Cohesion Digital 6 Steps for a GDPR Discovery Road Map

Go back

Step 1 Discover and identify: 

  • Find all personal data records – both on and offline
  • Where data is stored, detailed inventory (good CRM system helps!)
  • Volume and variety of data stored
  • How personal data is used, accessed and is it held safely

Step 2 GDPR Policy and Procedures review:

  • Privacy rights
  • Data storage
  • Data deletion
  • Right to request data
  • Right to be forgotten
  • Data for minors
  • Transferring portable data
  • Obtaining and managing consent
  • Handling requests for data exchange
  • Managing data change requests
  • Action Change requests within 30 days
  • Reporting and storing data breaches
  • Storing records: where and how long
  • Length of time records stored
  • Detail why records are stored for any length of time
  • Name designated Data Protection Officers (DPO) / data handler

Step 3 Action & Security controls

  • Manage Data information requests within compulsory 30 day time frame
  • Set up robust security controls to detect data breaches
  • Establish processes to respond and report data breaches
  • Detect, report and investigate breaches and keep records
  • Children’s data processing: Verify ages and gain individual consent from guardians

Step 4 Awareness & Training

  • Raising awareness for internal staff and external contacts
  • Introduction and ongoing training for all members staff
  • Training and communicating with staff

Step 5 Communicating & Communications

  • Clear and transparent communication policies for staff and service users
  • Detail how personal data is held, managed & used
  • Develop a staged timing plan to ensure no-one is missed out

Step 6 Obtaining Data & Consent

Last but not least obtaining data and consent is an earth shattering change for organisations as it impacts how we communicate and market the business. The opt-out option is no longer an option. Instead you must use double opt-in principle and with no conditions of service attached.

How to obtain consent:

Consent must be Must not be
√ Clear statement and affirmative action ×     Pre-ticked boxes
√  Freely given ×     Not condition of receiving service
√  Fairly processed ×     Confusing language
√  Easy to withdraw  


Incorporating the 6 steps into your policies, project management and data activity you will hit every milestone on the road to GDPR compliance in Spring 2018.

Last but not least you must manage GDPR Accountability

This is when it becomes even more complicated. Under GDPR each organisation is held accountable for data management. What’s more, you are expected to be self-regulating. The burden of proof to prove you are following the directive lies with your company’s Data Handler not with the external auditors.

Under the banner of accountability, the roles and responsibilities for handling staff and client data should be managed by a ‘named’ person.

The accountable person must have in-depth GDPR knowledge, provide support to staff and policy makers and hold the authority to make relevant decisions.  There’s 3 options to consider for managing accountability:

  1. Data Protection Officer: a leadership role to oversee all GDPR strategy and accountability for organisations regularly handling large volumes and varieties of data.
  2. Data Handler: named person overseeing and integrating GDPR into projects and policies
  3. External company – contract out the role to a designated company (ideal for smaller businesses)

As always, there’s exceptions to the rule. You have no option but to appoint a DPO if you are a:

  • Public authority (except courts acting under judicial authority)
  • Managing data on a large scale regularly
  • Managing specialist or sensitive data on a large scale such as health or criminal convictions

What now

As a digital agency handling data every day we can’t stress enough how important getting GDPR right first time is for your organisation and above all for anyone you hold personal data records on.

Talk to a legal expert as soon as possible.  If time is against you and the experts are busy talking to your competitors you face costly penalties and risk damage to your reputation.

Get in touch

To carry out your organisations data mapping exercise or discuss GDPR requirements contact Alistair Macneil today on 0141 249 0641 or

If you looking for legal advice to update privacy and data policies get in touch with the experts at MacDonald Hendersons

lets create something great

Get in touch and send some basic info for a quick quote.

Start Your Project

cohesion Events

Invite only eCommerce events in in Leeds, Manchester, Liverpool London, Glasgow

Register for an invite