11 tips to prepare your business for the new EU data protection rules

May 24th, 2016
Alex Wheal

As a Commercial Client Manager at Hiscox, Alex Wheal works closely with technology start-ups to help them understand key risks.

Law firm Pinsent Masons has put together some practical tips to help your small business comply with the EU’s new data protection rules, known as the General Data Protection Regulation (GDPR), which will apply to all EU member states from 25 May 2018.
  1. Put together your GDPR implementation task force
  2. Start the process, where applicable, of appointing your data protection officer
  3. Review IT systems and internal processes to ensure that an individual’s data can be captured not only for the purpose of data portability (ie passing a copy to the data subject or another controller) but also so that such data can be deleted easily
  4. Conduct an audit of what personal data your organisation holds, how it is being used, to whom it is being disclosed, and to where it is being transferred
  5. Review and update customer privacy notices to reflect the new transparency requirements of the GDPR
  6. Start reviewing data protection clauses used (both for templates and live negotiations) in supplier agreements to include the mandatory provisions and an appropriate change of law clause
  7. Develop a template ‘data protection impact assessment’ to be used in any upcoming high risk projects
  8. Suppliers performing the processor role will need to review the scope of their obligations and their liability/indemnity provisions, given their new exposure under the GDPR
  9. Review existing processes and procedures for subject access requests, including the development of template response forms and assessing whether the one-month response deadline could be met
  10. Review breach notification and management systems and procedures, including draft notification forms for both notifications to the supervisory authority and affected individuals (or controllers as applicable)
  11. Start putting together training materials to raise staff awareness of the new rules under the GDPR