
In this article:

  • What is GDPR? 
  • Which businesses are affected? 
  • 12 Steps to GDPR compliance 

What is GDPR?

GDPR – which stands for General Data Protection Regulation – was developed by the European Parliament and aims to strengthen data protection laws for individuals within the European Union. It is designed to simplify and unify data protection laws across all countries in the EU.

The regulation becomes enforceable on 25 May 2018, at which point businesses need to ensure they are fully compliant, or they risk incurring hefty financial penalties. Far from being simply a tick box exercise, complying with GDPR requires planning and, in some cases, a complete change in processes and procedures. Taking action well ahead of the deadline is therefore vital.

Are you GDPR compliant?

It’s a question that businesses are likely to hear a lot in the coming months, as the crucial 25 May 2018 deadline fast approaches.

So, who does GDPR affect and what action should you take?

Which businesses are affected?

GDPR affects any business that holds or processes personal information about residents of the European Union. This is true even if the business itself is based outside the EU. Following Brexit, the rules will still apply in the UK, with the government planning to introduce a data protection bill that will closely mirror GDPR and its requirements.

At the heart of GDPR is personal information, which is defined as any information that can be used to identify a person (directly or indirectly), including: name, identification number, address and IP address. It also covers sensitive personal information, such as: genetic data, health, sex life, sexual orientation, religious & political views, and mental, physiological, economic, cultural or social identities. Basically, anything that could put someone at risk of unlawful discrimination.

GDPR is likely to mean big changes in the way businesses collect, store and process information about individuals.

When holding personal information, businesses must ensure:

  • It is processed lawfully, fairly and in a transparent manner 
  • That data is only processed for a specified, explicit and legitimate purpose 
  • Any information held must be relevant to the specified purpose 
  • All data must be accurate and up to date 
  • No data is kept for longer than necessary 
  • Information is handled and processed in a way that maintains security 
  • There must be a ‘lawful basis’ for processing the data

12 steps to GDPR compliance 

To help you ensure you are compliant with GDPR, we’ve broken the process down into 12 steps: 

1. Raise awareness

GDPR isn’t just something that will concern marketing teams. Everyone in the business needs to know about the changes in legislation that will come into force on 25 May 2018. Make sure that the implications of GDPR are clear to everyone within your organisation, and task a team member with taking the lead on it, researching and collating information. Looking at your risk register (if you have one) can be a good starting point – or start one if you don’t! 

2. Document all the personal data you hold

Conduct a thorough information audit. Make sure that you have clearly documented all the personal data you currently hold. This should include where you sourced it from, what details it includes, what it is being used for and who has access to it. 

    3. Clearly communicate your updated privacy policy

Review your current privacy policy to make sure it complies with the new rules. When collecting personal data, you are obliged to provide certain information, including your identity and how you intend to use the information gathered. Under GDPR, you will also be required to make individuals aware of additional issues, such as what your lawful basis for processing their data is (see Point 7), how long the data will be kept and that they have the right to complain to the ICO if they feel their data is being handled in an unlawful way. 

4. Make sure you understand individual rights 

GDPR sets out the following rights for individuals:

  • The right to be informed 

  • The right of access 

  • The right of rectification 

  • The right to erasure 

  • The right to restrict processing 

  • The right to data portability 

  • The right to object 

Once the new legislation comes into force, you need to be able to handle any such requests. That means it’s vital you have well-organised databases and procedures.

5. Put processes in place for handling requests 

Make sure you have a clear process mapped out, which will be followed when any requests are raised. Give somebody within the organisation responsibility for handling such requests. The business will have just 30 days to comply with any request. Also, bear in mind that in most cases, you won’t be able to charge for this. Requests can include:

  • right to object
  • right of deletion
  • request for data held 

6. Identify the lawful basis for processing personal data

You need to have a lawful reason for holding and processing any personal data. You need to identify and document what that lawful basis is, and it needs to be clearly communicated within your privacy policy. 

There are six potential options – consent, contract, legal obligation, vital interests, legitimate interests and public interest. The one you use will depend on the purpose of the data and the relationship you hold with the individual. It is important to select the most suitable one for your business from the start, as you won’t be able to change it later without providing a very good reason. 

Under GDPR, an individual’s rights will vary depending on the lawful basis on which their data is being processed. For example, if consent is the basis for processing, then individuals have stronger rights to demand the deletion of their data.

7. Understand what 'legitimate interests' means

‘Legitimate interests’ is the most flexible lawful basis available for processing. However, it won’t always be appropriate. You must show you’ve balanced your own interests against the individual’s interests and if there is another less intrusive way to achieve the same result, then it should be followed.

If you decide to use legitimate interests as the lawful basis of your data processing, then a Legitimate Interests Assessment (LIA) must be completed in all instances. An LIA is effectively a risk assessment. It ensures you have gone through a comprehensive decision-making process to balance your own interests and those of the data subject.

There are three key elements. You need to:

  • Identify what your legitimate interests are 

  • Show that processing the data is necessary 

  • Balance this need against the individual’s interests, rights and freedoms

8. Handling data breaches

A personal data breach is defined by the ICO as ‘any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. This includes both accidental and deliberate breaches. You need to ensure that you have strong processes in place to detect, report and investigate potential personal data breaches. 

Some organisations are already required to notify the ICO if they have suffered a data breach. You will only need to notify them of a breach if there is a risk to the rights and freedoms of individuals which could potentially result in them being discriminated against, suffering financial loss, loss of confidentiality, damage to their reputation or any other social or economic disadvantage. You will need to make your report to the ICO within 72 hours.

9. Carry out a Privacy Impact Assessment (PIA) 

GDPR makes privacy by design an express legal requirement. It also makes Privacy Impact Assessments (PIAs) – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances. A PIA may not be required in all circumstances, but it is important to understand where it is necessary, for example:

  • Where a new technology is being deployed 

  • Where a profiling operation is likely to significantly affect 

  • Where there is processing on a large scale of special categories of data 

10. Assign a Data Protection Officer 

Certain organisations are required to formally designate a Data Protection Officer (DPO); the Data Protection Officer can also have other responsibilities within the business. Organisations that must designate a DPO include: 

  • Public authorities (except for courts acting in their judicial capacity) 

  • Organisations that carry out regular and systematic monitoring of individuals on a large scale 

  • Organisations that carry out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.

It is vital that whoever takes responsibility for your data protection compliance does so effectively and has the knowledge, support and authority to carry out their role.

11. Consider international implications

This point is only relevant for organisations that carry out cross-border processing. For any business which operates in more than one EU member state, you are required to determine and document who your lead data protection supervisory authority is. That means you need to disclose who the supervisory authority is in the state where your ‘main establishment’ is (i.e. the location where your central administration in the EU is, or the location where decisions about the purposes and means of processing are taken and implemented). 

If this rule applies to you, then map out where your organisation makes its most significant decisions about its processing activities. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.

12. Update systems and processes

Now is the time. Ensure processes are updated and systems are adjusted in readiness for GDPR. Once you’ve mapped your data, considered the lawful basis for processing and documented everything – now is the time to take action and implement change! Don’t delay.

For more information see the ICO ‘Guide to the General Data Protection Regulation (GDPR)’.

Ready to fuel your sales pipeline with GDPR compliant leads? 

Uncover who your anonymous website visitors are, identify when they're ready to buy and access the contact details you need whilst also being compliant with GDPR. 

Lead Forensics primarily sources business data, which is not applicable under GDPR. Where personal data is processed – the email address and names of the key decision makers, it is compliant under GDPR given the legitimate interest in your products or services from the pro-active visit by the organisation at which the data subject is employed. The beauty of Lead Forensics, is that whatever data we provide you with, it all stems from a legitimate interest. We only supply you with data for a company contact because someone from that specific organisation has visited your website, showing a legitimate interest in what you’re offering.

Get started with a free trial of Lead Forensics

DISCLAIMER: Lead Forensics is a global market leading SaaS organisation. We have conducted extensive research into the GDPR and have an active working knowledge intended to help our clients to become better prepared ahead of the GDPR coming into force. Lead Forensics however does not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own; it is the responsibility of each business to ensure their own compliance with the GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further information.

What can Lead Forensics do for your business?

Imagine if you could take control of your lead generation activity and convert sales-ready prospects, before your competitors even get close? Lead Forensics is the software that reveals the identity of your anonymous website visitors, and turns them into actionable sales-ready leads. In real-time.

Lead Forensics can:

  • Tell you who is visiting your website
  • Provide highly valuable contact information including telephone numbers and email addresses
  • Give insight into what each visitor has looked at, as well as where they came from.

Take a look for yourself with a free, no obligation trial – you can get started today!
