GDPR: Our Journey So Far

GDPR: Our Journey So Far

GDPR: Our Journey So Far

Our journey in data protection began in February 2017 with our adoption of the ISO 27001 framework for Information Security Management. This step underscored our commitment to upholding robust data protection standards globally. 

As providers of comprehensive data protection services on a global scale, we not only ensure our own compliance with GDPR but also assist our clients in adhering to various international data protection laws and regulations like EUGDPR, PLPL, CCPA, and CPRA. 

Specialising in Data Protection Officer (DPO) services across diverse sectors worldwide, we emphasise our dedication to safeguarding both personal data and sensitive information.  

Throughout our journey, we’ve recognised the importance of effectively communicating the significance of data protection from senior management to every team member. This understanding is crucial for our business’s success and reputation. 

We remain vigilant about the potential impact of existing and upcoming Data Protection Laws & Regulations, such as GDPR, on both our operations and our clients. Hence, we consistently strive to convey this message promptly and reinforce our internal culture of data security to ensure ongoing compliance.   


Mapping your data  

Unless importance and resource are applied to how your organisation complies to Data Protection Laws such as GDPR, prepare to face the risk of the financial and reputational impact that organisations face due to noncompliance of Data Protection Law and Regulations. 

Take some time out with a DPO specialist, whilst having no distractions and list where you think data is stored. This will help form part of your data mapping.  

Keep it simple to start with, consider: Key aspects of data management and protection, including how personal data is obtained (e.g., through emails, websites, CCTV), types of data collected (e.g., name, date of birth, banking details), storage locations (e.g., PCs, cloud-based systems), access control, and sharing outside of your jurisdiction. It also covers organizational details, purpose of data processing (e.g., compliance with legal requirements), data recipients, and measures to safeguard data privacy during transfers.  

Additionally, this will addresses retention schedules, security measures, privacy notice information, consent records, and controller-processor contracts. Examples include maintaining records of individuals’ consent for data processing and conducting assessments to identify and mitigate risks associated with data processing activities. 

There are several ways of mapping this phase. We used a product called i2 Analyst Notebook to help map our data or “information flow”; but you can use a simple flowchart within Word, or even a large flipchart or board. This will bring your data mapping to life, and you will be able to see and add to your map as the process continues. 



Data Protection Assessment is a vital tool for organizations to ensure compliance with Data Protection laws and regulations. By examining various aspects of the business, such as roles and responsibilities, communication, training, internal audit procedures, marketing activities, data flow, breaches, and subject access request handling, organizations can identify gaps and take necessary actions to address them. This assessment involves asking a series of questions to determine the current state of compliance and what steps need to be taken. 

The process involves reviewing policies, procedures, internal communications, incident logs, and other relevant documents to gather evidence of compliance with Data Protection laws. Once completed, the assessment informs the development of a Data Protection Action Plan. This plan outlines specific actions, sets timelines, allocates responsibilities, and establishes monitoring measures. 

As is with our internal process, regular reassessment through gap analysis is essential to ensure ongoing compliance. Conducting assessments once or twice a year allows organizations to adapt to changes in regulations and business practices, ensuring that Data Protection remains a priority within the organization. Ultimately, this proactive approach helps mitigate risks, protects individuals’ privacy rights, and builds trust with customers and stakeholders. If you’re interested, we can share our assessment questionnaire tool with you.  


Internal process changes 

You have a responsibility under the GDPR to update and review your internal policies and procedures. The aim is ensure they reflect your compliance to the GDPR and communicate these to your employees and third parties. Don’t assume that everyone will comply with your request, talk with them too. Make it part of your organisation’s plan to implement regular Data Protection Training and Privacy Impact Assessments. 

Decisions like how long to retain personal information should be set; who has access to the information (and who does not need access); keeping a record/register of the consents you have; and reviewing your ongoing relationships with individuals and their data. 

Consider also the procedures you will follow if you ever have the misfortune to detect or report a breach. Does your organisation require a dedicated Data Protection Officer (DPO) or someone else to take responsibility for data protection compliance? Who and where do you report a breach to? Do you outsource your data protection compliance?  

Ensure you have a procedure to follow when receiving a Subject Access Request. For instance:

  • how will you source the data you hold
  • how will you redact information where required
  • how will you share the data to the subject securely. Whilst ensuring you handle the SAR within the 30-day deadline as per the GDPR.   

Legal Terms 

The UK General Data Protection Regulation (GDPR) applies to processing conducted by organizations operating within the UK or outside the UK . Mostly, the ones that provide goods or services to individuals within the UK. Eventually, seeking professional advice on data protection will become necessary to ensure that your contracts and privacy notices adequately address legal requirements. 

Determining the legal bases and legitimate interests for controlling or processing personal data of data subjects is crucial. Considerations include: 

  • Training and awareness 
  • Data security 
  • Minimization of data storage 
  • Rights of data subjects 
  • Internal policies and procedures 
  • Compliant marketing strategies 
  • Transfers and restricted transfers 
  • Website privacy notices and cookie banners 

Again, conducting a Data Protection Assessment and Data Mapping, also known under the GDPR as Records of Processing Activities (ROPA), will help identify areas requiring assistance. Once you’ve identified your data, analysed gaps, mapped processes, and consulted with a data protection professional, much of the groundwork will be complete.  


Register with the ICO 

Finally, which many organisations forget to do, register your organisation with the Information Commissioner’s Office or if you are based outside the United Kingdom, a relevant supervisory authority. GDPR will be organic and change over time. Data Protection Professionals provide guidance on current data protection matters, including success stories and failures. They must be reported to the Information Commissioner’s Office (ICO). Keep monitoring the developments, continue to audit your processes and keep your internal housekeeping in order. 

If you make data protection part of your working day and culture, it will become much more manageable. However, if you haven’t done so already, make a start. 

Email us at dpo@tenintel.com and follow us on LinkedIn and Twitter @TenIntelligence for all updates. 


Our Intelligence | Your Assurance