GDPR Assessment as Case Study


In early 2017 I was approached to look at; what was needed to be done by a Small Business to comply with the upcoming introduction of the General Data Protection Regulation (GDPR). In the UK the GDPR is handle by the Information Commission’s Office, (the Goverment website can be found at

BREXIT: There are many articles on the GDPR, however my summary of all of them: “After Brexit Businesses will still need to comply”.

The Small Business had a large number of volenteers and a small number of employees.

Approach Taken

From my agile background, I decided to focus on “Individuals and Interations” over the process and tools to achieve this. To use these interactions to raise awareness and gain accept for processes to be recommended. Some would say, I looked to take the client on a journey with me.

  • Discuss informally with individuals the current level of understanding and expectations of the GDPR
  • Carry out an GDPR assessment
  • Recommend “Lawful Basis” on what data should be held and gained Chairman’s approval to proceed
  • Prepared deliverable to allow Company to implement GDPR
    • Prepare a GDPR action plan,
    • Prepare a list of recommendations
    • Prepare a GDPR Privacy Statement
  • Provide client with deliverables above prior to a Board Meeting to accept
  • Make self available to Board members informally to discuss deliverables
  • Communication recommended actions at Company Board

What was done

I had open social conversations with people in the business, particularly the volenteers, and from this identified the online and offline data containing personal information. This I found more useful than the initial formal meeting; where the one I had was constrainted by people saying the right thing.

An GDPR assessment was carried out using recommendation and resource from the Information Commission’s Office. After looking at other sites and doing some online courses I realised these were all reworkings of this into the specific domain space of the presentor.

The basic focus taken; was to identify on the Lawful Basis on which data was being held, by carrying out the assessment. This is essential to understand what needs to be done and more importantly cannot be done with an individuals data.

Once the Lawful Basis using the interactive tool had been asserted and assessment had been carried out a list of recommendations and a Privacy Statement was created.

The full ICO’s Online Assessment can be found at

What was found

Unexpected items were found. Most of this related to the Volentary nature of the Business. These areas needed a clearer seperation by the Business in the minds of those responsible. Particularly, areas such as Facebook, Twitter and other online presenses; which had grown up over decades. Here an inability to differenciate between official, used as official and unofficial accounts presense needed to be made.

What was delivered

The deliverables were:-

  • Assessment
  • Action Plan
  • Privacy Statement
  • Presentation at a Board Meeting

The action plan gave a list of immediate action positive measurable outcomes eg,, Privacy Statement on Websites, sanitising information and informal training on what can and cannot be done with data. These all had to be simple and clear so that volenteers could carry them out. Volenteers need to understand why they are carry out actions to comply with the GDPR.

Reminder List

  • Do you have a current GDPR assessment available?
  • Do you have a GDPR assessment review process in place?
  • Do you clearly understand the legal basis on which you hold and process data?
  • Do you have a current Privacy Statement?
  • Are staff and/or volenteers aware of the importance of GDPR and possible penalties for non complience?.
  • Are staff aware of what they need to do, specifically in terms of emails and sharing personal data (classically using CC instead of BCC when sending an email)?
  • Are staff and/or volenteers aware of what to do in the event of a break of privacy?