Accessibility links

Data Security – Data Protection Regulation - Ensuring Compliance

The General Data Protection Regulation (GDPR) requires organisations to protect the personal data of individuals.

  1. Factsheets
  2. ICT

The General Data Protection Regulation (EU 2016/679) came into force on 25 May 2018 adding new elements and significant enhancements to the existing data protection regime.

Roles and Responsibilities

In the run up to GDPR you will have considered if you needed to formally appoint a DPO – a necessity if:

  • You are a public authority or body; or
  • Your core activities require large scale, regular and systematic monitoring of individuals; or
  • Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

Many organisations chose to ensure that an individual or department has responsibility for privacy activities without the need for a formal DPO appointment. Ensuring that the roles and responsibilities for data protection are well known and documented in your organisation is a key compliance requirement.

ROPA - Record of Processing Activities

Documentation of the processing activities carried out by the organisation is a requirement of Article 30 of the GDPR (both UK and EU) if your organisation has over 250 employees. It is also a requirement for smaller companies if the data you process:

  • are not occasional
  • are likely to impact the rights and freedoms of individuals; and
  • involve special category data or criminal conviction and offence data.

Your ROPA should contain a data map of your systems that contain personal data along with information on the lawful basis of processing, the purposes and methods of processing data, data sharing and data retention policies and procedures.

It is important to ensure that there are regular reviews of this documentation as updates are likely over time.

There is further guidance from the ICO on ROPA best practice.

Policies and procedures

Your policies and procedures should clearly outline roles and responsibilities in your organisation covering a number of privacy related areas:

  • Data Protection and records management
  • Information security including breaches and incident management
  • The provision of information following individual rights requests – such as subject access requests and information notices
  • Data Protection by design and default to ensure issues are considered and documented (Privacy impact assessments) when new systems, services, products and processes are implemented, or existing ones amended
  • The privacy policy on your website should be reviewed regularly and the date of last update clearly displayed

Supplier Management

It is essential that contracts are in place with organisations that process data on your behalf. Contracts should set out the details of processing including:

  • The subject matter of the processing
  • Duration of the processing
  • Nature and purpose of the processing
  • Type of personal data and categories of data subjects
  • If any sub-processors are used.

A framework of due diligence checks to ensure that these organisations are operating the appropriate technical and organisational requirements to meet GDPR is needed.

Regularly reviewing the contracts and data sharing agreements you have in place with other organisations is recommended.

Training

Making sure your staff are aware of their responsibilities with regard to processing personal data is key. Induction and refresher training should include information on data protection, potential security threats and your organisation’s information governance policies and structures. Monitoring and documenting training completion is an important element in being able to demonstrate your compliance.

Other laws and regulations

There are various other Acts and regulations in the UK which have a bearing on data security. These include:

  • Privacy and Electronic Communications Regulations (PECR) 2003 - which cover ‘spam’ and mass-marketing mailshots. Regulations under the PECR are also issued from time to time. For example, regulations on the use of cookies on websites, and in 2016 to require anyone making a marketing call to display their number
  • Copyright Design and Patents Act - amended in 2002 to cover software theft
  • There may be other IT standards and regulations applicable: for example, companies processing credit card transactions need to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS).

Sources and links

ICO home page for organisations

EU GDPR portal - http://www.eugdpr.org/

Latest News

Minimum wage rose on 1 April

07 Apr 2025

Increases to the National Living Wage and National Minimum Wage took effect from 1 April.

Find out more

No further tax increases in Spring Statement

07 Apr 2025

Chancellor Rachel Reeves announced 'no further tax increases' in the 2025 Spring Statement.

Find out more

Finance Act 2025 receives Royal Assent

07 Apr 2025

The first Finance Act of the Labour government has gained Royal Assent and passed into law.

Find out more

Testimonials

simon-dixon.jpg

After working with Nicholas Charles for a year, we brought him on to join our board advisory team for BankToTheFuture.com because of his unique combination of financial tax advice, commercial understanding and ability to introduce the right connections at the right time. Nicholas has provided tax advice to our investors, facilitated introductions to investors as well as help us to implement controls and procedures to get the right balance of compliance, responsible procedures and good business practices. If you want somebody that understands the commercials of business and deal making combined with the technical skills of finance, tax and increasing shareholder value, Nicholas Charles is your man.

Simon Dixon | CEO & Co-Founder BankToTheFuture.com
paul-strank.jpg

Nicholas has been an active supporter of our charity, and the Charles Group have sponsored our last three summer parties. He understands family businesses like ours but more importantly the need to give back to the local community and the life changing differences that can be brought about by charities. This is why we quickly became a client of the Charles Group. Nicholas appreciates that having a purpose greater than the individual needs of members can bring a family closer together as well as inspire the next generation. We admire Nicholas’ authentic approach towards Family Prosperity.

Paul Strank MBE and Irene Strank MBE | Founders of Paul Strank Roofing and the Paul Strank Charitable Trust
penny-power.jpg

I have worked with the Charles Group for 2 years on some very exciting projects and his ability to listen, provide objective advice and support my goals and ambitions has been a tremendous asset to me and my businesses. Nicholas cares deeply about those he works with and seeks to ensure great outcomes for all.

Penny Power OBE | Serial Entrepreneur
ehsen-shah.jpg

The Charles Group has been our trusted accountants since we founded B-Engaged in 2013. Over the years, they’ve become an integral part of our journey, consistently going above and beyond to help us save money, optimize our structures, and minimize tax liabilities. They are more than accountants—they are key partners in our success.

Ehsen Shah | Founder and CEO of B-Engaged: Sports Marketing Activations Agency
Gabby-Chrysanthou.jpg

From our early days as a startup to becoming one of the largest suppliers to Assos and River Island, The Charles Group has been a constant and invaluable partner. They’ve played a vital role in reducing our overheads, analysing and advising on client profitability, setting up our internal bookkeeping systems, and providing invaluable business guidance. Their expertise has also helped us manage and reduce our growing tax liabilities. The team at The Charles Group has truly become part of our business family.

Gabby Chrysanthou | Director and co-founder of Loaded London