Twelve steps to GDPR nirvana; the final cream crackers!

Paula Veysey Smith • 5 March 2018


The Information Commissioner’s Office (ICO) has published a twelve-step guide to GDPR compliance. We looked at the first six of those steps last week, but, as I said then, it is a bit like trying to eat cream crackers. So, tea at the ready, let’s look at the second six steps and how they relate to the small business.

1. Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. The ICO has published detailed guidance on consent under the GDPR, and you can use its consent checklist to review your practices. Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Consent has to be verifiable, so keep a record of who consented, when, how and to what, and individuals generally have more rights where you rely on consent to process their data. You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative lawful basis to consent.

To me, this is one of the biggest GDPR impacts and I would urge you all to start looking at this area now.

2. Children

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
There are specific rules that give special protection to children’s personal data, and if you believe that this area of compliance will affect your business, please seek further ICO guidance.

3. Data Breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Under the GDPR this duty applies to every organisation that holds personal data, not just larger corporations: a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of becoming aware of it, and where the breach is likely to result in a high risk to individuals they must be told without undue delay. Larger corporations will feel the impact most, but the principle is that people whose personal data has been affected will know promptly rather than, as so often before, never; this can only be a good thing.

For smaller entities I believe that we should act by looking at how we hold our data and what risks there are. I have an announcement to make next week about how M:Power has acted to properly secure the personal data it holds, as I have already reviewed this step to ensure that your data is as safe as it can be.

4. Data Protection Impact Assessment

It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances. If you feel that a DPIA may be mandatory in your case, please consult the ICO guidance.

It is good for all small businesses to carry out an assessment and document it. The assessment will identify the most effective way to comply with GDPR obligations and also meet individuals’ expectations of privacy, and the DPIA is an integral part of taking a privacy by design approach. Although this may sound slightly scary, it should not take too long for you to complete a DPIA, and it will show whether you have any areas of high risk or in need of improvement.

Nearly there – just two more crackers to go . . .

5. Data Protection Officers

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. A formally appointed Data Protection Officer is only mandatory in certain cases (for example, public authorities or organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data), but someone still needs to own compliance. In most small businesses that will be you!

6. International

If you operate in more than one EU member state, you will need to determine your lead supervisory authority and document this. For most small businesses in the UK this authority will be the ICO, but if you have a more complicated structure with establishments outside the UK then, again, I would advise you to review the ICO guidance for this area.

So, time for that glug of tea as we are now done. All entities in the UK that hold personal data in whatever form are legally required to comply with the GDPR requirements. As I said right at the beginning, those of us who were already working under the DPA are potentially most of the way there, but it is vital that you consider these twelve steps and act on them now to ensure your compliance. I believe that, with careful consideration, this will not become just another administrative burden, and the quicker you act the easier it will be to ensure that you are compliant by 25 May 2018; that is the way to achieve GDPR nirvana.
