In our last post, we covered the basics of the General Data Protection Regulation, due to come into effect in May 2018. In this post we’ve scoured the minefield of information out there to look at the legislation in more depth, providing a list of things to consider for you to get your business on the road to compliance.

Understand the basics

It might seem like we’re stating the obvious, but the first step is knowing the who, what, why and when of the GDPR, and ensuring that everyone who will be affected by this is aware of this. Read last week’s blog post which simplifies the jargon to help you understand the fundamental principles of the GDPR.

Audit your data

Before you can think about changing processes for the future you need to see what data you already hold, how it is stored and processed, who has access to this data, and who it is shared with.  Mapping the flow of data in your organisation can help you evaluate your current policies and highlight what changes are required for you to be fully GDPR compliant. It will also help you to identify who are the data processors and the data controllers within the organisation, enabling each to clarify their responsibilities in relation to data protection. If any of the data you hold and process is classed as “sensitive”, there are additional protection rules to be aware of.

Sensitive data includes:

  • Genetic data
  • Ethnic origin
  • Religious beliefs
  • Biometric data
  • Political beliefs
  • Sexual orientation
  • Health information
  • Trade Union membership

Audit current policies

As with your data audit, this is also a great time to audit your policies too. Privacy notices online, and data protection policies will need to be updated to include the additional areas covered by the GDPR. Generally speaking, the new legislation just requires you to make all your policies regarding data to be crystal clear to the individual.


  • Identifying your organisations’ lawful basis for processing personal data.
  • Review how you gain, record and manage consent. For more detailed guidance on consent from the ICO click here
  • If you collect and process any data relating to children, consider whether you need age verification policies or parental/guidance consent policies in place

This policy audit will help you identify any training needs too.

Subject Access Requests

If you don’t already have a formal procedure on how to handle subject access requests (SAR), then now is the time to create one. In most cases you will not be able to charge for such requests, and the timeframe to respond has been reduced from 40 days to 30 days. If a request is excessive or unfounded you may charge for this, or refuse to comply, though in case of refusal, within a month you must provide a reason why, and notify the subject of their right to complain to the supervisory authority.

Data Breaches

The GDPR imposes a duty on organisations to report certain types of data breaches to the ICO, and in certain cases, to individuals. Reporting to the ICO is required if the individuals’ freedom is compromised, if they are at threat of discrimination, or any other financial or social disadvantage. Such scenarios would also require the breach to be reported to the individual too. Failure to report such breaches could result in extra fines in addition to the fine for the breach itself, so it is important to develop a data breach management process.

Privacy by Design

This principle is set out as a formal requirement within the GDPR, and requires a Data Impact Privacy Impact Assessment (DPIA) to be carried out in certain situations, where there is a high risk of privacy becoming compromised. For example, when implementing new technology, or introducing a new database. The ICO’s code of practice for carrying out DPIA’s can be found here.

Data Protection Officers

It’s a good idea to designate a person within your organisation to take responsibility for the data protection policies and practices, however this doesn’t need to be a formal Data Protection Officer (DPO) job title unless your organisation is:

  • A public body (except courts)
  • Carries out large scale specialised data processing, such as health or criminal records
  • Carries out regular large scale monitoring of individuals

International Organisations

If operating in more than one EU member state, an organisation must establish and document the lead data protection supervisory body to report breaches to. This will usually be in the same location as where most data processing activity decisions are made.

KMB Shipping has 30 years’ experience in delivering our full range of shipping services to over 70 different countries, to a growing international client list. As members of BIFA, we offer a flexible and fully tailored service, managing the whole shipping process for you from initial phone call to safe delivery, including export packing services. Contact our professional, friendly and highly experienced team today to discuss how we can accommodate your shipping requirements.