GUIDE TO BUSINESS GDPR COMPLIANCE

STEP BY STEP TO COMPLIANCE

Implementing and maintaining compliance with the GDPR could have significant resource implications, especially for larger and more complex organisations. Make sure the decision makers, key people in your organisation and your employees are aware of the extensive obligations imposed by GDPR.

If you don’t know how personal data flows through your internal systems, you don’t know how it is controlled. Here are some questions to ask yourself:

From what sources do I collect the Data?

What kind of Data is collected from these sources?

Why do I collect the Data?

How is the collected Data processed?

When is the Data disposed of?

Do I have consent to collect this Data?

Why does my website require this Data?

Where is this Personal Data stored?

Who has access to this Data?

Do any third parties hold this personal data? If yes, how do I control their processing of personal data?

Are these third parties based outside the EEA? If yes, what mechanism do they have in place to protect personal data from being accessed by foreign bodies or from being used for purposes other than those permitted under the contract with that third party?

How long does this personal data need to be kept? Can any of this information be deleted or anonymized?

These issues sit at the heart of data protection risk management. If you don’t know what data you hold and what you do with it, you can’t assess or monitor your compliance with data protection requirements.

Private sector organisations need a DPO if their core activities consist of:

  • processing operations which require the regular or systematic monitoring of data subjects on a large scale, or
  • large-scale processing of sensitive or criminally-related data

For many private sector, commercial organisations, the question is not ‘do we have to appoint a DPO’; it’s ‘should we appoint a DPO’.

Data protection by design is often overlooked by organisations when considering their GDPR compliance obligations. This is understandable, as data protection by design is an intangible, all-pervading concept that can be difficult to translate into specific actions, particularly compared to other discrete requirements of the GDPR regime.

However, there is a dedicated section in the GDPR about Data protection by design (Article 25), supplemented by extensive European regulatory guidance.

In essence, Data protection by design involves considering data protection and privacy issues upfront in everything that is done. This means integrating or ‘baking-in’ data protection into processing activities and business practices, from the design stage right through the lifecycle.

Providing privacy information is a fundamental requirement of the GDPR.

The first step is to identify and record all the privacy notices given by your organisation, eg on your website, intranet or terms of business, and to record them in a Privacy Notice Register.

You must also draft:

Data protection policy of the business.

Website Privacy Policy and Cookies policy.

Data Protection Privacy Notice for employees.

Data subjects have a variety of rights over their personal data (though such rights may not apply or be limited in certain circumstances). These include rights to:
—know why their personal data is being collected, how it is being used and who it is being shared with (right to be informed)

—receive a copy of their personal data on request; when a data subject makes this kind of request, it is known as a data subject access request (often referred to as a DSAR) (right of access)

—receive a copy of their personal data in a format which is easy to store, review and share, thereby making it easier for individuals to obtain and re-use their own information by moving or copying it from one IT environment to another (right of data portability)

—correct incomplete or wrong data about themselves (right of rectification)

—ask for any processing of their personal data to be put on hold while other issues are resolved (right to restriction of processing)

—object in certain cases to processing of their personal data. The processing will generally still be allowed if the organisation can show that its reasons (eg public or legitimate interest) for processing outweigh the individual’s rights; but if the individual objects to use of their data for direct marketing at any time, or withdraws a consent upon which the processing was based, then the processing must stop immediately (right to object)

—object to any processing or profiling done without any human input (ie automatic processing) to make decisions which will have a significant legal impact on them. This right is designed to protect data subjects against the risk that a potentially damaging decision is made without human involvement (right not to be subject to automated individual decision making)

The individuals whose personal data you process have a range of rights—known as data subject rights.

In most cases you will not be able to charge for complying with a data subject access request (DSAR) and normally you will have one month to comply—and manifestly unfounded or excessive requests can be charged for or refused. However, if you want to refuse a request, you will need to have policies and procedures to demonstrate why the request meets the relevant criteria.

You will also need to provide some additional information to people making requests, eg your data retention periods and the right to have inaccurate data corrected.

You should review your internal processes for dealing with DSARs and determine how you will handle requests within the timescales specified by the GDPR and provide the information required by the GDPR.

If your organisation receives a large number of DSARs, this could have a significant impact and you may wish to conduct a cost/benefit analysis of developing functionality for people to access their own information on a self-serve basis, eg online.

Check your procedures and work out how you will react if someone objects to you processing their personal data or asks to have their personal data deleted. Can your current IT systems facilitate the location and deletion of data or do you need to invest time and money in some form of enhanced functionality? Who will make the decisions about deletion when requests are received?

Review your direct marketing processes (including those of any service providers). Are you able to remove data subjects who object to direct marketing?

You need the following documents:

Policy on data subject access requests

Data subject requests register

Response to data subject request

Data subject access request form

Where you transfer the personal data internationally (outside the EEA), you must satisfy and comply with requirements of the GDPR (Transfers of personal data to third countries or international organisations).

Essentially, you must have a valid legal mechanism for the transfer, ie:

– an adequacy decision

– appropriate safeguards like standard contractual clauses (SCCs) or binding corporate rules, or

– a derogation

These transfer restrictions apply to controllers and processors, and both to the initial transfer and to any ‘onward transfers’. Such ‘restricted transfers’ may only occur where one of a limited number of mechanisms is in place. The most commonly used mechanisms are official adequacy findings, standard contractual clauses or Binding Corporate Rules. The requirements relating to international transfers can be one of the most challenging areas of data protection law in practice.

Your first step is to map your data flows and identify any transfers of personal data outside the EEA. This may already be known to you and reflected in your data processing register or inventory.

Once you know whether you transfer any personal data outside the EEA, where to and why, you can set some priorities. Realistically, if you engage in multiple international data transfers, you cannot assess all of them simultaneously.

Having excluded transfers based on an adequacy decision, you may wish to prioritize any transfers to the US, because this is an area of focus for privacy activists.

You should then work your way through your other international data transfers. When determining priorities, you should consider:

– the volume of data transferred

– the sensitivity of that data, particularly if special category personal data is involved

– whether you have any reasons for concern about data subjects’ rights and protections in the country to which the data is transferred

At all stages, you should document your assessments, including any information you obtain from the data recipient.

The GDPR defines a ‘personal data breach’ as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Under the GDPR there are obligations on controllers to report certain significant personal data breaches to regulators and/or data subjects, and obligations on processors to report personal data breaches to the controller.

You must notify the data supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it. The only exception is where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, you must also communicate the breach to those data subjects without undue delay. This is not subject to a long-stop of 72 hours as in the obligation to notify the data protection supervisory authority. In fact, the GDPR states that data subject notification should be made as soon as reasonably feasible and in close co-operation with the supervisory authority, respecting guidance provided by it or other relevant authorities, such as law enforcement agencies. This suggests you should notify the data supervisory authority first before communicating with data subjects.

Make sure you have the right procedures in place to detect, report and investigate a personal data breach. You must draft the following documents:

Personal data breach plan

Data breach register

Data breach monitoring record

Data breach assessment and action plan

Prevention is always better than cure. Ensure your organisation’s information security arrangements are reviewed on a regular basis.

Where an organisation is not established in the EEA but is subject to the extra-territorial reach of the GDPR (eg because it provides services directly to EU consumers), it will often be required to appoint a local representative in the EEA.

The GDPR requires you to appoint a European representative if you:

– are based outside EEA;

– have no offices, branches or other establishments in the EEA, and

– offer goods or services to, or monitor the behaviour of, individuals in the EEA.

You will need to establish whether the obligation to appoint a European Representative applies to your firm. If so, you must take steps to comply with the obligation to appoint a Representative.

The appointment must be in writing and should set out the terms of your relationship with the representative.

A DPIA does what the title suggests, ie assesses the data protection impact of processing activities, eg a new project. Generally, a DPIA is conducted at the start of a project that could have data protection implications, eg rolling out a new document management or HR system.

A DPIA must be carried out by a controller whenever the actual or proposed processing is likely to result in a high risk to the rights and freedoms of data subjects. Regulators have specified many specific circumstances in which DPIAs are required.

Here are examples of the sort of projects that might require a DPIA:

-new IT system for storing and accessing personal data

-data sharing initiative where two or more organisations seek to pool or link sets of personal data

-proposal to identify people in a particular group or demographic and initiate a course of action, eg marketing

-using existing data for a new and unexpected or more intrusive purpose, eg analysing clients’ likely legal needs

-new surveillance system (especially one which monitors the public) or the application of new technology to an existing system (eg adding automatic number plate recognition capabilities to existing CCTV), and

-new database which consolidates information held by separate parts of an organisation
Conducting a DPIA is a preventative measure. If you assess and address the risk to data security and privacy at the start of the project, you are far less likely to need remedial action midway through or, worse, after your project has gone live.

Consider your organisation’s strategic plan. Are there any high-impact or high privacy-risk projects or activities within the foreseeable future that may trigger the need for a DPIA?

Generally, a DPIA should be conducted at the start of a project that could have data protection or privacy implications, eg rolling out a new stock management, customer relationship management (CRM) or human resources system.

Where a controller contracts with a processor, or a processor sub-contracts its processing service to another processor (a ‘sub-processor’), the GDPR requires that certain contractual provisions are put in place (unless the processing is governed by a legal act, which is unlikely).

Ensure any new commercial agreements with data processors are GDPR compliant and consider whether it is possible to amend contracts with existing suppliers.

Controllers must ensure they undertake appropriate due diligence, accountability, and compliance actions and put in place appropriate arrangements when sharing or receiving personal data from other controllers. That includes putting in place certain additional minimum arrangements required by the GDPR where the controllers jointly determine the purposes and means of processing (so-called ‘joint controllers’).

The GDPR recognises that children (those under 18) need particular protection when their personal data is collected and processed, because they may be less aware of the risks involved. As such, particular care must be taken when processing children’s personal data to ensure that any additional requirements relating to children’s personal data are complied with.

Both controllers and processors are subject to extensive record-keeping obligations (eg further to the accountability principle on controllers and Article 28 of GDPR and specific record-keeping requirements further to Article 30 of GDPR).

Controllers must also comply with a number of specific requirements of the relevant regime which vary between different EEA states applying the GDPR.
