The General Data Protection Regulation

GDPR is an updated version of the Data Protection Act of 1984 for the 21st century and is designed to protect the confidentiality, integrity, and availability of personal data.

GDPR is not designed as a barrier to conducting business, but as the framework of requirements which organisations must achieve to be compliant with the regulations. However, the way your business achieves this compliance will be individual and specific to your company.

Personal data

...the personal data you hold

Any information directly or indirectly relating to an identifiable or identified natural living person whether in private, professional or public life.


...where it came from

Identify by what means information comes into your organisation whether it be by post, fax, email, social media, website or via electronic data interchange.


...who it is shared with

You may legitimately share information with Banks, Accountants, Payroll Bureaus and other such organisations; check their policies and procedures to ensure they are ready for GDPR.

...what is done with it and by whom

Knowing whether you are the “processor” or the “controller” of the data; sometimes you will be one or the other but for other types of data you may be both.

How long it will be kept for

Having a clear retention policy that outlines what data you are keeping, for what purpose and for how long ensures you know how to respond to requests from a data subject to be forgotten.

How it will be erased

It is no longer acceptable to keep data “just because”. You must inform people of the timescales in which their details will be destroyed, and you must document how you will destroy them.

HR requirements for new business GDPR

GDPR introduces the principle of accountability. All staff who are involved with personal data will be held accountable for their actions and must therefore receive training appropriate to their role so that they understand the requirements of the regulation and the actions that they individually must deliver to remain compliant.

GDPR HR requirements

The concept of accountability is a golden thread across the management of personal data, and organisations are required to develop and implement a needs-based data protection training programme for all staff. For companies that predominantly trade business to business, the data you hold within your HR records is likely to be the key collection of personal data. But it is equally important that you understand, document and communicate a clear and transparent policy with new applicants, existing staff and ex-employees in relation to their personal information.

Data Mapping

Experience to date has shown the value of a data map where all those who are involved with handling personal data can draw the processes and identify the risks, interactions and users.

We provide assistance in identifying the data to map, then entering this data into software that provides a user-friendly GDPR and ISO 27001 compliant report providing both a visual map and the associated documentation.


Compliant Documentation


Businesses are expected to put into place measures that include appropriate technical and organisational solutions to ensure transparency, accountability and governance and demonstrate compliance. Such measures should be designed to minimise the risk of data breaches and uphold the protection of personal data within the company.

Although there are ‘off the shelf’ solutions available to purchase, each still requires a degree of tailoring to fit the individual needs of each business implementing the package.

For the tailoring to be effective, the editor of the business processes must understand both the Regulations and the needs of your company. A cost-effective method of achieving this outcome is to work with a GDPR certified practitioner and combine your collective knowledge to build a suite of compliant procedural documentation which is relevant for the organisation.


Risk Assessment

Compliance will be assessed from 25th May 2018. Non-compliance with the regulations carries the risk of financial penalties. The Regulations allow for fines levied against the company by the Information Commissioner’s Office plus claims for compensation and liability by any persons who can show that they have suffered material or non-material damage because of infringement of the legislation.


Processes and Procedures

Both controllers and processors will be held liable for any data breaches and processes which infringe personal data security. To be exempt from liability, your business will need to prove that it has processes and procedures, including training of staff, in place which define and control how personal data is treated, and that you monitor the ongoing compliance of the data management processes and can prove such compliance. Records will therefore be key to all businesses for the ability to provide evidence to demonstrate compliance.

Risk Assessment

1. Identify

  • External events
  • New Products
  • Acquisitions
  • Changes to business process

2. Assess

  • Likelihood
  • Impact
  • Inherent
  • Residual

3. Mitigate

  • Avoid
  • Transfer
  • Mitigate by controls
  • Accept residual risk

4. Monitor and Report

  • KRIs
  • Loss data
  • Issue management
  • Risk appetite


Our certified GDPR practitioners are here to help you get your business ready for GDPR.