GDPR imposes an obligation on those who control other people's personal data. Data controllers must be able to demonstrate compliance with 6 essential principles.

In summary, these principles are that personal data must be:

1. processed lawfully, fairly and transparently;
2. collected only for specified legitimate purposes;
3. adequate and relevant, but limited to what's necessary for your stated purpose for processing it;
4. accurate and kept up to date;
5. kept for no longer than necessary for the stated purpose;
6. processed in a way that is secure.

GDPR regulations

What does it mean, in practice, to be able to demonstrate compliance with these principles? Most importantly, you must have appropriate data protection policies and procedures. You may be a very fair person and only ever process data lawfully, fairly and transparently (as required by the GDPR). But if you don't have policies and procedures, you won't be able to demonstrate that.

You'll also have to be able to demonstrate that you correctly implement your policies and procedures and that you have effective compliance measures endorsed by the highest level of management in your business. You'll also have to provide training so that all staff understand what it means to be compliant with data protection principles, and you'll need policies for dealing with poor compliance and data breaches.

The Information Commissioner's Office says that, where appropriate, appointing a data protection officer (DPO) is necessary for demonstrating accountability. Businesses must appoint a DPO if their core activities include: regular and systematic monitoring of individuals on a large scale; or large-scale processing of information relating to criminal offences or 'special categories' – i.e. sensitive information on 8 specific topics, such as racial origin or political beliefs.

We expect most SMEs will not have to appoint a DPO. However, we'd suggest you choose someone to oversee data protection anyway, to help you demonstrate accountability.

Article 30 of the GDPR describes the records of data processing activities that you must keep. For example, the record must include your name and contact details, the purposes of the processing and any recipients of the personal data. In effect, this amounts to a data protection audit.

If you employ fewer than 250 employees, you might not have to comply with Article 30. However, the duty to be able to demonstrate compliance applies to all businesses that control data, so if your business controls personal data we'd suggest you conduct a data protection audit anyway.

What this means for you:

If your business controls personal information you must act fairly and in line with the principles of the GDPR. You must also be able to demonstrate this. How you do that will depend on your business and the personal information you control. At the very least, appropriate data protection policies and procedures will help. You should, however, also conduct an audit of the personal information that your business receives and processes.

How we can help:

Our Privacy and cookie policy for a website will help if you have a website through which you capture customer information. We also have an Employee handbook that instructs staff about the data protection principles and their obligations. Both documents are compliant with the current Data Protection Act, but we're currently working to update them for the GDPR.
