08 January 2018

Monday Musing: Out with the old in with the new

With New Year resolutions being bandied about, we spoke to our Information Manager about how, over the next five months, our new year’s resolution is to prepare for the General Data Protection Regulation (GDPR).

        1. Is there a plan in place?

The BPA have a plan which is based upon the ICO’s 12 steps. We are already compliant with the Data Protection Act (DPA) so we are confident that what we have in place is robust – however there is always room for improvement.

        2. What has been your focus recently?

Part of the 12 step plan is to clean up data and, although GDPR relates specifically to personal data, we are taking this opportunity to clean up all of our data.

Our recent office move was an excellent opportunity to have a spring clean of our paper documents and now we are maintaining that momentum and cleaning up all electronic data.

The bulk of the data we hold is in our membership databases. Data can be extracted for operational reasons, so we are working to evaluate data that has been extracted and saved.

People often use spreadsheets to interpret data and so we are checking that they are being stored and retained only if necessary.

As well as this clean-up we are also ensuring our ongoing retention is in line with the reviewed retention policy, to prevent a need for ongoing spring cleans. Part of this process has been to update staff on the implications and requirements of GDPR and to inform them of new processes where necessary. This has been very productive and staff have been helpful in raising future scenarios that need to be considered.

        3. How have you decided what to retain and what not to retain?

Having a retention policy is very important but it can be a complex and lengthy process to determine what is important to retain for your organisation.

For example, removing data too early can cause operational issues, whilst keeping data for too long may open an organisation up to issues by not correctly following GDPR legislation.  We are therefore looking at our operational processes to ensure we make the right decisions.

Some organisations have preferred to take more drastic steps than undertaking the ICO’s widely recognised 12 step checklist. For example, J.D. Wetherspoons has deleted their entire mailing list; however, this course of action isn’t necessarily going to be the right response for a parking operator or a local authority. There isn’t a one size fits all solution, so don’t be afraid to ask further questions; the first answer isn’t always the right answer.

        4. Is this a lengthy process?

There is plenty of time to make these decisions but we must not sit on our heels.

In an ideal world every organisation’s data is stored neatly in one place, but in reality this is not always the case. It takes time to look in multiple places to make the best decisions and remove unnecessary data.

In particular we have found that sometimes we end up asking more questions about our data than we first thought and it takes time to reach our final decision on whether to retain it or not.

To improve our processes for members and staff we are building in GDPR from the beginning with new systems and processes. Thinking about GDPR at the start of a process review rather than adding it in at the end will keep your compliance simple.  

        5. What are your tips for other organisations?

Throughout this process it has been clear that the most important thing to do is ensure we have thought about our data and its retention. Our advice would be not to be afraid of deleting or retaining data but make sure you have clearly understood the reasons behind your decision.

Some data may also be retained in its present form as long as it has been considered and there are valid reasons for this. The overall message is there is no reason to panic!

To help us all prepare the ICO are releasing further information and guidance later in January 2018 and we ourselves will be holding three events in March to assist our members. If you have any particular topics you would like to be discussed at these events please email

For now, if you have any questions about GDPR and you are a BPA Member, you can get up to 30 minutes of free advice from our dedicated GDPRLine, part of the BPA Lawline service. Phone 0345 241 3024 or e-mail

