Terry McAdam highlights the key points to be noted by companies which are required to comply with the general data protection regulation.

The GDPR deadline has come and gone and companies' compliance is an on-going project. The purpose of the regulation is to strengthen and harmonise data protection for all individuals within the EU and the reforms have fundamentally changed the way organisations collect, store, share and process the personal information of customers, service users, clients and employees.

RSM’s management consulting partner, Terry McAdam continues to guide organisations through the successful design and execution of multi-phase GDPR compliance projects and will be continuing to give his advice at events over the coming months.

Here, Terry highlights six key points that organisations need to consider when embarking on the road to compliance.   



Most organisations struggle when it comes to launching their GDPR compliance project. At RSM, we advise our clients to undertake a GDPR Readiness Assessment. This short project focuses on reviewing the policies, procedures and practices which guide how you manage personal data and the technology, processes and staff involved in the delivery of the relevant activities. Depending on the scale of your operations and the extent of the personal data you manage, this gap analysis may require one to 20 days of input but it will help you identify the areas needing attention in relation to GDPR. 



The issues emerging from the Readiness Assessment will allow you to create two key documents which will guide your organisation on its compliance journey – a compliance plan and a GDPR risk register. The first phase of your compliance plan should focus on addressing those findings you consider to pose a higher risk to your entity. A secondary phase of work can seek to further boost compliance levels.



To manage the personal data and sensitive personal data you hold effectively, you must know the data. Creating and maintaining an information asset register will help you understand the relevant data you possess and process. When considering each data-related process, the register will allow you to record the type of personal data you hold, where it is stored, how long you plan to retain it, why you hold it, the legal basis on which you rely for doing so etc. Hence, the register will become a key reference document within your organisation.



GDPR will require you to revisit many of the policies which form the foundation to your data protection environment. These will include your data protection and your data retention policies. Updating the latter may pave the way to reducing the volume (and associated cost) of the personal data you manage whilst remaining true to your legal obligations to hold data. Bear in mind, that GDPR may also necessitate changes to your Employee Handbook and some ICT policy documents.



You will need to update your data privacy statements to communicate how you acquire, process, share and retain data. It is also important to declare where this data is held and on what legal basis you hold the data (consent/contractual). Consent will need to be actively provided by informed individuals. These consumers, service users or employees will also need to be advised as to how they can access information regarding their data held by your organisation. Thus, your data privacy text will need to be clearly set out within your web content, key customer-facing forms, employment contracts and within your buildings (if you operate CCTV). Internal awareness sessions are also critical in making staff aware of the changes brought about by the GDPR and the new or updated policies and processes your organisation has created in response.



Every organisation will need to develop a robust process to assess and respond to Subject Access Requests (SARs), submitted by a data subject, within 30 days. You must provide full details of the data you hold around the individual (including any images) with limited exceptions. They may subsequently ask you to erase this personal data. If they do, you must be able to action their instruction without undue delay. Likewise, you will periodically be presented with possible data breaches within your organisation. Hence, you must build an effective, efficient and well-governed process to support the notification, evaluation and communication of such potential breaches. GDPR requires organisations to report actual breaches to the Office of the Data Protection Commissioner within 72 hours of the breach occurring and you may also be required to report the breach to the individuals impacted.


*As seen in the Sunday Business Post, 18th March, 2018