions about processing activities. 

Stay tuned for more GDPR information and advice

Stay Tuned for More GDPR Information

In our next GDPR blog we will be looking at providing more information on addressing the legislation from a practical point of view. We will also look at how both the Microsoft offerings and our own solutions will help with addressing those points, which will hopefully give an idea of what you need to do with your own systems. If you would like to stay up to date with our news please sign up.

Jesse Lawrence

Jesse is our marketing manager, keeping an eye on the latest news in the market as well as having worked on the GDPR legislation. 

I find their approach to our relationship very professional whilst being refreshingly realistic. We now consider them to be part of our team

Technical Director, Bainbridge International

Partner with the Experts

With over 300 years of combined experience in Microsoft business solutions, our team will help to get you up and running, as well as building a partnership that keeps you supported, all from our UK offices. 

From functionality and licensing to business strategy, we like your questions; contact our experienced team for open, honest and reliable advice so that we can find the answers.

飞鱼电竞押注网站 28加拿大记录手机版数据 江湖电竞最新版比赛(江湖电竞投注app网站) 金沙电竞app pc加拿大28计划最稳胆码授权平台 街霸5(上海)查询APP v8.6