As the General Data Protection Regulation (GDPR) is coming into force tomorrow, 25 May, we are using the new edition of our Newsletter to highlight some of the important changes with which all businesses are having to come to grips.


We see many of the changes in data protection law introduced by the GDPR as a positive step forward, as they increase your existing rights to data privacy and security, as well as improving the protection of your personal information. 

At Barrett & Co, we have updated our privacy policy to reflect those positive changes, including how we collect, store and handle the personal data of the individuals with whom we interact. We also outline how people can contact us to exercise their rights.

Privacy is not a new concept, but the GDPR and the new Data Protection Act will ensure that we become trusted guardians of personal data . . . or face the consequences.

You may be surprised to read the next sentence, bearing in mind this is being published by a firm of solicitors. Contrary to what many commentators have been saying about the GDPR, compliance does not have to be overly complex. There are a handful of steps which are common to most organisations, and they form a logical process.

1. Assess, analyse and prioritise the risks 

The first step to complying with the GDPR is to detail and assess the risks to your organisation and to the rights of the individual. This can be achieved in a variety of ways, including a readiness survey, GAP analysis, preparing a process register and then a risk register. It may be useful to present the risks in an organisational risk heat map, to focus understanding, effort and budget. In that way, the highest risks are allocated the greatest proportion of your time and resource. Preparing a process register is one of the most critical parts of these exercises. In order to fix a problem, you must first understand what is broken.

2. Create your policies, procedures and agreements

Once you understand the issues, you can implement appropriate policies and procedures. The following list forms a standard requirement, although your organisation may not require all items.

(a) PIMS (Personal Information Management System) – your PIMS is a template for you to develop and integrate with your existing policies. It is your “master control”, a live document unique to your organisation and, like your Process Register, will require your continual attention and adjustment. 

(b) Process Register

(c) Organisational Privacy Risk Register

(d) Readiness Assessment and GAP Analysis

(e) Data Protection and Privacy Policy

(f) Data Protection Policy Statement

(g) Privacy and Cookie Notice

(h) Privacy Procedure

(i) Training Policy

(j) Subject Access Request Procedure

(k) Records Management Policy

(l) Information Security Policy

(m) Data Protection Privacy Impact Assessment (DPIA) Procedure

(n) Consent and Consent Withdrawal Procedure

(o) Data Breach Procedure

(p) Complaints Procedure

(q) Data Sharing Policy

(r) Third Party Service Provider Agreement for Data Processing

3. Develop workable processes to plan for continual maintenance and improvement

Once your policies and agreements are in place, you can then develop the process controls to keep these up to date and relevant. Complying with the GDPR is far more than a paper exercise. Real changes must be demonstrated and provable in the very cultural fabric of your organisation.

If you would like any further information and advice on complying with the GDPR, please contact Justin Sadler on 0118 958 9711 or Justin offers a no obligation one hour fixed fee meeting for £95 including VAT. 

Unsure about how the GDPR will affect your business?

If you need any help or advice in complying with the GDPR laws, our specialist solicitors would be delighted to help you. We offer a £95 initial fixed fee meeting for 1 hour to provide initial advice on a range of legal issues. To find out more e-mail us at or call 0118 958 9711.


"barrettandco" and "Barrett & Co" are trading names of Barrett & Co Solicitors LLP, a Limited Liability Partnership incorporated in England and Wales under registration number OC356263, with registered office at Salisbury House, 54 Queens Road, Reading, Berkshire RG1 4AZ. Barrett & Co Solicitors LLP is authorised and regulated by the Solicitors Regulation Authority (SRA Number 549694).

© 2018 Barrett and Co. All rights reserved.