A processor is any person, agency or company that does something with personal data for a data controller – – another party. The controller is the ‘data owner’ – they instruct the processor to do something with that data. Us, as a marketing agency, act both as a processor – for our clients’ data (that we hold or do something with for them) and as a controller – for our employees’ data (payroll and contact information). The starting point is to understand the legislation and to seek relevant legal guidance and advice, which is something that we’ve done. We’ve worked on a GDPR project to understand our responsibilities as a data processor. The other key aspect is to take advice and direction from the data controller – – who ultimately determines what they want you to do with their data as a processor – and act on that. Having clarity as far as agreements and contracts in place that determine this is really important also. It starts with a data audit. Understanding and reviewing the data that you hold in the systems that you manage and maintain, what that data is, how personal it is – – and drawing up an action plan for how you need to approach that for each of the data controllers. Staff training is also really important. That’s workshops, policies, processes so staff understand their responsibilities and how they can ultimately impact and affect this – – and how GDPR is going to affect the work they do on a day-to-day basis. From a data controller perspective, what you’re also then able to draw up are policies & processes that help to ensure that what they’re doing is lawful – – some of which refers to ‘lawful consent’ – a vital starting point when it comes to GDPR. Future-proofing comes from placing privacy and security of personal data at the heart of everything you do. For example, running privacy assessments and impact assessments at the start of projects, to make sure you identify any needs around personal data. What you’re able to then do is plan and prepare for that right at the beginning – – the worst thing you can do is try to retrospectively ‘fit in’ something to do with security or privacy around personal data when you get to the end. So the more you can hit that at the beginning and start to implement ‘privacy by design’ via training and workshops within the relevant areas of your business, that will be a big step towards future-proofing anything you do. Reassurance comes from a consistent message regarding the importance of this legislation and how much impact it can have on any business. It’s quite dangerous for companies to feel as though it’s not important or relevant to them – – ultimately it’s relevant to everyone and the whole aspect of a business. We’ve been really consistent with our approach to upskill our staff. This is fed by our commitment to become ISO 27001 Certified and ensure that – as a company – – we’re taking GDPR as seriously as we should and that this message is translated to our clients.