Back to Insights Back to Insights
If your company is still navigating its way through the EU General Data Protection Regulation, (despite the compliance deadline having come and gone) there are 5 immediate steps you can take RIGHT NOW to become GDPR compliant as soon as possible and get rid of your GDPR hangover!


An absolutely essential part of being GDPR compliant is having the right documents in place that show the ICO that you have taken the necessary steps to become GDPR compliant should an investigation or audit ever take place.

The right GDPR documents should typically include:

Data Protection Policy (internal document) 
Data Retention Policy (internal document) 
IT Security Policy (internal document) 
Data Privacy Policy (to be issued to your data subjects, typically appearing on your website) 
Terms of Website Use (available on your website) 
Employees Privacy Notice (to be issued to employees) 
Updates to employees’ contracts of employment 
Data Processing Agreement (or amendments to existing contracts) where either your organisation or a third-party organisation providing their services to you may be classified as a Data Processor 
Amendments to Data Controller agreements where typically both parties to a contract may share personal data
Data Protection Impact Assessments, where necessary 
Correct language for obtaining consent 
Communicating changes to your Privacy Policy to your data subjects, such as customers. 
You may also need to have other documents and/or statements, depending on the nature of your particular business so it’s best to seek expert advice too so you can get it right for YOUR business. It is also very important to remember that compliance with all of your established policies and procedures is as important as having them in place and you will need to train your staff accordingly.


GDPR is an important piece of legislation and as you may know the breach of its provisions may cost up to 20 million Euro or up to 4% of a company’s worldwide turnover (whichever is the greater) not to mention potential negative publicity and damage to reputation so it is important to get it right and make sure that senior staff with an overview of the whole business are involved and that the right amount of time and resources are allocated.

3.  ASSESS HOW YOUR ORGANISATION USES PERSONAL DATA Personal data is information that allows identifying an individual directly or indirectly, including their name, contact details, ID number, IP address, photographs and similar. It is important to take an assessment of what exact types of personal data are processed within your organisation and how they are collected, shared, stored, disclosed and are otherwise processed by your company.   

You will also need to note reasons and the lawful basis for the processing of each of the categories of personal data by data subject so for example for your customers, employees, sub-contractors, suppliers, contractors, business contacts and any other type of data subject that is applicable to your business. You might find it useful to create a spreadsheet and even flowchart diagrams as a starting point and you will need all this information for your Data Protection Policy and other GDPR related documents.


One of the GDPR principles is to not keep personal data for longer than necessary so you will need to establish how long you will keep different categories of data for and when you will need to dispose of it securely. Retention periods will vary by organisation.


You must ensure that you have appropriate security measures in place in order to protect personal data, taking into account the resources of your organisation, as well as the nature of personal data itself and the potential harm that a security breach might cause. This is relevant to both paper and electronic documents with both physical and IT security measures being important. A security breach will need to be reported to the Information Commissioner’s Office (ICO) within 72 hours of its occurrence and there must be procedures in place within your organisation to make sure this happens on time, especially when third parties are involved. 

It may all seem quite daunting but it is more important than ever to tackle your GDPR compliance. Now is the time for ACTION and remember LawBite is here to help!

To consult with the Lawbrief lawyer Alla, please submit an enquiry for a free 15-minute consultation or call the dedicated GDPR Hotline 0845 241 1843. To find out more please click here.

 Journey further… 
How LawBite works LawBite GDPR Rescue Package

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.

Free legal support for businesses

The LawBite Free Essentials Plan acts as your very own legal assistant, ready to provide expertise and guidance on the common legal issues that SMEs and businesses face.

Free Templates
  • X 3 legal document templates
  • Drafted by our expert lawyers
  • New documents added every month
Legal Healthcheck Tools
  • Business-specific surveys
  • Understand how compliant you are
  • Checks in, GDPR, IP, Brexit and more
Resources, Webinars and Articles
  • Access to the latest LawBite events
  • Legal guides for businesses
  • Smarter business law videos