Data mapping your organisation to secure compliance

For privacy law compliance, it’s vital to have a clear view of the personal data under your control. This involves understanding what data you hold, what it’s for, where it’s located, where it goes, how long you keep it for and what you do with it once you no longer need it. Done in the right way, data mapping gives you precisely the information you need to create such an understanding.


Data mapping has always been good practice for data compliance. However, as we’ll see, the arrival of the General Data Protection Regulation (GDPR) makes it even more of a priority to take data mapping seriously.


For a start, the new law requires that you identify those areas where “the rights and freedoms of data subjects” could be at risk – and to take appropriate measures to manage those risks. Likewise, to reduce the likelihood of a breach, GDPR carries a range of data governance obligations; especially on impact assessments and record keeping. Once your data estate is thoroughly and accurately mapped, it becomes so much easier to stay on top of these obligations.


Here, we’ll outline the essential elements of data mapping, how it fits in with the GDPR – and how to get it right.

What is data mapping?


Data mapping tracks the flow of data to, through and from your organisation. More specifically, a data map (also known as a data flow) should give you the following information regarding the personal data under your control:


  • Where it comes from (e.g. customers, staff and third parties)
  • Its purpose (e.g. order fulfilment or payroll)
  • The entry point; i.e. how it enters your company (e.g. a telephone call, email or online form)
  • Its format, such as Excel spreadsheet, simple Word doc or CRM customer account page
  • Where it’s stored; such as a filing cabinet, in-house server or Cloud database
  • The country it’s stored in
  • Where it’s accessible from and who has access to it


From sales calls through to order dispatch and beyond, data tends to shift format, location and viewability. This type of data flow is all part and parcel of doing business. To be fit for purpose, your data map should be able to describe your organisation’s “data story” accurately. It may also be that your data map is actually a number of data maps, or data flows.

Essential elements of a data map…


The data map for a multinational consultancy will obviously look different to that of a small online retailer. But while there’s no universal blueprint, all good data maps tend to share the following characteristics.

It covers all data processing activities

A map is only truly reliable if it covers your entire “data world”. This involves looking at all areas of the business, identifying each and every instance where data is being processed, the purposes of processing and the individual activities that are involved in that processing.

It’s highly visual

If it’s only your IT manager who can make sense of it all, the data map isn’t doing its job properly. Everyone, from the tech-sceptic CEO through to on-the-ground account managers, should be able to refer to that map and see what happens with the personal data your company controls and handles. Diagrams, charts and infographics are all useful visual tools.

How a data map fits in with compliance


Here are some of the key ways in which data mapping helps you get GDPR compliance right.

Your record of processing activities

Under GDPR, apart from a limited exception for small and medium-sized organisations, businesses are under a duty to keep an up-to-date record of all data processing activities. Data mapping enables you to cover this in a thorough, systematic way. It means that you can identify and visualise the complete flow of data through your business – so it’s much less likely that any processing activities are overlooked.

Protecting data subjects’ rights and transparency

The GDPR introduces new rights for individuals and enhances existing rights (all of which you can read about here). Allied to this is the principle of transparency – the duty on businesses to be upfront and explain in the clearest possible way to individuals what is happening with their personal information. Having an accurate and clear map at your fingertips can make it easier to convey the required information to data subjects in the most appropriate way.

New data processing activities and privacy impact assessments (PIAs)

A PIA is a process of identifying, assessing and reducing privacy risks. Once the GDPR is in force, you’ll need to carry out a PIA for all new processing activities where there’s a high risk to the rights and freedoms of individuals affected. This could include the introduction of new products, or changes to your data management systems.

As part of your PIA, and using your existing data map, you can track how the proposed new activity alters the flow of data in, out and through your organisation, identifying any data protection issues along the way.

Next steps to take


Here are some tips to help you get started with data mapping.

Look for compliance-focused mapping tools

The principle of accountability is one of the cornerstones of the GDPR. As well as being compliant, firms need to have the processes in place to actually show the regulator that they are getting things right.

That’s why, when it comes to tools to help you with data mapping, it’s worth homing in on those that are built specifically with GDPR compliance in mind. In other words, look for ones which not only help you map your estate, but also refer directly to your specific GDPR obligations and reporting requirements. The Privacy Compliance Hub, for example, has clear templates for data mapping, record keeping and privacy impact assessments that leave nothing out and ensure that everyone in an organisation understands their responsibilities effectively.

Make it collaborative

As we’ve seen, data mapping demands examining each area of your business under the spotlight. For this, it’s likely that department managers will need to put their heads together with your compliance project manager. Tools that promote easy collaboration during the process of ‘map building’ should be especially useful.

Bringing it all together with The Privacy Compliance Hub…

Designed with the GDPR in mind, The Privacy Compliance Hub can help your organisation get all aspects of this new data law right – and includes data mapping capabilities. To discover more, check out our demo.

Data protection breaches: best practice under the GDPR

The General Data Protection Regulation (GDPR) requires you to take “appropriate” measures to ensure that personal data processing is carried out in a secure way. This seems a very broadly-worded requirement, but it is not accidental. Every organisation is under a duty to think carefully about what’s appropriate for them, taking into account the risks to the rights and freedoms of individuals that a data breach might pose.


In addition, and for the first time, GDPR requires all data controllers to report certain types of data breaches to their national data regulator (in the UK it’s the ICO). You must also keep an internal record of all personal data breaches.


You might be wondering what exactly the lawmakers mean by a “personal data breach”, as well as what you should do if you are hit by one. Decision makers need to be aware of how they can safeguard their organisation against breaches and stay on the right side of the regulator. If this sounds a lot like the things you have been asking yourself, then read on to find out more.

The GDPR definition of personal data breaches


GDPR only concerns personal data. So, if it’s just your business accounts or intellectual property that are affected, these rules don’t apply. If it’s information that can identify a real person (e.g. customer or HR data), then the GDPR does apply.


A breach means loss, destruction or alteration of personal data, or unauthorised disclosure of, or access to, personal data. It could be deliberate or accidental. Some real-life examples include the following:


  • Water damage to your warehouse leading to destruction of paper-based customer records
  • An unauthorised login enabling someone from outside your organisation to access your CRM platform
  • A systems failure leading to permanent loss of HR data spreadsheets
  • A hacker unleashes a spyware packet, enabling them to access your entire data estate at will
  • A departing manager ‘goes rogue’ and downloads your customer contact file before she leaves

Do I need to report personal data breaches?


You might be familiar with what constitutes a data breach, but still uncertain about which data breaches you need to report. Here, we have outlined practical advice on what to do in the event of a personal data breach.


Internal reporting

All personal data breaches must be recorded in an internal register of data breaches. For each breach, your internal record should answer these questions:

  • What happened and when?
  • How did it occur?
  • What were the effects of the breach?
  • What action did you take to remedy it?

Reporting breaches to the regulator

Under the GDPR, you are required to report a personal data breach to the regulator if it is likely to result in a “risk to the rights and freedoms of data subjects”. This includes the right to privacy (e.g. ID and email details).


There’s still some debate over what might and might not amount to a reportable breach under this definition. What’s clear, however, is that it’s not how the breach occurred that determines whether you need to report it. Rather, it’s based on the risk to the individuals whose data is affected.


Let’s say your customer database becomes corrupted. Within a day, you are able to put a backup version into operation, and from your security event management system, you are satisfied that there has been no unauthorised access to that data. The rights and freedoms of data subjects have not been affected – so there’s no duty to report to the regulator (although you should still record it internally).


Meanwhile, an employee reports the suspected theft of a USB stick containing copies of customer emails. It wasn’t password protected – and neither was the data encrypted. This almost certainly would be a reportable breach.

When and how to report to the regulator


You must report to the regulator “without undue delay”, and no later than 72 hours after becoming aware of the breach. The ICO has a helpline and standard notification procedure for this, which you can check out here.

Informing the individuals affected


If the data breach is likely to result in a high risk to the rights and freedoms of individuals, you also need to notify those individuals. This includes telling them in clear and plain language what has happened, what it means, what you’re doing to put things right and what they can do themselves to minimise the risks posed.


A “high” risk includes things like identity theft, fraud, financial loss and damage to reputation. In other words, if there’s a risk of customer data falling into the wrong hands – or of sensitive information being made public – you need to inform them.

Protecting your organisation against data breaches


The ICO does not punish organisations simply for suffering a data breach. What happens next depends a lot on the type of “back story” you are able to provide; i.e. your ability to explain to the regulator what happened – along with evidence that you are not falling short when it comes to appropriate protective measures.


The ICO will be especially concerned with the following:

  • Did you report the incident on time?
  • Can you explain what happened, how it happened and what you did to fix it?
  • Did you have an incident response plan in place (there is a template response plan in The Privacy Compliance Hub)?
  • For the data processing operation in question – did you perform a privacy impact assessment (again, available in The Privacy Compliance Hub)?
  • Do your data security measures – e.g. firewalls, penetration testing and authentication – measure up with the “state of the art”?


Covering all of this becomes so much easier with a single source for information, training, alerts and reporting procedures. This applies both to preventing security breaches in the first place – and for responding in the right way if and when an actual breach occurs.


Fortunately, that is just what we deliver in The Privacy Compliance Hub. To discover more about how our compliance tool can be implemented to protect your organisation and educate your employees with ease, check out our ‘How it works’ page or speak to us today – we’d love to hear from you!

Dealing with Data Subject Access Requests: understanding best practice

The right of individuals to access their personal data is one of the most important principles of data protection law. Already, European citizens have the right to know whether or not organisations hold data on them and what that data is for. There is also a broad requirement on controllers to supply copies of that data when requested.

The General Data Protection Regulation (GDPR) takes things further. For individuals, the new law strengthens existing access rights and aims to make it easier for people to exercise them. For you, it demands a fresh look at your ability to respond to requests. Would your people recognise a “data access request” when it arrives? Can you respond to it with the minimum of disruption, whilst staying on the right side of the law?

As we’ll show you, with a good grasp of the law, suitable procedures and equipped with the right toolkit, you should have everything you need to take data subject access in your stride.

Subject access: what information must your organisation provide to individuals?

As a starting point, individuals are entitled to confirmation of whether you are processing their data. Bear in mind that “processing” is a wide term (further info is available for you in our GDPR definitions guide).

If you are processing their data, those individuals are entitled to the following information from you:

  • The reason why you need the data (i.e. the purpose of the processing)
  • The categories of data – e.g. customer account or HR records
  • How long the data will be stored
  • Details of third parties to whom the data will be disclosed (e.g. storage service providers)
  • Important data rights information. You must confirm that data subjects are entitled to ask you for “data rectification” if the information you hold is inaccurate. You must also make it clear that they are entitled to withdraw consent to the processing if they so wish, and that they have the right to make a complaint to the data regulator if they believe data is being processed unlawfully.
  • Confirmation as to whether data is being used for “automated decision making” (e.g. using software for personalised price setting).

Data subjects can also ask for a copy of the data you hold on them. Under the old rules, you could generally charge an admin fee for supplying information and copy data. Now, the GDPR stipulates that a copy of the data must be provided for free – although it is possible to levy a charge where multiple requests are made for the same data. You must respond to the request within a month, although this can be extended if it’s a complicated request involving lots of data.

For individuals, gaining access to their data can often be the first step; it allows them to see what data is held on them – and how it’s used. The next step might be to exercise other important rights which the GDPR gives individuals:

  • The right to be informed
  • The right to rectification (data correction)
  • The right to erasure
  • The right to object to processing and to request that it is restricted
  • The right not to be evaluated solely on the basis of automated decision making, and rights in relation to profiling.

For a thorough understanding of these rights, check out our information hub.

How to handle subject access requests (SARs)

If you are unwilling or unable to respond to SARs on time or at all, it opens up the possibility of complaints against you to the regulator. This can lead to an investigation of your data management procedures by the ICO – and possibly even a fine (you can learn more about GDPR penalties on our blog, here).

Accurate, up-to-date information about your customers is essential for delivering a great service. Achieving this can often be so much easier if those customers are able to view, check and tell you about anything that needs changing, or even amend key data themselves. So quite apart from the threat of sanctions, making data access easy can make great business sense.

For better data access, pay special attention to the following:

Consider a self-service approach to data access

Ideally, exercising data rights shouldn’t be a complicated process. This is why GDPR encourages firms to have a suitable mechanism in place, possibly with a self-service element, to make SARs easier.

To take the example of an online business, this might consist of a secure portal where customers can view a data summary, and can then download or print out copies of their data.

Proformas and electronic access

Where a request is made electronically, GDPR stipulates that it should be responded to electronically, too. A self-service data portal won’t be practical for all businesses, but you might want to consider drafting templates for responding to requests. This would include separate fields for the category type, anticipated date of deletion and the other points detailed above.

For hard paper records as well as your IT systems, a reorganisation of your customer and HR files might also be a good idea. This should let you identify and get your hands on all the data relating to an individual if he or she submits a request, quickly and easily.

Bringing it all together with The Privacy Compliance Hub

The right to access is often a gateway to other GDPR rights. Having obtained a bird’s-eye view of their data, individuals might ask you to make changes, to stop or alter the data processing – or perhaps even send it to someone else. These are all vital elements of GDPR compliance.

The Privacy Compliance Hub helps you bring all of them together. It’s a one-stop portal of the tools, templates, reports and processes your business needs to ensure that you can handle all data-related queries with ease – including SARs, no matter how complex. Ready to find out how it works? Ask for a free demo – or speak to us today.

The simple changes required to privacy notices under the GDPR

What are ‘privacy notices’?

Let’s go back to basics – what is a privacy notice and what is it for? A privacy notice is an explanation of how an organisation handles personal information and what rights an individual has in relation to that information. The idea is that each individual should know what an organisation does with his or her personal information. If that individual doesn’t like what he or she reads in an organisation’s privacy notice, then he or she can choose not to share their personal information with that organisation.

What is the purpose of privacy notices?

Almost every website has a link to a privacy policy. More often than not it is tucked away in the footer of a web page. It’s probably fair to say that very few people actually read them. However, even under the existing law, data protection regulators and consumer protection bodies are very concerned about what is in such policies, where they are found and how they are brought to the attention of individuals.

Under the General Data Protection Regulation (GDPR) due to come into force on 25th May 2018, that scrutiny is going to increase as are the number of things that have to be included in such policies (or privacy notices as they are also known).

The GDPR strengthens the rights of individuals. One element of the regulation requires that privacy notices must include more information. The regulators were frustrated with the number of vague, long and often complicated privacy notices, half hidden on websites which did not inform individuals as they should. The GDPR aims to give individuals genuine choices in relation to how organisations process their personal information.

How has the GDPR changed organisations’ approach to privacy notices?

Due to the GDPR, organisations are now a lot more careful about what they put in privacy notices and where and when they display them. Individuals are also a lot more savvy about their rights and, in our experience, are much more likely to challenge organisations in relation to their policies and the manner in which they process personal information. As data protection specialists, we have extensive experience in overcoming these challenges. Read more about us here.

Organisations are taking steps to ensure that privacy notices are true, concise, transparent, intelligible and easily accessible. In other words, they are not writing them in complex legal language and are making them easy to find. They are using what are called ‘just in time notices’ which point out to an individual what they are going to do with that individual’s personal information at the time that individual provides it.

What should be included in a privacy notice?

The following should be included:

  • Name and contact details of the controller and their representative (e.g. the data protection officer).
  • The purpose of the processing and the legal basis for it (e.g. we need your address to deliver goods to you in line with the contract between us).
  • Any legitimate interests for processing (e.g. we use Royal Mail to deliver your goods and it is in our legitimate interest to pass your address details to them for that purpose).
  • The categories of personal information processed (e.g. name, address and credit card details).
  • Any organisations the personal information is shared with (e.g. sharing of IP address with Google Analytics).
  • Details of transfers of personal information outside the EEA (e.g. storage with a cloud hosting provider based in the USA which is Privacy Shield certified).
  • How long the personal information is kept for (e.g. for 12 months after an individual ceases using the services).
  • Information on all an individual’s rights (e.g. their right to erasure of their personal information).
  • Information on an individual’s right to withdraw consent to processing.
  • Information on an individual’s right to complain to the regulator.
  • Where the individual’s personal information came from (e.g. from a third party cookie).
  • Whether the individual has to provide the personal information as a matter of law (e.g. a national insurance number so they can get paid).
  • Details on any automatic decision making carried out using the personal information (e.g. use of bank transaction data to determine a loan application).

Making sure your organisation’s privacy notice is compliant

Carry out an inventory of what personal information your organisation processes. You need to know what you have got, what you do with it, who you share it with, how long you keep it and what you do with it when you no longer need it. Only once you have carried out this review will you be able to move onto the next step of reviewing your privacy policies. These policies need to reflect the information you have gathered in your inventory process and follow the new requirements of the GDPR.

One of our clients is an educational app platform. Its users are children and their teachers. As children need to understand their privacy policy, they decided that children should write their privacy policy. That way, instead of writing a complicated policy and having to make it simple, they started with a simple policy and worked it up to include everything that the GDPR requires (as well as probably correcting a few spelling mistakes!).

How The Privacy Compliance Hub can help

The Privacy Compliance Hub includes over 30 template documents (including privacy notices and audit questionnaires) to assist a company in complying with data protection law, including the GDPR. It provides these templates as part of a comprehensive compliance product which enables an organisation to build, maintain and demonstrate its data protection compliance.

If you would like to discover more, watch the video available on our website, or get in touch using the contact section below. We’d love to hear from you!

Protecting your organisation from GDPR fines and penalties

The General Data Protection Regulation (GDPR) features updated penalties for non-compliance with data privacy law, including the possibility of higher fines for the most serious breaches. But while it’s true that the data regulator now has sharper teeth, it also seems that the whole issue of GDPR penalties has prompted more than a little scaremongering.

So, if you find yourself in breach of the GDPR, what type of penalty can you expect? Most importantly of all, what should you do to avoid falling foul of the regulator in the first place? This guide is designed to provide you with a reassuring dose of clarity.

What are the penalties for a GDPR breach?

Financial penalties

Under the old Data Protection Act (DPA), the maximum fine that could be handed out by the Information Commissioner’s Office (ICO) for non-compliance was £500,000.

The GDPR introduces two tiers of fines that can be levied, depending on the specific part of the regulation that has been breached:

  • Up to €20 million, or 4% of the organisation’s annual global turnover – whichever is higher.
  • Up to €10 million, or 2% of annual global turnover – whichever is higher.

Broadly, if a breach of the regulation involves an infringement of an individual’s privacy rights, then the top tier applies. This includes situations where a person’s data has been processed without any lawful basis (where they haven’t given proper consent, for instance).

The lower tier applies largely to breaches of a more procedural or technical nature. Examples include failures to report, or late reporting of security breaches, a lack of record keeping or failure to cooperate with the ICO.

Non-financial penalties and regulatory intervention

The ICO’s main job is to encourage and ensure that organisations meet their data protection obligations and very often penalties other than fines are better suited for achieving this. Other than fines, the powers available to the regulator come in three main flavours:

  • Intervention. This includes ‘stop now’ orders, requiring you to cease a certain course of activity until you’ve fixed a breach. Alongside this, the ICO can issue undertakings; i.e. a formal order compelling you to do something to address non-compliance (e.g. specific improvements to your IT security framework).
  • Audit. Sometimes it’s consensual, in other situations you have no choice on the matter. Either way, the ICO can come in and carry out a thorough assessment of your organisation’s set-up and procedures to check that you’re following good practice.
  • Prosecution. Some breaches of data privacy law constitute a criminal offence. Neglecting to register as a data controller is a good example. It can lead to a criminal conviction for a company (or its directors) as well as a fine.

These measures can be taken in conjunction with each other (e.g. a ‘stop now’ order hot on the heels of an audit). They can also be taken instead of, or alongside, a fine.

Will I be fined for non-compliance? Some myths busted.

The threat of €20 million fines makes for good headlines, but it also helps to fuel the myth that dodging a financial penalty is the number one reason for taking data protection compliance seriously. Time to address a couple of the myths surrounding the repercussions of GDPR non-compliance…

Myth 1: If you breach the GDPR, you face an automatic fine.

In 2016/17, the ICO looked at 17,300 cases. Of those, just 16 resulted in fines. Financial penalties are far from the ‘go-to’ tools of the regulator and the Information Commissioner has made it clear that she’s not going to change her policy on this.

If a fine is to be imposed, the GDPR states that it must be “effective, proportionate and dissuasive”. So, if for instance a GDPR breach is a one-off transgression by a company ready and willing to learn from its mistakes, a fine is probably unlikely. The same can’t be said for a company that knowingly and repeatedly breaks the rules and puts individuals’ personal data at risk.

Myth 2: fines are the only penalties you should be concerned about.

Whether it’s the taxman, your professional ombudsman or the ICO, no-one relishes the thought of an audit. Chances are that if you’re facing regulatory intervention, it’s not necessarily going to be in the shape of a fine. But a ‘stop now’ order could easily cripple the operations of a business – and an audit means devoting time and resources that could be better used elsewhere.

There is also a strong risk that any penalty or investigation is likely to become public knowledge. The publicity from any breach is likely to be exceedingly damaging to any business and ruthlessly exploited by the competitors of that business. The moral of this story? Regulatory intervention in all its forms is something to be avoided if possible!

Avoiding a sanction: the essentials…

To stay on the right side of the regulator, try these for starters…

  • Get familiar with the new law. From consent through to the organisational changes you may need to make right now, browse our resource centre for the full lowdown on all key aspects of the GDPR.
  • Get the tools you need to demonstrate compliance. To avoid intervention of the regulator, you need to be able to demonstrate compliance. Whether you’re launching a new app or onboarding new staff, this demands careful attention both to the relevant aspects of the law and to your own records and procedures. Fortunately, The Privacy Compliance Hub provides precisely what you need to stay on top of this, enabling you to prove compliance to the ICO and other European regulators.

Want to know more about making compliance easier? Explore the rest of our resources here. If you’d like to know more about how The Privacy Compliance Hub could work in your organisation get in touch!

Does the right to be forgotten apply to my organisation?

The General Data Protection Regulation (GDPR) is designed to give individuals better control over their personal data. As part of this, and in certain situations, the new law empowers data subjects to ask for their data to be erased, otherwise known as the “right to be forgotten”.

Your organisation needs to get to grips with how and when the new rules on erasure apply. You also need to make sure that you’re equipped to respond to valid data erasure requests as and when you get them.

So does your business have what it takes to deal with the so-called “right to be forgotten”? The Hub is on hand to help you get it right…

What is the right to be forgotten?

The GDPR states that, if certain specified conditions are met, individuals have the right to request that the personal data you control about them be deleted.

If you’ve received a valid data erasure request, you must respond to it “without undue delay”, and no later than a month after the request. This period can be extended in limited circumstances – e.g. where it’s a complicated request involving large quantities of data.

Here are the situations where the right to be forgotten applies:

  • Where possession of the data is no longer needed. You must only collect data in relation to clearly defined purposes. If it’s no longer required for the specified purpose, the data subject can request erasure.
  • Where the data subject withdraws their consent, or objects to the data processing and where there is no good reason to continue with the processing. This could include situations where customers cancel their contracts with you.
  • Where the data shouldn’t have been processed in the first place. For instance, it turns out that you’re holding a customer’s data without their consent or any other legal basis.
  • To comply with a legal obligation.
  • The data relates to the offer of “information society services” to a child. An example of this could be where a child opens an account for a streaming service without parental consent.

Are there any exceptions?

The right to erasure isn’t absolute or unlimited. The exceptions to it include the following:

  • For the controller to exercise its “right of freedom of expression and information”. This exception is likely to be of particular relevance to media outlets.
  • Public interest purposes. There might, for instance, be a legitimate reason for archiving certain types of data (health information, for instance) for research purposes.
  • Defence of legal claims. One example is where a former employee requests the deletion of their HR records, but you have reason to believe they may be considering bringing a claim against you under employment law.

Will it affect my organisation?

It affects all types of data controllers, whatever their field of business. Imagine the prospective job applicant who uploads their CV on spec to your careers page. If they change their mind, they may exercise their right to erasure and ask that you delete all details you have on them.

You may also find that data subjects seek to exercise their right to be forgotten alongside other rights. Consider, for instance, the client who is thinking of jumping ship. They start off by asking you to confirm what data you hold on them (the right of “access”); they request that their details be transferred to another company (the right to “data portability”), and they follow up with a request for their records to be deleted (the right to “erasure”).

If you can’t or won’t comply with these requests, it exposes your organisation to the threat of sanctions, including fines, audits and regulatory intervention. So the right to be forgotten is everyone’s business.

How to prepare for the right to be forgotten

Pay particular attention to the following:

Make it easier to respond to requests

The GDPR encourages the use of “self-service” data hubs, whereby data subjects can access their own data conveniently and securely. If it’s practical, this might include a mechanism for customers to request data erasure. From your point of view, this approach could make it a lot easier to identify, manage and respond to such requests.

Build a company-wide culture of compliance

Would your customer services staff know a data erasure request if it hit their inbox? How about your social media team? Being compliant demands the ability to respond to such requests in a timely manner – so make sure that staff right through your organisation are aware of their compliance responsibilities.

Have the right tools in place

The Privacy Compliance Hub can provide precisely the framework you need for hardwiring compliance into your organisation, from identifying actionable data rights requests – through to responding to them in the right way.

For advice on all key areas of the GDPR, check out our resources section. For a closer look at how the Hub can help, ask for a free demo today.

How to identify which GDPR principles apply to your organisation

From customer services and marketing through to HR, organisations use “personal data” in many different ways.

Against this backdrop, the General Data Protection Regulation (GDPR) provides a framework for the privacy and protection of personal data. It’s impossible for European lawmakers to give us a blow-by-blow ‘how to’ guide covering each and every instance of data processing. So instead, much of the new regulation focuses on broad privacy principles.

Your mission? To become familiar with these principles and recognise when and how to implement them. Read on to find out what these core GDPR principles mean and how you should put them to work in real life…

What are the GDPR privacy principles?

There are seven in total – and here’s each of them in outline:

Data to be processed in a lawful, fair and transparent way

The GDPR seeks to give individuals better control over their personal data, including who processes it, how and why it’s used. The principle of lawful, fair and transparent processing supports this.

You need to be upfront and transparent with the people whose personal data you process, making it easier for them to exercise their rights rather than putting up obstacles. Examples of this might include re-wording your privacy notices using clearer, plain language – and perhaps setting up a portal to make it easier for customers to access their personal data via self-service.

Purpose limitation

This states that personal data is only to be collected for “specified, explicit and legitimate purposes”. And once you have an individual’s personal data, you must only use it in ways which are compatible with those purposes.

This means that “data fishing exercises” are unlawful under GDPR. As an example, you shouldn’t be asking for lots of unnecessary info from your customers solely on the basis that it might “come in handy” later on!

Data minimisation

The personal data an organisation processes should be adequate, relevant and restricted to what is necessary to achieve the purposes for which it is processed. In other words, if it isn’t needed, don’t collect it. And if it is no longer needed, get rid of it.

Accuracy

“Bad” data is bad news, both for you and for data subjects. Orders aren’t fulfilled, staff don’t get paid on time, credit scores are affected – to name just a few of the headaches it can cause.

The GDPR requires organisations to take “reasonable steps” to ensure that personal data is accurate and kept up to date. So let’s say both your customer base and your workforce are getting bigger. Here, “reasonable steps” might include replacing your maze of standalone Excel spreadsheets with CRM and HR systems. With these, it becomes so much easier to keep those records up to date.

Storage limitation

Don’t keep personal data for longer than you need it. As well as being a requirement under GDPR, this is good business sense. A time limit on data storage helps to prevent your data estate growing needlessly large.

Integrity and confidentiality

You must ensure “appropriate” steps are taken to protect personal data. This includes measures to prevent unlawful use, loss, theft and damage.

What’s appropriate depends on the nature of that personal data. For instance, credit card information and medical records will demand tougher protection than Web browsing data. You should also take into account the wider threat landscape. As an example, let’s say your sector is being targeted by a specific hacking risk. You should keep an eye on industry best practice to establish the most appropriate way to minimise that risk.

Accountability

This overarching principle guides you on how you should approach all of the other GDPR principles. It is also a new principle, a very important one that sets the GDPR apart from its predecessor.

It states that being compliant is only part of the story; it’s just as important to be able to show that you are following the rules and meeting your obligations. For this, having the right paperwork in place is crucial. From the network security tests you carry out, right through to customer consents, you need to be able not just to tell the ICO that you are sticking to the rules, but be able to prove it.

Data mapping: how it helps you apply the GDPR principles

A data map is a complete overview of all the personal data your organisation uses. Get it right, and your data map will give you the following info…

  • What personal data you control or process
  • What category it falls into (special rules apply to, for example, health data, criminal records and data relating to children)
  • What it is used for
  • The formats in which it is stored and accessed
  • Who has access to it
  • Locations – i.e. where it flows to and from. This might include Cloud storage services or third party processors.
  • Accountability. Who is responsible for the data? This can sometimes change as data flows from one part of the organisation to another in its lifecycle.

It’s only once you have mapped your data that you can apply the GDPR principles outlined above in a thorough and meaningful way. It’s vital for compliance. But beyond this, it can also give you a new perspective on your entire business. Data is an asset – and this is exactly the type of exercise that can show you if you’re putting it to work in the right way.

Data mapping pitfalls: how to overcome them with The Privacy Compliance Hub

From a technical perspective, data mapping demands a full inventory and assessment of all platforms, repositories and endpoints – from your filing cabinets through to cloud servers. At the same time, and for all areas of your business, you need to isolate each and every situation where personal data is being used.

So data mapping isn’t something that should be left for your all-purpose IT guy to get on with in isolation. It requires you to get into forensics mode; to get a thorough understanding of what’s going on in each of your organisation’s departments.

Approach this in an ad-hoc or haphazard way and important areas can easily be missed. The Privacy Compliance Hub is designed to ensure you avoid this pitfall. Providing you with a structure, complete methodology and step-by-step process for formulating a privacy plan, it helps you ensure that all areas are covered – and enables you to demonstrate that they are.

Hidden or overlooked personal data – or data that’s being used for unintended purposes – can result in you sleepwalking toward non-compliance. With the right tools to collaborate with what we call ‘Privacy Champions’ from each department, you have everything you need to ensure all privacy principles are embedded in your organisation.

For further info on all aspects of GDPR, explore the rest of our Hub. Ready to get your data mapping project on the right track? Contact us today for a free demo.

Consent under the GDPR: Is your organisation up to speed?

Some say that lawyers start by making things complicated and then when people have just about worked out what is going on, the law changes again. Bear that in mind while you read the following definition of ‘consent’ under the General Data Protection Regulation (GDPR)…

To process personal data, an organisation must have a legal basis for such processing. One acceptable legal basis under the GDPR is ‘consent’. Consent existed under the Data Protection Act as a means by which an organisation could make its processing fair and legal, so in theory, it is nothing new. However, in practice under the GDPR, it is new. Consent is more difficult to obtain and organisations must make it easy for individuals to withdraw that consent.

Why is consent so important under the GDPR?

From 25 May 2018, some organisations may find that the way certain individuals have provided consent under the old law will be considered unacceptable under the new law. This is why an understanding of the changes in the law is vital for compliance.

Also, individuals are more aware of their rights in relation to their personal data. Therefore, organisations who seek to rely on consent as a legal basis for processing must be sure that it is adequate consent in the eyes of the law. Otherwise, individuals will be able to bring legal actions (and possibly class actions) against organisations that have processed personal data without an adequate legal basis.

However, where there is a risk, there is an opportunity. Many companies are embracing the new rules around consent as a way to connect with their customers, build trust in their brand and to make the data they process more valuable. For example, a customer who is fully aware that they are consenting to an online retailer’s marketing emails and who has the ability to withdraw that consent at any time is a customer who is more likely to be interested and engaged in any marketing offers which are sent to them.

What consent means under the GDPR

Personal data can be processed legally if the individual has given consent to the processing for one or more specific purposes. In other words, you can’t just get consent to marketing, you need to get consent for marketing by email, fax and telephone.

That consent must be:

  • Freely given – an individual must not be forced into consenting. For example, if it is a condition of receiving a service that an individual consents to receiving marketing emails then the consent given to receive those marketing emails is inadequate.
  • Specific – the consent provided must not be vague. For example, consenting to “marketing” is vague and, therefore, inadequate. Consenting to “marketing by email” is specific and adequate, but does not allow marketing by in-product push notification or telephone.
  • Informed – an individual must understand what they are consenting to, e.g. “I understand how cookies work and I consent to you putting them on my device”.
  • Unambiguous – an individual should not be confused as to what they are consenting to. For example, a sentence next to a checkbox which says, “Uncheck this box if you do not want to receive marketing email” is confusing, and if a company seeks to rely on such a method for obtaining consent it will be inadequate.
  • The indication of consent needs to be by a clear affirmative action – e.g. by ticking a box saying, “I consent”, rather than not ticking a box saying, “I object”.

Best practice and practical guidance

Follow these practical tips and your organisation will be going some way to complying with its obligations in relation to consent under the GDPR:

  • Review your processes for obtaining consent (The Privacy Compliance Hub has a useful checklist which it makes available to its users).
  • Check your existing consents for GDPR compliance ensuring you have sufficient records of how you obtained consent.
  • Audit your databases and ensure that you can divide your databases between those individuals who have given different types of consent.
  • Alter consent mechanisms if necessary to provide separate opt-in tick boxes for each method of marketing communication you use (The Privacy Compliance Hub offers templates).
  • Review your existing procedures allowing users to withdraw consent. Ensure consent can be withdrawn easily, for example by an unsubscribe link or easy access to a privacy dashboard.
  • Set up a process to record consents if you don’t already have one and make sure it records all the information required.
  • Consider refreshing your consents if existing consents are inadequate.
  • Update your Privacy Policy to explain how any consents work (we offer a template within The Privacy Compliance Hub).
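
As an added example (illustrative code, not The Privacy Compliance Hub’s own), the following Python models a consent register that applies the five conditions above and covers the tips on recording consents, splitting a database by consent type and making withdrawal easy; every name, channel and sample record in it is constructed.

```python
"""Consent register encoding the five consent conditions and practical tips in the text.
Added illustrative code, not The Privacy Compliance Hub's; all names and values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# "Specific": consent is recorded per channel, never for "marketing" as a whole.
CHANNELS = ("email", "telephone", "fax", "push")


@dataclass
class ConsentRecord:
    subject_id: str
    channel: str                # must be one of CHANNELS
    wording: str                # exact statement shown next to the box
    affirmative_action: bool    # the individual ticked or clicked an opt-in
    pre_ticked: bool            # box was already ticked when shown
    condition_of_service: bool  # consent demanded in exchange for the service
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


def consent_problems(rec: ConsentRecord) -> list[str]:
    """Reasons the record fails the conditions in the text; empty list = adequate."""
    problems = []
    if rec.channel not in CHANNELS:
        problems.append(f"not specific: {rec.channel!r} is too vague")
    if rec.condition_of_service:
        problems.append("not freely given: consent was a condition of service")
    # "Informed": a minimal check that the wording names the channel consented to.
    if rec.channel not in rec.wording.lower():
        problems.append("not informed: wording does not name the channel")
    # "Unambiguous": opt-out wording next to a box is the confusing pattern quoted.
    if rec.wording.lower().startswith(("uncheck", "untick")):
        problems.append("ambiguous: opt-out wording instead of opt-in")
    if rec.pre_ticked or not rec.affirmative_action:
        problems.append("no clear affirmative action")
    return problems


class ConsentRegister:
    """Stores adequate consents only, so the database can be split by channel."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}
        self.rejected: list[tuple[ConsentRecord, list[str]]] = []

    def record(self, rec: ConsentRecord) -> bool:
        problems = consent_problems(rec)
        if problems:
            self.rejected.append((rec, problems))  # kept as an audit trail
            return False
        self._records[(rec.subject_id, rec.channel)] = rec
        return True

    def withdraw(self, subject_id: str, channel: str, at: datetime) -> None:
        """Withdrawing must be as easy as consenting: one step, no conditions."""
        self._records[(subject_id, channel)].withdrawn_at = at

    def has_consent(self, subject_id: str, channel: str, at: datetime) -> bool:
        rec = self._records.get((subject_id, channel))
        if rec is None or rec.given_at > at:
            return False
        return rec.withdrawn_at is None or rec.withdrawn_at > at

    def segment(self, channel: str, at: datetime) -> list[str]:
        """Subjects who may be contacted by this channel at the given moment."""
        return sorted(s for s, c in self._records if c == channel and self.has_consent(s, c, at))


GIVEN = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)      # constructed timeline
WITHDRAWN = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_register() -> ConsentRegister:
    """Constructed consents, including the inadequate patterns the text describes."""
    reg = ConsentRegister()
    optin = "I consent to marketing by {}".format
    for rec in [
        ConsentRecord("alice", "email", optin("email"), True, False, False, GIVEN),
        ConsentRecord("alice", "telephone", optin("telephone"), True, True, False, GIVEN),  # pre-ticked
        ConsentRecord("bob", "email", optin("email"), True, False, True, GIVEN),  # condition of service
        ConsentRecord("bob", "push", "I consent to push notifications", True, False, False, GIVEN),
        ConsentRecord("carol", "marketing", "I consent to marketing", True, False, False, GIVEN),  # vague
        ConsentRecord("carol", "email", optin("email"), True, False, False, GIVEN),
        ConsentRecord("dave", "email", "Uncheck this box if you do not want to receive marketing email",
                      False, True, False, GIVEN),  # opt-out wording, no affirmative action
    ]:
        reg.record(rec)
    reg.withdraw("carol", "email", WITHDRAWN)  # e.g. via an unsubscribe link
    return reg


if __name__ == "__main__":
    print(build_sample_register().segment("email", datetime.now(timezone.utc)))
```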

The issue of ‘consent’ is just one issue explained clearly and simply within The Privacy Compliance Hub. Our Hub provides all the information any organisation needs to enable it to comply with data protection law. It also provides over 30 clear templates drafted by experts who have worked within top organisations in implementing successful data protection compliance programmes.

For further info on all aspects of GDPR, explore the rest of our Hub. Ready to get your organisation’s consent up to speed? Get your free demo today.

Why a GDPR summary is not enough to fully understand what you need to do

The internet is full of checklists and summaries aiming to make GDPR compliance look easy. The reality is that you need to know more than these articles provide, and you more than likely need help. The GDPR is a significant piece of legislation that needs commitment from your organisation if you are going to achieve compliance. This is especially important if you have not really paid much attention to its predecessor, the Data Protection Act.

The GDPR challenge

Even the best intentioned are struggling to work out what to do and where to start. Organisations are worried about the past and do not know how to tackle the future. Any cursory search of the internet for help leads to an avalanche of content which only serves to make organisations more worried, leading to them putting off doing something about the challenge.

‘Solutions’ that do not work

There are many companies willing to offer audits that basically translate into: ‘we will charge you a fee for telling you what you haven’t done and then offer to fix your problems for an even larger fee’. You’ll also find companies offering you free checklists that instil worry about what organisations are missing from their compliance, with the end goal of charging heavily to fix it. And there are endless summaries. These summaries are fine for familiarisation, but no good for getting the work done and often leave you confused and worried about the lack of detail.

The problem with all these approaches is they do not take into account the uniqueness of each individual organisation. Every organisation is different. Therefore, a simple summary or checklist is not enough for compliance. Any outside data protection compliance exercise is going to have to get to the bottom of what personal data your organisation has and what you do with it. The only person who knows the answers to those questions is you!

Let’s take an example. The GDPR requires organisations to keep personal data no longer than is necessary. A recruitment consultancy will need to keep a candidate’s CV for a certain period of time. However, a company which only recruits an average of three people a year will need to keep a CV for a different period of time. What is right for your organisation? The Privacy Compliance Hub helps you make such decisions.

What you need and what you don’t

To make the right decisions, you need to ensure that you have the right advice. That means that you need a compliance solution that has been devised by data protection experts from the ground up. You also need a solution that deals with all of the problem, not part of it. There are too many solutions out there which only offer part of the solution. For example, data storage companies that offer to keep data secure, but put a GDPR badge on their offering to make you think that what you are getting is a GDPR compliance solution. Or companies which offer an ISO 27001 solution, see the GDPR as an opportunity and try to repurpose that solution as a GDPR compliance solution.

What you need is a flexible solution that covers every aspect of the GDPR from beginning to end. It needs to be provided by experts in the field who understand the difficulties organisations are having in understanding the avalanche of content out there. The solution needs to be simple and easy to use, enabling your organisation in your industry to create a compliance programme that works for you. It needs to do this securely in a way that you can understand. That is what The Privacy Compliance Hub has been developed for.

How The Privacy Compliance Hub works

The Privacy Compliance Hub enables the leaders of your organisation to achieve data protection compliance. You achieve this by agreeing to comply with a set of what we call ‘Privacy Promises’. By meeting these promises, your organisation complies with its data protection obligations, including the GDPR.

Using a team of ‘Privacy Champions’ appointed from within your organisation, a compliance programme is followed using a Methodology which is supplied within the Hub. The Methodology takes the Privacy Champions through what they need to do in a structured, step by step fashion. A Privacy Plan supplied within the Hub acts as a project management tool to keep track of progress. And, finally, a Privacy Calendar is made available to record each step of your organisation’s compliance journey.

As the Privacy Champions carry out their activities in the Methodology and the Privacy Plan, they can make use of over 30 template documents provided within the Hub.

The Hub is carefully designed to:

  • work for any organisation in any industry;
  • carefully guide users of the Hub through a structured, easy to understand data protection compliance programme;
  • provide practical and easy to use tools to implement that programme; and
  • achieve a fundamental change in the mindset of everyone in an organisation by making data protection compliance matter, always.

It is comprehensive, leaving nothing to chance, but does so in a simple, methodical and structured way. Each and every organisation that uses the Hub is able to put together a bespoke programme that is completely their own.

By using the Hub you are embedding data protection compliance within your organisation (as the GDPR requires) and creating a secure online area from which you can demonstrate compliance to both your customers and regulators.

If you would like to talk about how The Privacy Compliance Hub would work for you, please get in touch. Alternatively, have a look at our video which provides you with a more visual explanation of how it works.

Data controller or data processor? Understanding your responsibilities and risks

Organisations handle personal data in different ways. Some organisations, referred to as “data controllers”, call the shots, as they decide what the data is for and how it’s used. Others essentially do what they are told; they process the data on behalf of the data controller, and these are known as “data processors”.

So are you a data controller or a data processor? It’s important to understand this distinction as it defines your responsibilities under EU data protection law. Previously, data processors could avoid direct liability under the law. But by placing new obligations on data processors, the GDPR changes things.

Here, we’ll explain these changes, help you correctly identify whether you fall into the processor or controller camp and outline the obligations that apply to your organisation.

What is “personal data”?

If your organisation “processes personal data”, then the GDPR applies to you. So first off, it’s important to be clear on the meaning of “personal data”, and what it actually means to “process” it.

Personal data is essentially any information that could identify a European citizen. It includes basic ID information such as names, addresses, telephone numbers, driving licence numbers, credit card details, and Web identifiers. It also includes sensitive (or special category) personal data such as genetic and biometric information.

Whether or not the information you hold could identify someone depends on context. So let’s say you don’t know someone’s real name. But you do know their username on your website – or you have information on their preferences and location through cookie data. This can constitute “personal data”.

It’s not just businesses who sell to consumers who have to pay attention to the GDPR. Much of the info you hold on your employees will be covered. And if you have a list of work email addresses for business buyers, that’s “personal data” too.

Do you “process” it?

“Data processing” is a very broad term. Basically, it means anything that is done to or with personal data. You might collect it either manually or automatically, analyse it, use it for marketing or research purposes, or simply store it on behalf of someone else. In all of these situations, you are “processing” that data.

Are you a data controller?

The data controller is the person or body who determines the purposes and means of processing personal data. In plain English, you decide what the data is for – and what’s going to happen to it.

So let’s say you run an ecommerce business. You’re going to collect the ID, contact and payment details of customers. The primary purpose of this is pretty obvious; to execute orders! You might have secondary purposes in mind, too; making future sales predictions and telling existing customers about new offers, for instance. In this example, the “means of processing” might be via a Cloud-based CRM system.

Are you a data processor?

We’ve already seen that “data processing” is a very wide term. But a “processor” has a very distinct meaning under the GDPR. This refers to a person or body who is separate from the data controller (i.e. not an employee) and who processes personal data on behalf of that data controller. In other words, the controller gives the processor a specific job to do – and the processor does it.

Back to the example of the ecommerce business. It offers an extended warranty period on its goods. In order to keep track of any claims that might arise from this, it has decided to keep all customer purchase records for a period of three years. It hires a company to store this data on its behalf via an online archive system. This company is a “data processor” on behalf of the ecommerce business.

Can you be a data processor and a data controller?

In certain circumstances, yes. Here’s an example…

You carry out data analytics work on behalf of charities. You’ve been tasked with analysing a particular dataset containing personal information and producing a future needs prediction report. You are a “data processor” for that client.

Meanwhile, for your own research purposes, you want to analyse the information from datasets from lots of clients to produce a meta-report (assuming you get consent from the data subjects!). You’re processing the same data as before, but this time, you’re using it for a purpose that you have control over. In other words, for this, you’re a “data controller”.

What are the obligations of a data controller?

It’s true that the GDPR puts new compliance obligations on processors (more on these shortly). That said, it’s still the case that primary responsibility for compliance rests with the controller. In other words, it’s your job to make sure individuals’ rights are upheld.

From the “right to be forgotten” to IT security, there’s a lot to cover here. Good news, though; The Privacy Compliance Hub gives the full lowdown on all areas of compliance data controllers need to get to grips with. Clients can dip into it whenever anything compliance-related crops up.

A few controller obligations deserve special mention here:

  • Get registered (if you’re not already). Organisations that decide how personal data is processed must register with the regulator (in the UK, it’s the ICO). There’s a handy registration self-assessment tool for this.
  • Get on top of your documentation. In areas such as defining what data you need to collect, data sharing and security breach management, the GDPR places obligations on you to maintain full records. The Privacy Compliance Hub can offer precisely the methodology you need to keep on top of this.
  • Choose your processors wisely. If you outsource data processing tasks, you must look closely at potential partners’ privacy and security procedures. Only select data processors that provide proof that they will be able to perform their duties in compliance with the GDPR.

What are the obligations of a data processor?

The GDPR places new, direct statutory obligations on data processors. These include the following:

  • Restrictions on subcontracting. As a processor, do you contract out certain activities (storage or formatting, for instance)? If so, the GDPR states that you need specific permission from the controller for this, and you will need a contract with this subprocessor containing special provisions.
  • Security and reporting. If you suffer a security breach, you must notify the controller “without undue delay”.
  • Documentation. As with controllers, you are obliged to keep good records to demonstrate compliance. This includes a record of all categories of processing activities. Need to get to grips with this? The Privacy Compliance Hub can help.

Managing risks

Under the old law, the biggest risk faced by processors who failed to live up to reasonable standards was essentially a claim for breach of contract by the controller.

For processors especially, the GDPR marks a big shift. For the first time, processors face direct regulatory intervention – including reprimands and possible fines – in the event of a compliance breach. By identifying the procedures and tools you need to get compliance right, you should have everything you need to stay on top of your obligations.

For more information on data protection compliance, explore the rest of our hub here. If you’d like more information on how The Privacy Compliance Hub can bring your organisation up to speed quickly and securely, don’t hesitate to get in touch!