Those businesses who thought that they were too small to bother with data protection have been issued with a timely warning by the Information Commissioner's Office (ICO).

The ICO recently issued a £60,000 monetary penalty notice against a video game rental company which had suffered a cyber-attack. The ICO determined that the company had failed to even take basic steps to protect its customers personal data. Whilst this fine seems quite insignificant when compared with the £400,000 issued to Talk Talk, following a similar attack, the impact for the video game rental company will be far more detrimental given its most recent accounts indicated assets of less than £200,000.

The ICO stated that:

“Regardless of your size…If a company is subject to a cyber-attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher”.

The new General Data Protection Regulation (GDPR) will apply from 25 May 2018 and it will transform data protection for all businesses. So what are the initial steps that all organisations should take to prepare for the GDPR?

Audit & Mapping

Conduct a data mapping exercise and an audit to establish what personal data you currently process. Find out where the data is stored and who has access. Erase any unnecessary or outdated data.

As part of the audit, establish the purpose for which you process the data and the legal basis that you are relying on for processing.


Review all data protection policies and codes of conduct to ensure they comply with the new principles. If these do not exist they should be created as soon as possible.

Review existing supplier arrangements and template contracts to ensure that, in particular, the new direct obligations on data processors are covered.

Review and update existing information notices as GDPR specifies information that must be provided to individuals about their personal data.

Review insurance arrangements and assess whether your organisation needs data protection coverage.


Consider what grounds for processing do you currently rely on. Consent? Performance of a contract? Legitimate interests?

If you rely on consent, consider how you currently obtain consent. Under GDPR it must be unambiguous, active, and relate specifically to the purposes of the processing. You will no longer be able to rely on pre-ticked boxes or bundled consent.

Consider whether there is a requirement to appoint a DPO.


Train all members of staff on the new rules and ensure that any person likely to receive requests from individuals relating to personal data knows how to deal and respond.

Ensure that the relevant people know who to report to in the event of a breach. Review and update internal breach procedures and prepare incident response plans.


Keep paper trails of all data processing activity, including decisions relating to data processing, to demonstrate compliance. Ensure that privacy impact assessments are carried out when required and keep all relevant documentation.