Fiona Boswell

Director and Solicitor, Head of Franchising and Commercial Services


The top 10 GDPR questions that organisations should be asking

Fiona Boswell

New General Data Protection Regulation (GDPR) laws will come into effect on May 25th 2018.

In order to prepare, organisations need to understand exactly how they will be impacted, extending beyond their external communications and admin procedures.

 Customers, parents, patients and employees are just some examples of who can request to see the information businesses hold on them. The way that data is stored and used comes into question, as does the level of consent and how appropriate it is in nature. Not to mention the ability to keep this information safe.

At Fraser Brown, we run free workshops with DataBasix to help businesses address the many questions businesses might have, particularly in an increasingly competitive and data-hungry market place.

Here are some important questions that businesses should be asking themselves: 

1.    How GDPR aware is our organisation?

It is important to have a good understanding of GDPR, and this starts at the top. Are the key people in your organisation aware of the transitions necessary to ensure good GDPR practice? Raising awareness is an important first step, as what follows will affect much of the day-to-day processes of your organisation.

2.    How well is our data stored?

Is the data you store on individuals compliant with GDPR principles? Where do you keep it? Can you demonstrate informed consent? It will soon become a requirement to know exactly where to reach for such data. We recommend you organise an information audit.

3.    Have we considered the rights of individuals?

Revisit the procedures you have in place to ensure that they fall in line with the rights that individuals will soon have over their data. Really consider why you are holding onto that information, and implement clear measures to ensure that data can be erased when no longer appropriate. This is something that the GDPR speaks on explicitly.

4.   How will we handle subject access requests?

Individuals will be able to request the information an organisation has held on them. This can extend to employees, customers, patients, and just about anyone that believes you have stored any of their personal data.

Organisations must be capable of providing this information, and have evidence that they are competent in following good GDPR practice.

This can range from medical records and CV’s, right down to mentions in emails. It is important businesses understand what is meant by “personal data”, as individuals will soon have the right to request for their information to be erased.

Do we have a legal basis for processing this data?

You need to ensure that you have a legal basis for holding and documenting information. To understand exactly what this broad topic entails, it is best to seek advice.

6.    Have we looked at our privacy notices lately?

GDPR is all about transparency. Review your current privacy notices, they may need amending in time for GDPR.

Can we evidence consent to hold this data?

You will need to ensure that those who are providing you with their personal data know exactly what your use for this would be. Any discrepancies could mean that you are not being GDPR compliant, and could result in penalties.

8.   What about information that concerns children?

You may need to verify the age of the individual that you are holding information on. Will you need parental consent or consent from a guardian to process this data? These are all very sizable concerns.

9.    What about data breaches?

You need to know how to take appropriate action when handling data breaches. There are a number of steps that you can take as a business to minimize potential damages, be that through prevention strategies or through knowing how best to respond to threats or incidences. If you fail to follow GDPR protocols, then this too can be a punitive offence. 

Assess the potential impact data breaches can have on your business. This will be a useful exercise that will aid you in coming up with strategies to combat each eventuality.

10.  What is required of a Data Protection Officer?

Some organisations will need to appoint a data protection officer. Their role is to be accountable for data protection compliance, and to be able to demonstrate that the company has relevant and well thought-out infrastructure in place.

We offer workshops alongside DataBasix UK to help you generate a personalised 3 month plan to get you up to speed. You can register here:

For more enquiries about GDPR, or other commercial law queries, please contact Fiona at Alternatively, for more information about our workshops, please contact Hayley at




Sitemap | Ask a question | Careers | Accessibility | Terms of Use | How we handle your data

© 2020 Fraser Brown Solicitors. Authorised and regulated by the Solicitors Regulation Authority.
SRA Number: 0048586   |SRA |  VAT Number: 116 4751 78

Fraser Brown is a partnership of limited companies. Any references to partners in any document should be taken as being references to the directors of the limited companies and not to individual partners of the firm.