Twelve Steps to GDPR nirvana… the first six cream crackers!

Paula Veysey Smith • 26 February 2018

Twelve Steps to GDPR nirvana… the first six cream crackers!

Last week we looked at a general introduction to GDPR – if you missed that article please do go and look on our website where that, and all my weekly newsletters, are published. This time around we shall actually get stuck in so go get a cuppa tea – you’re going to need it!

The Information Commissioner’s Office (ICO) have published a twelve-step guide for compliance; let’s look at six of those steps and how they relate to the small business – I’d do more but it’s a bit like trying to eat 12 cream crackers at one time!!!

1. Awareness

You need to know that the law is changing to the GDPR. Many of us are already compliant under the Data Protection Act (DPA) so what we need to do is assess the impact that the new regulations will have on our organisations and what we need to do to become compliant.

2. What information do you hold?

You should document what personal data you hold, where it came from and who you share it with. You may need to undertake an information audit. This can be quite a simple task but you really need to take a couple of hours to review the information you hold. Doing this will enable you to comply to the GDPR’s accountability principle, which requires that organisations demonstrate that they have written data protection policies.

3. Communication Privacy information

When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This can be done through a privacy notice or, for many small companies, at the time you collect the data. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.

4. Individuals Rights

On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted.

5. Subject Access Requests

So, if you are contacted by a client of whom you hold data you need a policy on how you will handle such a request. Again, this is not difficult but in that morning you take out to contemplate GDPR make writing a Subject Access Request Policy one of your goals.

6. Lawful Basis for Processing Personal Data

You will also have to explain your lawful basis for processing personal data when you answer a subject access request. The lawful bases in the GDPR are broadly the same as the conditions for processing in the DPA. It should be possible to review the types of processing activities you carry out and to identify your lawful basis for doing so. You should document your lawful bases in order to comply with the GDPR’s accountability requirements.

…so, with six cream crackers in our mouth I think we’re about dried out! Go have a sip of your tea! We still have consent, breaches and protection of children to go through!

I hope that this blog, dry as it is, does give you some positive pointers about the new GDPR. I honestly believe that it is not as bad as it sounds and with some planning every small business can easily achieve compliance.

Next week we will look at the next six steps and what you can do to reach that GDPR nirvana.

by Paula Veysey-Smith 8 July 2026
The finish line isn't just a destination. It's proof of everything you put in to get there. “Nothing feels so good as when you've succeeded at something you set out to do.” We made it. Seven letters, seven posts, and one very important journey. If you've been following this series from the beginning, you'll know that back in January we started with a goal — a triathlon in July. And as I write this, sitting in the garden with an iced coffee and a medal around my neck, I can tell you: it happened.  R is for Reward. And it might just be my favourite letter of the lot.
by Paula Veysey-Smith 8 July 2026
Setting a goal is just the beginning. What keeps it alive — and keeps you moving towards it — is what you do in between. “Evaluating what you're doing is so important. What worked, what didn't, what can I do better?” We're six letters into the SMARTER framework now. We've covered Specific, Measurable, Achievable, Relevant and Time-bound. Today we reach E for Evaluate — and I'll be honest with you, I think this might be the most important letter of the lot.
by Paula Veysey-Smith 26 June 2026
A goal without a deadline is just a wish with good intentions. Here's why putting a date on it changes everything. “Having that end date is something that gives you the enthusiasm, the commitment, and the motivation to continue.” We're now on T in the SMARTER Goals series - and this one is beautifully simple. T stands for Time-Bound, or Targets. It means giving your goal an end date.
by Paula Veysey-Smith 26 June 2026
Short-term goals are more powerful when they're built towards something bigger. Here’s why relevance is what keeps you going when motivation dips. “Goals that are shorter term in nature, but built to a bigger vision, are the most motivating that you can get” So far in this series we've looked at S for Specific, M for Measurable, and A for Achievable. Now we come to R for Relevant -- and this one is about making sure your goals are connected to something that genuinely matters to you.
More posts