Countdown to GDPR: Policies and Procedures

by Thomas Fox

Today we are going to take a look at some of the basic policies and procedures that you need to have in place to comply with the new General Data Protection Regulation (GDPR) effective May 2018. I am joined in the exploration by Jonathan Armstrong, a partner at Cordery Compliance in London. GDPR compliance mandates some specific policies and procedures that Armstrong and the Cordery team suggest that you implement at this time for the GDPR go-live date of May 25, 2018.

Armstrong believes there are two key policies to begin your process with. The first should be an internal document sent to all employees which reiterates the basics of data protection: the simple tactics of being aware, deleting suspicious emails and not opening unknown attachments or attachments from indeterminate sources. This first policy should also inform all employees of their basic duties under GDPR. This first communication should be companywide, and you should take steps to make sure that it is communicated throughout the organization with a sufficient level of importance.

Armstrong suggests a second policy which is much more focused on GDPR compliance; alongside it, robust procedures will need to be created to implement the specific requirements of GDPR. You will need policies on, and procedures around, the new rights created under GDPR. These include the Right to Portability, which is an individual’s “right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.

Armstrong next identified the Subject Access Request (SAR), which allows a person to exercise their right to gain access to data an organization might hold on them. A SAR must be answered within one month of receipt of the request; this may be extended by a maximum of two further months when necessary, taking into account the complexity of the request and the number of requests. Unfortunately for businesses, under GDPR the ability to charge a fee for a SAR has been abolished. Here Armstrong noted there has been a significant rise in the number of SARs being made in recent years – when SARs become free on May 25, he anticipates an even greater rise in requests.

Armstrong noted there are a reported 11 million SARs currently filed in the UK. Think about that number for a minute, as there are about 60 million people in the whole of the UK. This means that fully 1/6 of the country’s population has filed a SAR under the current law. Requesters can be charged £10 by the company to whom the request is made. After May 25 there will be no charge and hence no recoupment of costs by those organizations required to comply with the law. He also cited the example of a UK financial institution which “currently has a delay of nine months in responding to the subject access requests because of the volume of SARS that they have received.” They clearly have not put the resources into complying with the current law, as “nine months isn’t defensible under the existing law, and that will not be defensible under GDPR as well.” He concluded, “companies are going to have to put in place measures to deal with these requests. And now is not the right time to be doing nothing.”

Moreover, there is no prescribed form for a SAR, which means such a request can come into the company through a variety of channels, such as Twitter or even Facebook. An essential part of a company’s future data protection strategy will therefore be putting proper processes in place to deal with SARs. Armstrong’s conclusion on SARs: “Normally most organizations take at least that to look at their databases. Again, because of the need for urgency as a data breach reporting procedure now, the mistake that a lot of corporations make is having that process be too long.”

As a final critical policy and procedure, Armstrong noted that one on data breaches is key. Obviously here in the US, most companies have gone out of their way to hide data breaches. Such conduct will be heavily penalized under GDPR. This means that most US companies will now have to completely revamp their protocols, not only to ensure that data is secure but also to meet the mandatory reporting of data breaches to the appropriate regulator(s) and the communication of breaches to those individuals who are affected. Cordery has noted, “in this context a personal data breach means ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’ Data breaches will have to be reported, under conditions set out in the new rules including what action has been done to mitigate them, to the relevant data protection regulator without delay and, ‘where feasible’, not later than 72 hours after a data controller has become aware of the breach – a reasoned justification must be provided where reporting is not made within the 72-hour period.” A communication of a breach to the persons concerned must also be carried out when the “breach is likely to result in a high risk for the rights and freedoms of individuals”, which must be done without “undue delay” (i.e. no time-limit as such has been set).

Armstrong analogized that for most employees your policy should be “a bit like when you stay at a hotel: there’s a simple plan on the back of the door that basically says raise the alarm, get out of the building. And I think as far as most employees are concerned that’s more or less what you need to tell them, you know, shut down the system if you can minimize loss immediately and it’s safe to do so. Do it, raise the alarm.” However, behind that simple policy there should be a more detailed data breach procedure for the IT department, the information security team and others in your organization assigned to respond to a data breach.

Policies and procedures for third parties with whom you may be contracting are also important under GDPR. Armstrong noted that you should provide such third parties with guidelines on how you want them to sell your product, and you might need to give them some additional materials to help support those sales. For example, if you’ve got a cloud-based solution or something that’s somewhat technical, it’s likely to be a barrier to sales. You should also ask them to perform a Data Protection Impact Assessment for the work they execute for your organization.

I conclude with an inquiry into training. I am a big believer in tailored training which focuses on the risk of each employee and delivers to them an appropriate level of training. Under Foreign Corrupt Practices Act (FCPA) training, for most employees I try to get them to leave the training with two key concepts: (1) do not pay bribes and (2) raise your hand if you have a question or if you see something suspicious. Armstrong agreed that such an approach is also appropriate for GDPR training, particularly ‘raising your hand’. He noted, “I think a lot of the breaches that we see, the reason for the delay is the person was trying to work out what went wrong or work out whether it’s a problem or not. And I’d say just raise your hand if you think that it looks weak, say fishy, if you think it looks unusual. Tell somebody about it immediately, and I think for organizations they should have in place the equivalent of a ‘there are no stupid questions’ culture.”

As May 25 nears, you need to put these policies and procedures in place. Your training should also commence. I hope you continue to join Jonathan Armstrong and myself as we provide a Countdown to GDPR. For a fuller explanation of policies and procedures, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising
