GDPR: Our Journey So Far

Our journey in data protection began in February 2017 with our adoption of the ISO 27001 framework for Information Security Management. This step underscored our commitment to upholding robust data protection standards globally. 

As providers of comprehensive data protection services on a global scale, we not only ensure our own compliance with the GDPR but also assist our clients in adhering to various international data protection laws and regulations such as the EU GDPR, PLPL, CCPA and CPRA. 

Specialising in Data Protection Officer (DPO) services across diverse sectors worldwide, we emphasise our dedication to safeguarding both personal data and sensitive information.  

Throughout our journey, we’ve recognised the importance of effectively communicating the significance of data protection from senior management to every team member. This understanding is crucial for our business’s success and reputation. 

We remain vigilant about the potential impact of existing and upcoming Data Protection Laws & Regulations, such as GDPR, on both our operations and our clients. Hence, we consistently strive to convey this message promptly and reinforce our internal culture of data security to ensure ongoing compliance.   


Mapping your data  

Unless your organisation gives real priority and resource to how it complies with Data Protection Laws such as the GDPR, it risks the financial and reputational damage that follows non-compliance. 

Take some time out with a DPO specialist, free from distractions, and list where you think personal data is stored. This list forms the first part of your data map. 

Keep it simple to start with. For each set of personal data, consider: 

  • how it is obtained (e.g. emails, website forms, CCTV) 
  • what is collected (e.g. name, date of birth, banking details) 
  • where it is stored (e.g. PCs, cloud-based systems) 
  • who has access, and whether it is shared outside your jurisdiction 
  • the purpose of the processing (e.g. compliance with a legal requirement) and its lawful basis 
  • the recipients, and the safeguards applied when data is transferred 
  • the retention schedule and the security measures protecting it 
  • the privacy notice that covers it, the consent records behind it, and any controller-processor contracts 

Examples of the records this produces include a register of individuals’ consent to processing and the assessments you conduct to identify and mitigate the risks of each processing activity. 

There are several ways of mapping this phase. We used a product called i2 Analyst Notebook to map our data, or “information flow”, but a simple flowchart in Word, or even a large flipchart or whiteboard, works just as well. Drawing it brings the data map to life, and you can see and add to it as the process continues. 



A Data Protection Assessment is a vital tool for organisations to ensure compliance with Data Protection laws and regulations. By examining the various aspects of the business, such as roles and responsibilities, communication, training, internal audit procedures, marketing activities, data flow, breaches and subject access request handling, organisations can identify gaps and take the actions needed to close them. The assessment is a series of questions that establish the current state of compliance and what steps need to be taken. 

The process involves reviewing policies, procedures, internal communications, incident logs, and other relevant documents to gather evidence of compliance with Data Protection laws. Once completed, the assessment informs the development of a Data Protection Action Plan. This plan outlines specific actions, sets timelines, allocates responsibilities, and establishes monitoring measures. 

As with our internal process, regular reassessment through gap analysis is essential to ensure ongoing compliance. Conducting assessments once or twice a year allows organisations to adapt to changes in regulations and business practices, ensuring that Data Protection remains a priority within the organisation. Ultimately, this proactive approach helps mitigate risks, protects individuals’ privacy rights, and builds trust with customers and stakeholders. If you’re interested, we can share our assessment questionnaire tool with you.  
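The data-mapping fields listed above and the gap analysis described here can be driven by a small script rather than a spreadsheet alone. The following is an added example, not TenIntelligence’s own tool or questionnaire: it holds each processing activity as a ROPA-style record and flags the gaps an assessment would look for (no lawful basis, consent relied on without a consent register, special-category data without a condition, no retention period, a restricted transfer without a safeguard). The field names, rule set, the list of destinations treated as not needing a safeguard, and the three sample records are all this example’s own assumptions and constructed data; check them against current ICO guidance before relying on them.

```python
"""Added example: a ROPA-style data map with a simple gap check.

Fields mirror the data-mapping questions (source, data types, storage,
access, recipients, transfers, lawful basis, retention, security). The
rules are illustrative assumptions, not a legal checklist.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption for the example: transfers to these destinations are treated as
# not restricted. Real decisions depend on current adequacy regulations.
ADEQUATE_DESTINATIONS = {"UK", "EEA"}

# Special-category data (GDPR Article 9) needs an additional condition.
SPECIAL_CATEGORY = {"health", "biometric", "genetic", "ethnicity", "religion",
                    "political opinions", "sexual orientation", "trade union"}

LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interests"}


@dataclass
class ProcessingRecord:
    activity: str
    purpose: str
    source: str                      # e.g. "website form", "CCTV"
    data_types: list[str]
    storage: list[str]               # e.g. "on-prem PC", "cloud CRM"
    access: list[str]                # roles that need access
    recipients: list[str] = field(default_factory=list)
    transfer_destinations: list[str] = field(default_factory=list)
    transfer_safeguard: str | None = None     # e.g. "IDTA", "UK Addendum"
    lawful_basis: str | None = None
    special_category_condition: str | None = None
    retention_months: int | None = None
    consent_record: bool = False              # is consent logged in a register?
    security_measures: list[str] = field(default_factory=list)


def check_record(rec: ProcessingRecord) -> list[str]:
    """Return the gaps found for one processing activity (empty if none)."""
    findings: list[str] = []
    if rec.lawful_basis not in LAWFUL_BASES:
        findings.append("no valid lawful basis recorded")
    if rec.lawful_basis == "consent" and not rec.consent_record:
        findings.append("consent relied on but no consent register")
    if (set(rec.data_types) & SPECIAL_CATEGORY) and not rec.special_category_condition:
        findings.append("special-category data without an Article 9 condition")
    if rec.retention_months is None:
        findings.append("no retention period set")
    restricted = [d for d in rec.transfer_destinations if d not in ADEQUATE_DESTINATIONS]
    if restricted and not rec.transfer_safeguard:
        findings.append(f"restricted transfer to {', '.join(restricted)} without a safeguard")
    if not rec.security_measures:
        findings.append("no security measures recorded")
    if not rec.access:
        findings.append("access not defined")
    return findings


def gap_report(records: list[ProcessingRecord]) -> dict[str, list[str]]:
    """Map each activity name to its list of findings."""
    return {r.activity: check_record(r) for r in records}


# Constructed sample records for the example (not real client data).
SAMPLE_RECORDS = [
    ProcessingRecord(activity="Payroll", purpose="pay staff", source="HR onboarding form",
                     data_types=["name", "date of birth", "bank details"],
                     storage=["cloud payroll system"], access=["HR", "Finance"],
                     recipients=["payroll provider"], lawful_basis="legal obligation",
                     retention_months=72, security_measures=["MFA", "encryption at rest"]),
    ProcessingRecord(activity="Marketing newsletter", purpose="send updates",
                     source="website sign-up", data_types=["name", "email"],
                     storage=["cloud email platform"], access=["Marketing"],
                     transfer_destinations=["India"], lawful_basis="consent",
                     consent_record=False, retention_months=None,
                     security_measures=["MFA"]),
    ProcessingRecord(activity="Occupational health", purpose="manage sickness absence",
                     source="employee self-report", data_types=["name", "health"],
                     storage=["on-prem HR PC"], access=["HR"],
                     lawful_basis="legal obligation", retention_months=72,
                     security_measures=["disk encryption"]),
]

if __name__ == "__main__":
    for activity, findings in gap_report(SAMPLE_RECORDS).items():
        print(activity, "->", findings or "no gaps found")
```

Run it on your own records and the output becomes the first draft of the Data Protection Action Plan: each finding needs an owner, a timeline and a monitoring measure.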


Internal process changes 

You have a responsibility under the GDPR to review and update your internal policies and procedures so that they reflect your compliance with the GDPR, and to communicate them to your employees and third parties. Don’t assume that everyone will comply with a written request; talk with them too. Make regular Data Protection Training and Data Protection Impact Assessments (DPIAs, the GDPR’s term for Privacy Impact Assessments) part of your organisation’s plan. 

Decisions to set include how long to retain personal information; who has access to it (and who does not need access); how you keep a record or register of the consents you hold; and how you review your ongoing relationships with individuals and their data. 

Consider also the procedure you will follow if you ever have the misfortune to detect a breach. Under the GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, and to the affected individuals without undue delay where the risk to them is high, so decide in advance: does your organisation need a dedicated Data Protection Officer (DPO), or someone else to take responsibility for data protection compliance? Who reports a breach, and to whom? Do you outsource your data protection compliance?  

Ensure you have a procedure to follow when receiving a Subject Access Request (SAR). For instance:

  • how will you verify the identity of the person making the request
  • how will you source the data you hold
  • how will you redact information where required (for example, other people’s personal data)
  • how will you share the data with the subject securely

All of this must fit within the GDPR’s deadline of one month from receipt. That period can be extended by up to two further months only where requests are complex or numerous, and the requester must be told of the extension, and the reasons for it, within the first month.   

Legal Terms 

The UK General Data Protection Regulation (UK GDPR) applies to processing by organisations established in the UK, and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. At some point, professional advice on data protection will be necessary to ensure that your contracts and privacy notices adequately address the legal requirements. 

Determining the lawful basis for each processing activity (and, where you rely on legitimate interests, documenting that assessment) is crucial. Areas to consider alongside it include: 

  • Training and awareness 
  • Data security 
  • Minimization of data storage 
  • Rights of data subjects 
  • Internal policies and procedures 
  • Compliant marketing strategies 
  • Transfers and restricted transfers 
  • Website privacy notices and cookie banners 

Again, conducting a Data Protection Assessment and Data Mapping (which feeds the Records of Processing Activities, or ROPA, that Article 30 of the GDPR requires many organisations to keep) will help identify areas requiring assistance. Once you’ve identified your data, analysed the gaps, mapped your processes and consulted a data protection professional, much of the groundwork will be complete.  


Register with the ICO 

Finally, and many organisations forget this, register your organisation with the Information Commissioner’s Office (ICO) and pay the data protection fee unless you are exempt, or, if you are based outside the United Kingdom, register with the relevant supervisory authority. The GDPR is organic and will change over time. Data Protection Professionals provide guidance on current data protection matters, including success stories and failures, and reportable breaches must be notified to the ICO. Keep monitoring developments, continue to audit your processes and keep your internal housekeeping in order. 

If you make data protection part of your working day and culture, it will become much more manageable. However, if you haven’t done so already, make a start. 

Email us at dpo@tenintel.com and follow us on LinkedIn and Twitter @TenIntelligence for all updates. 


Our Intelligence | Your Assurance

5 Years on from GDPR

Today marks five years since the General Data Protection Regulation (GDPR) came into effect, revolutionizing the way we handle data. As we commemorate this milestone, we want to share 10 key learning points that have emerged since GDPR’s implementation. We also invite you to reflect on your own experiences by asking open-ended questions that delve into your data protection journey.

Ten Considerations under GDPR

  1. Transparency Matters: Are you aware of how your data is being collected, used, and stored?
  2. Consent is Crucial: Where you rely on consent, is it freely given, specific, informed and unambiguous, and explicit where special-category data is involved?
  3. Data Minimization is Key: Are you collecting only the necessary data for your business purposes?
  4. Accountability Is Non-Negotiable: Have you appointed a Data Protection Officer (DPO) or taken necessary steps to ensure accountability?
  5. Security is a Priority: Have you implemented appropriate technical and organizational measures to protect data?
  6. Breach Readiness is Essential: Are you prepared to handle data breaches promptly and effectively?
  7. Privacy Policy Notices Are Informative: Are your privacy notices clear, concise, and easily accessible?
  8. International Data Transfers Require Caution: Do you have appropriate safeguards in place for transferring data internationally?
  9. User Rights Are Empowering: Are you facilitating the exercise of data subjects’ rights, such as access, rectification, and erasure?
  10. Regular Reviews are Essential: Have you conducted periodic assessments and audits to ensure compliance with GDPR?

We are at an interesting time in the world of Data Privacy & Protection, with upcoming privacy and data laws and regulations, such as the Data Protection and Digital Information Bill.

We would love to hear your insights and experiences on these topics, and how you have been preparing for updates and changes. Share your thoughts with us, and together, let’s continue our commitment to data protection excellence. And here’s to another five years of robust data protection!

Learn how our comprehensive DPO service can safeguard your business, ensure GDPR compliance, and give you peace of mind.


Lynsey Hanson | Data Protection Officer



GDPR turns 5 – what have we learned so far?

It has been almost 5 years since the General Data Protection Regulation (GDPR) came into effect in the UK on 25 May 2018.

Key developments and trends that emerged following the introduction of GDPR

  1. Brexit: UK businesses are now subject to the UK GDPR, which largely mirrors the EU GDPR. 
  2. GDPR has resulted in high-profile fines for non-compliance, including a €50 million fine against Google (issued by France’s CNIL in 2019) and a €746 million fine against Amazon (issued by Luxembourg’s CNPD in 2021).   
  3. Some businesses are required to appoint a Data Protection Officer under GDPR.  
  4. Other jurisdictions, such as Brazil, California, and China, have now adopted similar data protection regulations.   
  5. GDPR has increased litigation activity related to data protection.   
  6. The European Data Protection Board (EDPB) was established to ensure GDPR is applied consistently across the EU.  
  7. GDPR restricts transfers of personal data to countries without an adequacy decision unless appropriate safeguards (such as standard contractual clauses or binding corporate rules) or a specific derogation apply.   
  8. For restricted transfers from the UK, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses (SCCs), replaced the old EU SCCs as the transfer safeguard; the EU SCCs remain in use for transfers from the EU.   
  9. GDPR has led to increased use of data protection tools, such as encryption and pseudonymisation.  

How to comply  

  • Review and update your privacy policies and procedures to ensure they comply with GDPR requirements.  
  • Implement appropriate technical and organizational measures to protect personal data.   
  • Appoint a DPO if required under GDPR.  
  • Train staff on GDPR compliance and ensure they are aware of their obligations.  
  • Conduct regular assessments of your compliance with GDPR.  
  • Notify the supervisory authority of reportable data breaches within 72 hours, and affected individuals without undue delay where the risk to them is high, as GDPR requires.   

TenIntelligence is a leading influence in the due diligence, fraud investigation, brand protection, and cyber security community. Reach out for Virtual Data Protection Officer (DPO) services that ensure your compliance.


Written by Lynsey Hanson | Data Protection Officer