Nailing GDPR in five easy steps

Posted: Thu 4th Aug 2022

Following his barnstorming Lunch and Learn webinar on this very topic, Michael Buckworth follows up with a blog post talking all things GDPR.

Before we get into the five steps you must do to nail GDPR, here are five things you may not know about GDPR:

  1. GDPR is a journey, not a destination. GDPR is about understanding the personal data you process, the legal basis on which you process it, and what you do with it. Personal data is any information that identifies an individual (e.g. name, address, email address).

    As a business owner, you need to ask yourself: what am I collecting, why am I collecting it, and what am I going to do with it? You then must explain all of that to your customers and ensure that you process the data in compliance with the law. This is an ongoing process that you need to keep thinking about as a founder.

  2. You may not mean GDPR. GDPR is the original EU legislation, incorporated into UK law by the Data Protection Act 2018. Since Brexit, the UK has made moderate changes to its version, the so-called UK-GDPR. If you only process personal data within the UK about data subjects located in the UK, then your obligation is to comply with the data protection legislation in the UK.

    However, if you are processing data in Europe, then you will need to comply with the EU legislation. The same goes for regions outside the UK and EU, where you will need to understand the jurisdiction’s own data protection laws and ensure you comply with those.

  3. More than just a privacy policy. A privacy policy explains what personal data you collect, what you do with it and who might process it on your behalf. It is an important document that almost all businesses should have. However, you will also need a Data Processing Agreement, which is an agreement you put in place with anybody who is processing personal data on your behalf.

    An example of this is a service provider such as a CRM platform that collects data on your behalf. Data processing agreements should be in place with processors, requiring them to process personal data in a compliant manner. If they transfer data to a country that doesn’t have a data protection regime equivalent to the UK’s (including the US), you will need to put in place Standard Contractual Clauses (SCCs) with the processor.

  4. Compliance is risk management. Everything to do with running a business is about risk management, and data protection works exactly the same way. UK-GDPR encourages businesses to take a risk-based approach to compliance. In other words, if what you are doing is low risk in terms of data protection (name, address, email), then you’ll have to do less in terms of compliance, and if what you are doing is high risk (sensitive data), then you’ll be obliged to meet a higher standard of compliance.

    For example, if you are a beauty therapist and you collect the names and mailing addresses of your clients to send them a birthday card, this is considered low risk. However, if you own an online GP practice, where customers engage with doctors through apps and video calls and disclose personal health information, this is sensitive data and therefore higher risk. Data risk management is crucial to your business: you need to consider the types of data you process, how sensitive they would be if disclosed, the likelihood of data loss, and so on.

  5. Customers are the problem…and the solution. Where GDPR is concerned, customers or other people you deal with may make complaints against your business. The best way to avoid this is by preventing complaints from arising in the first place. When setting up your compliance, you should consider ways of establishing trust with your customers. So, what should you not do?

  • Spamming – sending numerous emails annoys people and risks complaints

  • Cold calling – nothing angers busy people more than getting an unsolicited sales call

  • Not responding to questions and complaints about data protection. In many cases, this is down to poor customer service, where complaints have been ignored, mishandled or dealt with in the wrong way. Make sure these are resolved quickly, properly, and accurately.

  • Failing to provide an opt-out button – always give people the choice to unsubscribe from your marketing mailing lists.

So what are the five key steps in nailing GDPR?

  1. Identify and map personal data – understand exactly where data is coming from and where it’s going to

  2. Figure out the legal basis for processing – UK-GDPR sets out the legal justifications for processing personal data, such as consent, legitimate interest, and contractual obligation

  3. Do you transfer personal data outside of the UK/EU? If you transfer data to a service provider and they consequently store it outside the UK or EU, that is a transfer out. You must ensure you have the correct legal documentation in place to authorise that

  4. Draft documentation – privacy policy, data processing agreements, SCCs. It’s not just a privacy policy you need to worry about. Based on the jurisdiction of your data storage and processing, there may be further documentation you need to understand and comply with.

  5. Make your team aware of their obligations and prep your customer services team. Personally, I think this is the most important step. Ensure your team understands how you process personal data, what you do with it and how they should respond to queries. If you can nail the client interaction and make sure your customer services team responds in the right manner, you can shut down a lot of potential complaints before they get too far.

You can watch the full Lunch and Learn webinar on GDPR with Michael Buckworth here.

Finally, be sure to connect with him on Enterprise Nation for more business support.
