You do not talk about GDPR…

The second rule of GDPR is: you DO NOT talk about GDPR.

If this is the general attitude in your organisation, time is running out.  GDPR was adopted on 27th April 2016 and will take effect on 25th May 2018.  Your organisation is expected to be ready by this time.

At first glance, and as summarised by the UK ICO’s 12 steps to take now guidance (recently updated), the tasks don’t seem onerous and most you should already be doing under the Data Protection Act.  However, dig a little deeper for your organisation and you may find that there is a little more to be done than it at first appears.

Taking aside the fact that there are over 50 derogations (areas where member countries can ‘tweak’ the regulation to their own ends) which haven’t been mooted yet by the UK Government – the Data Protection Bill as referred to in the Queen’s speech hasn’t been published to far – there are still things that you can do and must do.  The expectation is that you will be doing these things by 25th May 2018, not starting them then.

Second on the ICO’s list is a review of the information you hold.  For organisations with over 250 employees, or where personal or special categories of data are processed as a core part of the business operations and on a large scale, this is a requirement in law.  This relates to the Article 30 requirement to keep records of processing relating to the personal data and includes the requirement to record (for all information assets):

  • Name and contact details of the controller, the joint controller, the controllers representative and the data protection officer – note these may be varied and different depending on who processes your information on your behalf (such as data warehouse suppliers)
  • the purposes of the processing
  • the categories of recipients with whom you might share the data, or with whom you might disclose data
  • transfers to a third country (outside the EEA or a country with ‘equivalence’)
  • time limits for erasure of the data (data retention)
  • a general description of the organisational and technical security controls available

Even if you don’t need to hold this register as dictated by the regulation, I would argue that you can’t actually fully answer most of the other questions posed in those remaining 11 steps until you have a good grasp of the information assets (or data assets) you are processing.  Each asset will have a different purpose, lawful basis and require a differing approach to consent, retention etc and therefore by collating the right detail about your assets you can progress to manage the remaining requirements of the GDPR, and those steps outlined in the ICO guidance.

Doing this core work first will make life much easier for taking the other steps required.  You will be unsurprised to learn that the Flowz product not only allows you to record and report all the necessary information required by Article 30, but also allows you to assign ownership to key staff in the organisation, giving them a register of their own assets to manage and report on.  Also, it will help you with the first step, that of raising awareness throughout the organisation and at management and board level.

Go to our site at for more information.


David Birkinshaw

21st July 2017

David Birkinshaw is a privacy professional with over 10 years experience in Data Protection and Information Governance, primarily in the health arena.  You can contact him at, or email us for general enquiries at