GDPR Compliance Services

GDPR compliance is a legal requirement

The European Union General Data Protection Regulation (EU GDPR) came into force in the United Kingdom in May 2018. This legislation replaced the old Data Protection Act 1998 with a new version, the Data Protection Act 2018.

Following the UK’s exit from the European Union, the legislation effectively remained in place under the name of the UK General Data Protection Regulation.

Therefore, GDPR remains in force for all organisations that process personally identifiable information (PII) about individuals (i.e. living persons). Typically, for most organisations this means the data of their employees, customers, suppliers, prospects etc.

We provide a service that ensures your organisation is compliant with the legislation. We can fast track your compliance using our GDPR toolkit.

Note – we can provide discounts for charities; contact us for more information.

Benefits of GDPR compliance

There are numerous benefits of being compliant.

The most obvious one is that it’s a legal requirement and you must comply or face significant fines.

What are the penalties for non-compliance?

The penalties in the UK are typically based upon the significance of the breach of GDPR and the organisation's annual turnover.

The maximum fine is £17.5 million or 4% of the global turnover of the organisation, whichever is higher.

Details of the latest enforcement action can be found here.

What is required to be compliant with the GDPR?

Record of the Processing (ROPA)

Organisations that are classified as Data Controllers or Processors of personal data are required to have an up-to-date ROPA (Article 30).

Principles of Data Protection

All of the key principles of data protection (Article 5) must be adhered to, e.g.:

  • Purpose of the processing must be as intended
  • Excessive processing must not be undertaken
  • The processing must have a defined and supported legal basis
  • The retention of personal data must not be excessive and should be proportionate
  • The processing must be undertaken in such a way that the data is kept safe at all times
  • There must be accountability within the organisation for data protection

All of the processing of personal data must have a documented legal basis aligning to one or more of the following (Article 6):

  • Contract Necessity
  • Consent
  • Legal Obligation
  • Vital Interest
  • Legitimate Interest

Rights of Data Subjects

The rights of individuals (Data Subjects) must be complied with (Articles 12-23). These rights include:

  • Right of Erasure (right to be forgotten)
  • Right of Access
  • Right to be Informed
  • Right of Portability
  • Right of Rectification

Management of Incidents

Data Controllers are required to have a documented Incident Management Plan (Article 33).

The plan must have a compliant methodology for managing incidents. Incident reporting requirements must be followed, e.g. the Information Regulator must be informed within 72 hours of becoming aware of a reportable incident.

Information and Cyber Security

All data processing must be kept safe to avoid any issues with the confidentiality, integrity and availability of personal data.

The legislation requires that the organisation does everything in its power to keep the data safe (Articles 5 and 32).

Basically, this means doing whatever is technically and financially feasible for the organisation to do. However, there are also a number of mandated requirements under this area of the legislation.

Data Protection Governance

Data Controllers are required to check if they are legally bound to appoint a Data Protection Officer – DPO (Articles 37-39).

If so, they must appoint a DPO that is:

  • Qualified
  • Experienced
  • Free of any conflict of interest
  • Able to operate at the highest level in the organisation

Website Compliance

An organisation's website must be compliant (Articles 5, 6 and 32).

This requires it to be:

  • Secure
  • Supported by a legal basis for the processing
  • Transparent in relation to the processing

Special Categories of Data

Where an organisation processes special categories of data, it must conform to additional requirements (Article 9).

Special categories include:

  • Health data
  • Ethnicity data
  • Data on political affiliations
  • Data on sexual preferences

Additional requirements include having the right legal basis and completing risk assessments.

Artificial Intelligence (AI)

There are various requirements in relation to the use of AI. For example:

GDPR classifies any image or video containing identifiable individuals, such as employee head-shots or event photos, as personal data.

Article 7 mandates that organisations obtain explicit, documented consent before collecting, using, or sharing such assets.

Risk assessments are required to ensure that your AI adoption does not contravene the GDPR.

Third Party Due-Diligence

All Data Controllers must document which third parties process personal data on their behalf as a Data Processor (Articles 24-43).

Additional due-diligence and risk assessment requirements apply to ensure that these third parties do not present a risk to the processing.

Data Transfers and Residency

The legislation requires that organisations identify where personal data resides and if transfers are made between the UK and EU.

Where this occurs, transfer risk assessments need to be undertaken to assess the risk and identify any additional measures required, e.g. Standard Contractual Clauses.

Articles 45-47 are quite onerous to comply with and the law is likely to change in this area at some point.

Data Privacy Impact Assessments

Article 35 requires that organisations identify where there are requirements for formal risk assessments relating to the processing of personal data.

These include the processing of Special Categories of data and processing that is considered high risk, such as the processing of a significant number of records.

UK and EU Representation

Article 27 requires that organisations appoint UK and EU data protection representatives where there is a requirement to do so.

Those representatives must be based in the UK or EU and hold a record of the processing on behalf of the Data Controller.

Privacy by Design

Article 25 requires that organisations develop and manage a suitable plan for the ongoing management of data protection compliance.

The plan should demonstrate actions to improve the overall compliance of the organisation, especially where compliance issues have been identified in audits and monitoring activities.

How do you demonstrate compliance?

Know Your Processing

All organisations need to have reviewed and recorded what personal data they process as a Data Controller and as a Data Processor.

Adhere To The Principles

Adherence to the basic principles of data protection is the foundation of GDPR compliance. The basic principles are mandated for compliance.

Implement Privacy By Design

Data privacy has to be at the heart of what the organisation does in relation to the processing of personal data. Privacy must be planned and managed.

Monitor and Manage Compliance

There is no point in implementing GDPR and then leaving it to look after itself. Compliance with the legislation needs to be monitored and managed properly.

Current Incentives

We are offering discounts of 10% for small compliance projects and 15% for larger compliance projects.

What is our approach to GDPR compliance?

Step 1 - GDPR Audit

A typical GDPR compliance project starts with a detailed audit of your current status and how you comply with the various legislative requirements.

This involves a review of all of the specific articles and an assessment of the gaps in compliance.  This will enable us to develop a suitable plan for the compliance delivery.

Step 2 - Complete the ROPA

The record of the processing (ROPA) is fundamentally the building block of compliance.  Without the ROPA it is impossible to assess the detail of the processing of personal data and ultimately the compliance associated with it.

For example, the ROPA includes details such as the process name, what data is processed, what categories are processed, where the processing is done and under what legal basis it is processed.

Step 3 - Risk Review

Once the ROPA is complete, a full risk assessment of the identified processing is required to ensure that the compliance gaps are identified and a plan for addressing them can be developed.

The risks are evaluated based upon processing and the importance to the business.  Risk factors are based around the adherence to the core principles of data protection under Article 5.

Step 4 - Compliance Framework

Once the risks have been identified, our team determines the required mitigations.

Risks are mitigated by developing a robust compliance framework that is used to demonstrate compliance.

Typically this will include a set of appropriate policies and procedures, privacy plans, controls and additional artefacts such as training etc.

Step 5 - Privacy by Design

The final step is to ensure that privacy by design is now embedded into the culture of the organisation.  This means that privacy is now at the heart of business processes that involve personal data.

The last part of the GDPR compliance process is to re-assess compliance with all of the key areas of the legislation to ensure that the objective of full compliance has been achieved.
