Is your business GDPR compliant?

Posted by Kate Osborne on in General, Tips

man in suit, blue, balls

On 25 May 2018 processing of personal data by organisations will have to comply with the General Data Protection Regulation (GDPR). This new EU regulation’s focus is the protection of personal data, i.e. data about individuals, and builds on existing data protection laws, setting out the responsibilities of businesses in relation to the personal data they collect, hold, transmit and otherwise use. Essentially it says, “If you want to offer your services or products to customers who are EU citizens, you better make sure you look after their personal data or else!”


The GDPR applies not just to organisations within the EU who process the data of individuals but also organisations outside the EU who offer goods or services to individuals in the EU, or who monitor the behaviour of individuals in the EU. Because the EU is a trading partner of most countries, the GDPR’s wider scope means it has implications for many businesses worldwide, and will effectively require them to be compliant if they wish to operate in EU member states either directly or as a third-party for others. For example, if a company based in the United States, or another non-EU country, collects or processes personal data of any employee, prospect, customer, partner, or supplier that is based in the EU, that company will need to be compliant with the GDPR.




  1. Take a personal data audit to help you to identify all of your data processors. List them all with either a 1 or a 3 to help you track which are first and which are third party data processors. And for each data processor consider what you are using the data for, where is the data being stored and whether you still need the data. For each of the third party data processors, check their respective privacy policies and make sure that they are GDPR compliant. If the third party is not yet compliant, contact them and find out if and when they plan on becoming compliant. In the unlikely situation where a third party data processor is not compliant and has no plans to become compliant by the 25th May 2018 deadline, you should seek to replace them with a similar but compliant provider.
  2. Detail the personal data audit on your website’s privacy policy page. As we’ve already mentioned, a big part of GDPR is communicating to your users about how and why you’re collecting and using their data. So tell them. Be clear and concise and give them a way to request a copy of it or have it deleted if they wish.
  3. Strengthen the weakest links. During your personal data audit any weaker parts of your website should come to light. An example could be the non-compliant third party data processor as described above. Other examples could be insecure (unencrypted) email accounts or website traffic. Another example might be contact form submissions that have been saved to your website’s database. These have likely long since been acted on or replied to so they no longer need to be kept. Whatever the weak links are you should aim to strengthen or remove them.
  4. Employ or designate a Data Protection Officer (DPO). A DPO is an individual designated by the Data Controller to be responsible for monitoring internal compliance of the GDPR within the organisation. This could be a specifically trained employee or a position that is out-sourced.

To ensure your business’ website and emails are compliant, or for help to achieve this, then please feel free to contact i catching design Tanzania today.

(Resources: Sage UK, Fellowship Productions, GDPR Conference:Europe)