How can I prove my organisation is GDPR compliant?

Proving GDPR Compliance

The GDPR came into effect on May 25th and introduced increased accountability for data. On top of this, businesses saw increased penalties for failure to comply.

However, unlike with the existing Data Protection Act, compliance alone will not be enough. In order to avoid crippling fines, proving GDPR compliance is of utmost importance. But how can you demonstrate compliance?

In this article we are going to outline some of the accountability measures you can undertake:

Data Protection Audits

If you are not fully aware of all the personal data you store, and where you store it, it will be almost impossible to comply with the GDPR, let alone demonstrate compliance. This is why data protection audits are essential.

The tasks involved include identifying all the personal data that your organisation holds, and reviewing it against the following questions:

  • Why am I holding this data?

  • How did we obtain it?

  • How long will we retain it?

  • How secure is it?

  • Do I ever share it with third parties?

It is beneficial to look at the flow of data out of your organisation so that you can ensure that its security is maintained for the duration of its life cycle.

Appointment of a Data Protection Officer (DPO)

In certain instances, it may be necessary for your organisation to appoint a DPO.

We have written an additional article to help you decide whether or not this is a necessary step for your organisation. It also includes what duties the role entails, and who is eligible to carry it out.

Staff Data Protection Training

In preparation for the GDPR, all members of staff should be provided with data protection training. Employers must ensure they understand what changes the new legislation will bring about, and the new policies that will be actionable as of May.

All staff should also be aware of the changes to data breach notifications, as they will be mandatory within 72 hours under the GDPR.

In addition to this, all new employees should receive adequate data protection training before they are given access to personal data.

Privacy Impact Assessments (PIA)

Although PIAs are not a new measure, the GDPR outlines certain cases in which they should be undertaken. PIAs should be carried out when planning out a new initiative which may involve ‘high risk’ data processing.

‘High risk’ is defined as an activity which may compromise the data subjects’ right to privacy, such as systematic evaluations or processing special categories of data like race or medical information. The purpose of conducting a PIA is to identify and minimise non-compliance risk.

Data Protection Policy Reviews

If your organisation already operates in alignment with other data protection policies, it is important that you review them to mitigate any incompatibilities with the GDPR. For example, the GDPR may amend certain rights that overlap with existing policies. Consequently, those policies will also need to be adapted to ensure overall compliance.

During the review of your organisation’s existing policies, you should also consider who the policy primarily applies to. If the policy relates to children, for example, it should use clear and simple language so that it can be easily understood.

It is also essential that existing policies can be easily accessed by their intended audience. Therefore, they can’t be hidden away in a long list of terms and conditions.

The ICO encourages the use of pseudonymisation in order to strengthen data security and privacy. It can be defined as the technique of processing data in such a way that the person to whom it belongs can no longer be identified unless the data is cross-referenced.

This technique can be essential when processing data, in particular when the data is processed in a way that is separate from the purposes for which it was originally obtained.


We wish to emphasise that Arden Group is a Managed Service Provider and not a legal firm. That means that the views brought forward in this page are not necessarily shared by lawyers or courts.

Arden Group, therefore, does not guarantee that all information is factual and interpreted correctly. If you wish to ensure your advice or your company is legally covered by GDPR, consider consulting legal or specialised advice.
