Skip to the main content

0344 863 8000
Sign up for our Newsletter
Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon

Getting your documents and data under control is key to GDPR success

Getting your documents and data under control is key to GDPR success

GDPR – a definition

“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

GDPR – what does this mean for you?

But you don’t need to become a legal expert overnight to start making a difference. Simple guidelines are available from the ICO and summarised below. And you can make a start by getting the right tools and approaches in place to improve how you handle data that can reduce costs and improve productivity as well as ensure compliance.

There’s great advice and resources available on the Information Commissioner’s website with 12 steps highlighted below:

 1.    Awareness

Make sure key decision makers in your organisation know about the changes to the law around data protection, and appreciate the impact on the organisation.

2.    Information you hold

Document the personal data you hold. An information audit is an ideal approach.

3.    Communicate privacy information

Review and change your privacy notifications ready for GDPR implementation

4.    Individual’s rights

Check procedures. For example, how would you go about deleting personal data?

5.    Subject access requests

Requirements are changing; review procedures to ensure you meet them

6.    Processing personal data

Look at how you process data, its legal basis and how you document this

7.    Consent

You need to review how you are seeking and recording consent to reflect the changes in regulations

8.    Children

How will you verify ages and gather parental or guardian consent for data processing?

9.    Data breaches

Ensure you can detect, report and investigate a personal data breach. 

10. Privacy access assessments

Check out you will apply the ICO guidance to your organisation 

11. Designated Data Protection Officers

Appoint someone to take responsibility and manage governance

12. International

If you operate outside the UK, check out which supervisory authority you come under

Find the full information on 12 steps to take now for GDPR from ICO online:

 Getting GDPR preparation under control

Understanding and controlling the documents and data held within your organisation is a key requirement. Since your organisation has been gathering and storing data since it began - whether this is job applications, sales enquiries, contracts or student records - a first step is to put tools in place that can quickly analyse large batches of documents. Automatically locating personally identifiable information and classifying it into groupings is far more efficient than manual, paper-based alternatives.

Neil Maude, general manager at Arena Group, explains: “You can start applying automated tools to new documents as they are created within your organisation or arrive in your mailroom, or retrospectively whatever the size of your archive or working file systems. This is the first step to get control of your existing body of information, however it’s currently stored. This can be an efficient way of taking control of your processes and getting a handle on the risks around the data you are already holding.”

One key test for compliance under the new regulations will be how an organisation can ensure every individual’s “right to be forgotten” obligation is enforced, since this is much more onerous under GDPR. Any organisation may be requested to delete all information related to a particular individual. This may be relatively easy within a specialist software application such as a customer relationship management (CRM) system or enterprise resource planning (ERP) business process management software that currently manages some of your back office functions. However, this will be highly labour intensive, time-consuming or near impossible with unstructured data and documents that are typically found in every organisation.


For example:

Paper documents

These would need to be located and potentially checked by eye whether they relate to employee records, applications, correspondence, financial transactions or general filing.


These would be searchable, but run the risk of personal folders and the scope of the search being insufficient. Also email attachments would not be found in the email system text search – especially attachments which are scanned images rather than electronic documents. 


General file areas are difficult to search. They require a slow one-time search or an expensive indexing process. Also, there is the issue of scanned information which does not appear in the text index, and of omitting an individual’s personal stores of data and documents on local drives.

Effective tools, such as Arena’s mstore software, enable the scanning and storage of documents and data that transform processes into easy to manage and compliant ways of working.

Similarly, changes to GDPR mean that the gathering and recording of consent to use personal contact details, presents new challenges. It will no longer be sufficient to give options to opt out of using personal contact data as is the current common practice. An organisation must ensure that consent for use of personal data is freely given, specific, fully informed and revocable.

In order to continue day-to-day operations, an organisation should be able to collect personal contact details whilst remaining compliant with the requirements of GDPR.  Arena’s mstore software offers the opportunity to ensure that current data can continue to be used after the May 2018 GDPR deadline, cleansing current databases so that data can continue to be used for specific purposes.

The ability to record that consent has been given for a specific purpose is also imperative. For example, when a business card is shared at a meeting or trade show, the issue is to confirm and record what consent is and is not being given and for this system to be auditable so consent is proven.

Act Now!

The key message is to start acting now to avoid hitting the May 2018 deadline without the right things in place to ensure compliance. “It is essential to start planning your approach to GDPR compliance as early as you can and to gain ‘buy in’ from key people in your organisation. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions…. This could have significant budgetary, IT, personnel, governance and communications implications.” ICO


Changing basic ways of working is no longer the preserve of forward-looking organisations looking to adapt processes and working methods to create an edge, reduce costs or increase productivity. Since no organisation is immune to the data protection regulations and the fines for non-compliance are significant, GDPR is a driver for change and investment for every organisation. Introduction of any new technology should also be done with data protection considerations from the outset, so it’s also important to work with a technology partner that is informed, since failing to do so would also constitute a breach of regulations.

However, the imposition of legal enforcement is balanced by the benefits the organisation can realise more widely from making information and data more accessible and efficient to work with. Now is the golden opportunity for ever organisation to become leaner with their work flows, but with how data is being used and managed coming sharply into focus, the need to strengthen defences and protect from costly fines and crisis management to close the gap.

To find out more on how Arena are helping organisations prepare for GDPR, speak to your account manager or contact


Expert News | Blog

View all news

© 2017 Arena Group Ltd | Cookies & Privacy | Terms of use | Web design by eskimosoup | Accessibility

The Arena Group comprises: Arena Group Holdings Limited, a company registered in England and Wales (with registered company number 03735943 and VAT number 734562528) and its subsidiary company: Arena Group Limited a company registered in England and Wales (with registered company number 02168309 and VAT number 458238033). The Registered office of all Arena Group companies is Armitage House, Thorpe Lower Lane, Robin Hood, Wakefield, WF3 3BQ. Authorised and regulated by the Financial Conduct Authority for credit-related regulated activities.