A twelve step GDPR action plan


General Data Protection Regulation, or GDPR for short, is the topic on everyone’s mind at the moment, but what does it actually mean for the IT industry and how ready are its businesses?

A recent survey revealed that only 7% of respondents felt very prepared for GDPR. The majority (50%) felt somewhat ready, 25% felt not very or not at all prepared, and 4% had no awareness of GDPR at all.

In response to the level of interest, Julia Seary, company commercial partner at Roythornes Solicitors, has pulled together a handy 12-point action plan. Julia says:

Each business and industry has different ‘pain points’ with the new regulation, but a good place to start is with an action plan such as the one I have created:


  1. Nominate a GDPR lead or Data Processing Officer (DPO) to front the initiative
  2. Carry out a data mapping review to understand what data you hold and where it has come from
  3. Update your customer facing privacy notices
  4. Review and update all relevant data-related policies and procedures
  5. Clarify and document the legal basis that you are relying on for processing data
  6. Remove any opt-out pre-ticked consent boxes and replace with opt-in boxes
  7. Check your marketing lists comply with the new regulation
  8. Understand how and when to respond to Data Subject Access Requests (DSARs)
  9. Check your IT systems can properly support compliance
  10. Review all third-party supplier arrangements with regard to the new regulatory requirements
  11. Review any international data flow if relevant to your company
  12. Ensure staff are adequately briefed and carry out ongoing audits


The most pertinent aspect of the action plan for the IT industry is to ‘check your IT systems can properly support compliance’. Depending upon the type of data you are handling, it is worth thinking about the accessibility of information, whether or not information can be easily amended or erased, and how secure your systems are. It is also key to set up security protocols and have a clear mitigation and reporting plan in place in case of a data breach; the regulation requires notifiable breaches to be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, so the plan must be workable at short notice.

There are many old and new rules coming into force, but the crucial aspects to bear in mind for any industry include the tighter scope of explicit consent (do you have it and, if not, how do you legally get it), increased transparency (the new ‘right to be forgotten’ and ‘right to be informed’ rules), and the need to demonstrate compliance if the Information Commissioner’s Office (ICO) suspects any misconduct.