How to prepare for GDPR

  • To understand what GDPR is.
  • To learn what processes firms will need to put in place.
  • To understand how the regulation can benefit a firm.

Accountability and governance

Under GDPR, the significance of accountability and governance principles will be elevated. Companies will be responsible for how they collect, store and use personal data, including having in place data protection policies and impact assessments, in addition to having relevant documents on how data is processed.

To demonstrate that they have complied with these principles, firms should take the first step of communicating these new policies and systems to staff through comprehensive training in business practices, protocols and internal procedures.

Companies will also be responsible for reporting personal data breaches to the Information Commissioner’s Office (ICO). In recent years, high-profile household names across multiple sectors, including banking, telecoms, professional services, leisure and retail, have put their employees and customers at risk with pertinent information, including names, addresses and personal credentials, stolen in a security breach.

Under GDPR, a data breach is more than just losing a customer’s personal data.  It is defined as the “destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. Notification of breaches become mandatory in cases where the breach is likely to “result in a risk for the rights and freedoms of individuals”.

Article 33 states this should be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

As companies will now be responsible for data security, all stored data should be reviewed for obsolete and duplicated information. Businesses should also be proactive by preparing a contingency plan for a possible data breach and continuously review organisational practices to not find themselves implicated for being non-compliant.

According to consultancy KPMG’s Government’s Cyber Governance Health Check 2017, over two thirds (68 per cent) of FTSE 350 boards have not received any training to deal with a cyber incident, showing just how unprepared many of the world’s largest firms currently are for a deadline that is quickly approaching.

Additionally, Article 37 discusses the designation of a data protection officer in the case where companies have "regular and systematic monitoring" of individuals at a large scale or process a lot of sensitive personal data. To manage this requirement, a third-party system should be considered for those firms who do not have the resources to introduce a compliance or data officer role.


The conditions for consent have been strengthened, and under Article 7, consent should be “clear and distinguishable from other matters and provided in an intelligible and easily accessible form”, and there ought be some form of clear ‘affirmative action’, meaning an opt-in rather than an opt-out. If your business relies on individuals’ consent to process their data, now is the time to begin securing their approval and to validate that you have received it prior to GDPR coming into force. 


Please answer the six multiple choice questions below in order to bank your CPD. Multiple attempts are available until all questions are correctly answered.

  1. How does Mr Cooper describe the changes that GDPR will bring?

  2. What does Mr Cooper say GDPR will be broader than in terms of scope?

  3. According to Mr Cooper, what do many people mistakenly believe about GDPR?

  4. What does Mr Cooper say all stored data should be?

  5. Individuals have a right to what, according to Mr Cooper?

  6. Mr Cooper says the strict guidelines around data security will reduce risks by making businesses less vulnerable to security threats, data loss and breaches. True or false?

Nearly There…

You have successfully answered all the questions correctly, well done!

You should now know…

  • To understand what GDPR is.
  • To learn what processes firms will need to put in place.
  • To understand how the regulation can benefit a firm.

I completed this CPD in

To bank your CPD please complete the form below.

Were the stated learning objectives met?

Why weren't they met?

What did you learn from undertaking this CPD exercise?

Why did you undertake this piece of learning?


Congratulations, you have successfully completed and banked this piece of CPD

Already Banked!

You have already banked for this article.

To bank your CPD you must or


One or more questions have been incorrectly answered,
 please review your answers and try again.

Please complete all the above text fields to bank your CPD.

More Investments CPDSee my completed CPDSee all CPD