GDPR Compliance

Policy and documentation setup, staff training, IT infrastructure implementation, and website compliance.

The EU's new data protection regulation came into force in May 2018. It is extremely important that it is taken seriously: the fines for non-compliance can be as high as £20 million or 4% of global turnover, whichever is higher.

Summary of Key Requirements

  • Conduct a review of all stored data, identifying personal information held on staff or customers and access levels
  • Delete any unnecessary data
  • Revoke access for employees who don’t need it; document who requires access and why
  • Prepare procedures and templates to provide individuals with their stored information upon request
  • Create documentation for data removal upon individual request, including backup systems
  • Encrypt all personal information in transit (names, addresses, DOB, phone numbers, pay slips, NI numbers, etc.) — unencrypted emails are no longer acceptable
  • Change from opt-out to opt-in permission; document and retain all consent records retrospectively

As best practice, these measures should be applied to business information as well.

Our Role

We are not GDPR specialist solicitors. Organisations with 50+ staff or specific requirements should seek expert legal advice. Areas where we offer assistance include:

  • Setting up company policies and documentation
  • Staff training
  • Implementing IT infrastructure changes
  • Ensuring infrastructure meets security requirements
  • Backup requirements and website compliance

Delivery Options

  1. DIY approach — We provide documents and templates for self-implementation
  2. Full service — We conduct an onsite assessment and implement on your behalf (hourly rate); you still receive a task list for ongoing compliance

Required Documentation Examples

  • Pseudonymisation, Minimisation and Encryption
  • Retention of Records
  • Data Protection Policy
  • Training Policy
  • Privacy Policy
  • Subject Access Request Procedure
  • Personal Data Breach Notification Procedure
  • Consent Procedure & Withdrawal
  • Retention and Disposal Schedule

Updates & Security Patches

Data security is a core part of GDPR. Every company has a legal responsibility to keep data safe. All software must be kept current with security patches and records maintained. Our Managed Workplace system runs updates during off-hours, provides compliance reports, and monitors for hardware failures, disk capacity issues, and unusual activity.

Commercial Antivirus

Free antivirus products are no longer acceptable under GDPR. If systems become infected and data is compromised, using free off-the-shelf products creates a difficult legal defence. We recommend paid business-grade security software with continuous updates, regular sweeps, and compliance documentation.

Hard Drive Encryption

Physical hardware theft is a real risk. At minimum, all servers and laptops should have encrypted hard drives to ensure stolen devices cannot be used to access data. Ideally, encrypt all hard drives across your organisation.

Backups

External backup hard drives must be encrypted. Offsite data should go to secure locations — preferably within the UK or Europe. We recommend secure offsite backups to protect against cryptolocker-type threats and ensure business continuity.

Encrypted Emails

It is no longer legal to send emails with personal or sensitive data without encryption. Emails traverse numerous servers and can be intercepted. We offer a Microsoft Outlook plugin that encrypts all attachments with passwords, either using a default password or individual passwords per recipient.

Access Permissions

Every company must ensure personal data can only be accessed by individuals who need it for their role. Network restructuring may be necessary, and regular access reviews are required to confirm continued necessity.

Website Compliance

Privacy Policy

A privacy policy is required company-wide but especially on your website. This must detail exactly what data is obtained, stored, and how it is used. It must be concise, transparent, intelligible, and easily accessible, written in clear, plain language and provided free of charge.

SSL Certificates

SSL certificates give website visitors assurance and encrypt the data exchanged between their browser and your site. While not always strictly required under GDPR, depending on the information collected, Google penalises sites without them in search rankings. We can set up SSL certificates for your website.

Newsletters & Marketing

Marketing correspondence now requires opt-in (not opt-out) consent. Customers must explicitly tick a box agreeing to be contacted, and consent must be logged and retained. This applies to email, post, and telephone. Customers can withdraw consent at any time and must be removed from lists promptly.

Staff Training

Staff represent the biggest GDPR compliance challenge. Many store passwords in their browsers, which creates a security risk if malware bypasses the antivirus. Training areas include:

  • Encrypted password storage for website access
  • Phishing detection and recognition
  • Fake news and social engineering awareness
  • Pop-up and ad blocker usage
  • Scam email recognition

Need help with GDPR compliance?

Whether you need a full assessment or just documentation templates, we can help you meet your data protection obligations.

Get in Touch