Is personal data protection ‘business as usual’ for your organisation?

The GDPR now forms part of the Data Protection Act 2018,
and it concerns so much more than consent to send email.
Are you fully compliant with the new law?

Oyster IMS specialise in information governance, data protection and privacy.

About GDPR

About GDPR

The GDPR passed into UK law on 25 May 2018. A major legislative change that will continue to impact every business in the UK, Europe and beyond.

The Data Protection Act 2018 is a significant development in ensuring the privacy of personal data, giving individuals greater control over their data, including the ability to export it, withdraw consent and request access to it.

The law also create a number of obligations for organisations that hold any personal data.
These include responsibilities to ensure the privacy of all personal data, to keep up-to-date records of their data processing activities, and to employ processes which both limit any potential impacts of processing personal information and enable individuals to exercise their legal rights.

The new Data Protection Act ensures that the GDPR applies in the UK irrespective of Brexit.



What is a ROPA?

ROPA stands for Record of Processing Activities.  

Article 30 of the GDPR requires you to maintain a record of processing activities.

You will be required to produce this, if requested by the supervisory authority, e.g. the Information Commissioner’s Office (ICO) in the UK.

The ROPA must include a comprehensive overview of the processing activities you undertake. The ROPA lists every single processing activity, describing the exact usage of the data, the technical and organisational measures that have been put in place for the protection of the data. It shows who is affected by data processing, the recipient of data processed, and any other data processors. The ROPA should also include a risk analysis.

A ROPA demonstrates your organisation’s GDPR compliance and so it is essential that it is well-managed and organised.

How do I find out how compliant I am? What do I need to do next?

The first step is to recognise that something needs to be done, this shouldn’t be ignored and should be done as soon as possible.

The next step is to assess your current situation to establish how compliant you are and what to do next – “Where are we now? “And where do we need to be?”

Once you know where you need to be, you can make a considered decision and include GDPR compliance requirements into your overall risk and compliance framework.

Your approach to auditing should provide a measure of two key factors: Risk and Readiness.

The steps towards compliance depend on your circumstances, so there is no fixed template which will suit all organisations. Variations in size, activity and operations mean that each organisation will have a unique risk profile that can vary considerably.

Understand YOUR risk and get an expert view of YOUR readiness for the GDPR – >> Book your Risk and Readiness Review 

What are the big risk areas?

This is one of the hardest areas to address, the areas and size of risk will vary for every organisation – this really needs to be evaluated by a proper Risk Assessment.

One thing to bear in mind is that the risk should be evaluated from the point of view of the individual and should be judged according to the size or scale of the risk to the individual.

The GDPR describes the risk areas but there is an element of judgement for each organisation. It is not as simple as measuring how many individuals’ data you process, but rather the type of data and extent of processing – all factors which affect the level of risk.

For example, if you are responsible for a small amount of personal data which could, if not properly managed, present a very serious potential impact on the individual, then the risk must be judged as high, and you must take appropriate steps to mitigate risks and safeguard the personal data.

What is personal data?

Article 4 of the GDPR uses quite a broad definition of personal data as:

“… any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”

In effect, personal data is anything about an individual. This includes personal data collected as part of internal business processes e.g. HR records, contracts and payroll, as well as records of customers, members, prospects and subscribers.

It should be noted that from a Sales and Marketing perspective, personal data exists in both Business to Consumer activities (B2C) as well as Business to Business (B2B).

What personal data do you hold?

What is a Personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. A breach occurs if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach.

What is a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
You must do a DPIA for processing that is likely to result in a high risk to individuals.

It is also good practice to do a DPIA for any major project which requires the processing of personal data.

Your DPIA must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

What are the benefits of being compliant with the GDPR?

As the protection of privacy becomes ever more of an issue for individuals, having a good reputation in this respect will become a differentiator and will allow customers to make a more informed choice based on trust.

– The processes for ensuring compliance should also support good information governance, while generating procedural and operational efficiencies, including storage and costs savings.

– Concepts such as Privacy by Design can help to ensure that operational processes are planned and developed in a way that helps to avoid later disruption, manage reputation, and drive the quality of products and services.

– New GDPR requirements such as pseudonymisation and encryption of personal data will help to support big data analytics, by ensuring that large volumes of data provided for analysis are delivered in a way which supports the privacy of the individual, and helps to release the value of that information.

Find out how compliance can be a transformation project.

What is a DPO?

DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.



What does a Data Protection Officer do and who can be a DPO?

Organisations must appoint a DPO if they are a public body, or process sensitive data on a large scale or complete regular and systematic monitoring of data subjects. Deciding what is meant by large scale is open to interpretation but organisations would be advised to err on the side of caution. Earlier thoughts during the development of the GDPR about the need for a DPO indicated larger organisations would need one. If you meet that threshold and decide not to have a DPO, you will need compelling reasons.

Larger organisations – those with over 250 staff – have additional responsibilities including the requirement to document all processes involving the handling of personal data.

A DPO doesn’t need to be a specified member of staff, as a third party can be used. In Germany, this practice has been in use for some time, with specialist agencies offering DPO services.

It’s essential that the DPO has a level of independence and authority with regard to the organisation.

It’s also very important to establish that a DPO has the appropriate skill levels, training and ability to access the information they require.

It is therefore critical that the DPO has the ability to both understand the law and how it should be applied within the organisation, This expertise must be applied to an understanding of the ways that the organisation acquires and processes information, as well as the security and protection measures employed.

It’s quite likely that many individuals who currently have the role of data protection representative, may not be suited to the new DPO role.

Will you need a DPO?

Can we contract out the role of the DPO?

You can contract out the role of DPO externally, based on a service contract with an individual or an organisation. It’s important to be aware that an externally-appointed DPO should have the same position, tasks and duties as an internally-appointed one.
More information on our DPO Managed Service

My business is registered for Data Protection already – what has changed?

The initial change is that you no longer have to register. If you capture, keep or process any personal data of data subjects who are in the European Union then you are subject to the GDPR.

There are a number of major new requirements in the GDPR, (see below), but for those companies which have good procedures to comply with the current DPA, the transition to the GDPR should be easier to manage.

The regulator has lots of new rights, including very hefty financial penalties and the right to stop or restrict you from processing any personal data. For example, the regulator can audit your personal data processes, which must be documented, requiring you to produce all those procedural records.

Does it apply to everyone; how can I find out if it applies to me?

The GDPR applies to every organisation that uses personal data to provide goods or services to anyone residing in an EU country. This rule applies irrespective of the location of the organisation itself, so UK businesses are directly affected. There are some rare exceptions in regard to law enforcement agencies.

It covers any organisation which offer goods or services, which includes both paid for and free services; or any organisation who monitor the behaviour of data subjects within the EU.

In short, if you provide any services to residents or citizens of the EU, the GDPR applies to you.

What are the new requirements?

Breach notification – An important requirement that companies must notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects may also have to be notified, but only if the breached data poses a “high risk to their rights and freedoms”

Fines – The higher fines are generally applied if the rights of individuals have been breached, if there are issues around international transfer and where there is non-compliance with the regulator. The second tier of fines, which are still significant, refer to more procedural and operational failures.

The Right to Erasure and To Be Forgotten –The GDPR includes rights for personal data published on the web. This relates to the right to stay out of the public view and “be forgotten”.

Extraterritoriality – This new principle says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects, e.g. through a website, then all the requirements of the GDPR will apply. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.

Privacy by Design (PbD) – The new law makes explicit the principles of minimising data collection, retention and gaining consent from consumers when processing data.

Data Protection Impact Assessments (DPIA) – When certain data associated with subjects is to be processed, companies must first analyse the risks to their privacy.

The new requirements will mean changes for all organisations

Why has this new law been brought in?

The General Data Protection Regulation (GDPR) is a regulation which intends to strengthen and unify data protection for individuals within the European Union (EU).

The GDPR covers personal data. (Sometimes referred to as personally identifiable information – PII). This includes names, addresses, phone numbers, account numbers, email and IP addresses.

The goal of the GDPR is to give control and power over personal data back to users. It’s your personal data but in many cases you’re not really in control of it. The new law is a significant development for personal privacy which aims to return the balance back in favour of the individual.

The GDPR takes into account the many advances in new technology and media.

When the existing Data Protection Act (DPA) was introduced, in 1998, the internet was very new. People didn’t understand the full implications of what it would lead to. Additional developments such as social media and cloud computing have drastically altered the information landscape. It is clear that far more information is now being held, processed and transferred. Our personal data now contains many more types of information and it is used in more ways than ever before.

The GDPR adds new requirements for documenting procedures, performing risk assessments, notifying the consumer or user and authorities when there is a breach, as well as strengthening rules for data minimisation.

In summary, the GDPR legislates a lot of common sense data security and privacy ideas: minimise collection of personal data, delete personal data that’s no longer necessary, restrict access and secure data through its entire lifecycle.

Will the law change the way in which I can contact my customers?

Where you have existing customers, i.e. persons to whom you have provided a product or service – even if provided free of charge – you are permitted to stay in contact with them, provided that you:

a) can provide evidence that they are your customers, and
b) you offer them at all times the opportunity and ability to decline future contact with your organisation.

You may hold other personal data, for which you rely on the consent of the data subject, e.g. lists of leads, prospects, website contacts or blog subscribers. In these cases, it is essential that:
– their consent was freely and knowingly given, and that you can prove this,
– that you use their information only for purposes consistent with the consent that was given,
– that the data subjects have the opportunity to withdraw their consent.

This area is complex, and the exact way in which the regulations should be applied will be dependent on the ways in which any existing personal data – and consent – was acquired. Furthermore, it is essential to plan and implement compliant processes and systems that follow a Privacy by Design framework to ensure that all personal data held or processed in the future is secure. Above all, it’s essential that you document all your processes concerning the handling of personal data, and that these are designed with the individual’s privacy rights as the main consideration.

How can you introduce Privacy by Design?

Do we just need some new policies?

Compliance with the GDPR means properly designing and documenting compliant systems, procedures and processes which ensure the protection of personal data. This starts with executive ownership of the responsibility for personal data and will also entail training, good record keeping and the review of working practices.

The law has new requirements regarding the use of consent and how it should be obtained. To ensure individuals are being treated fairly, consent must be freely given and individuals fully informed. It is not acceptable to rely on silence or inactivity as consent.

It is definitely not enough to publish a policy which describes the intent to comply with GDPR.

Compliant procedures, systems and training are essential to GDPR.

What is Privacy by Design?

Privacy by design is an approach to projects that promotes Privacy and Data Protection compliance from the start.

Privacy and Data Protection obligations must not be an afterthought. They should be key considerations from the beginning of any project and then throughout its lifecycle.

Consideration should be given when building a new IT system which will store personal data, developing policies and using data for new purposes.

The GDPR requires organisations to implement technical and organisational measures to show that they have considered and integrated data protection measures into their data processing activities.





Demonstrating active compliance can be a great competitive differentiator, indicating to your customers that you take seriously the importance and responsibilities of personal data and privacy. Knowing that your organisation can comply will relieve concerns for both your and your customers.

Cyber Security

Cyber Security

New GDPR requirements such as pseudonymisation and encryption of personal data will help to support security, ensuring that data is held in a way which makes it much less valuable to attackers.

Information Governance

Information Governance

The processes you put in place to ensure compliance should also support good information governance, while generating procedural and operational efficiencies, including storage and costs savings.



Concepts such as Privacy by Design an help to ensure that operational processes are planned and developed in a way that helps to avoid later disruption, manage reputation, and drive the quality of products and services.



Effective and compliant tools can support your data protection and privacy measures, from file analytics to the use of secure repositories and tools to support retention policies and records management.

GDPR services

GDPR services

Risk and Readiness Assessment

Risk and Readiness Assessment

GDPR is much more than a compliance project, for us it represents a positive cultural shift in favour of our customers

A Risk and Readiness Assessment is a scoping and planning exercise consisting of:

  • Project Initiation and Planning
  • Review of Existing Policies and GDPR Progress
  • Stakeholder Interviews and Workshops
  • Analysis and Deliverables Production
  • A Detailed Proposal and Action Plan
  • Executive Presentation

About your assessment

  • You will understand all GDPR related information governance requirements and obligations
  • Delivered by experienced strategic, functional and technical consultants. Our consultants can supplement existing project teams
  • An analysis of people, process and technology aspects of GDPR
  • A comprehensive report of the “as is” GDPR environment
  • Your GDPR risks formalised and prioritised via RAG status
  • Remediation recommendations will cover strategy, tactics and quick wins
  • A fully costed proposal to support the business case for change
  • Services are provided on a project basis or “as a service”
  • A choice of on-premise, cloud-based or hybrid engagement, delivery and support
GDPR projects are led by consultants with qualifications from the International Association of Privacy Professionals (IAPP).

Data Map

Data Map
  • Fully map out and detail all data flows that involve Personal Data. Details must include to/from whom, if outside of the UK, transfer purpose, when, how, frequency, consent, safeguards and if there is a contract in place.
  • Detail data flows of all Personal Data sent outside of the originating country whether it be to the EU or outside of the EU as well as where it is sent internally within the organisation or to any additional third parties.
  • Complete a contract review so that all transfers of Personal Data are supported by sharing agreements with the third party which detail the third parties Data protection obligations.
  • Complete a risk assessment for all data flows involving Personal Data.
    Identify all level risks and implement mitigating actions.
  • Create an audit schedule to regularly update the information. Develop plans so that there is resource available to complete audits within the set timeframes.

Process and Systems Mapping

Process and Systems Mapping

This stage comprises a detailed discovery programme through a close business engagement , and include:

  • Mapping out and documenting details about the key business processes that use Personal Data.
  • A comprehensive information audit of all relevant business systems across the organisation. Including Personal Data stored in paper format.
  • Determining where the organisation is a controller and where they are a processor.
  • Identify and categorise the types of Personal Data used in the processes.
  • Document what Personal Data is held, where it comes from, whom it is shared with and it is stored and used.
  • Complete a risk assessment for all processes involving Personal Data.
  • Identify all risks and implement mitigating actions.

And then:

  • Create an audit schedule to regularly update the information. Develop plans for a resource available to complete audits within the set timeframes.
  • Create a procedure to update information in the event changes are made to how Personal Data is used in a business process.

Policy and Procedures Review and Creation

Policy and Procedures Review and Creation
  • Full Policy and Procedure review including how compliance is managed and monitored
  • Will include a review of how the company intends to meet the new individual rights
  • Commence a review of Privacy Notices to understand how they may have to change
  • Undertake a phased, risk-based Contract Review with all suppliers to understand the current level of data protection provision within supplier contracts
  • Once data movement and transfer has been documented, it will then be possible to identify which ones will need to be updated and with what clauses – general data protection or specific clauses relating to what is being processed and any limitations
  • May require support from a technical solution

Oyster IMS can support in the development of the policy and procedures based on these findings.

Technology Recommendations and Implementation

Outcomes from the Discovery Phase activities will allow you to finalise a programme of remedial and improvement work and associated technology for GDPR compliance.  Your technology options could include:

  • Creation of a secure content repository
  • File analytics to discover dark data and analyse content
  • Scanners and document capture sub-systems
  • Implementation of a document and records management system to manage work product and ongoing retention and disposition
  • Encryption and / or pseudonymisation (in use and in motion)
  • Security incident and event management (SIEM)
  • Policy management system
  • Contract management system
  • Consent management system

Ongoing Support

Ongoing Support

As a leading insurer at Lloyd’s, we take our data protection obligations very seriously. Oyster IMS have provided the expertise and efficient methodology to ensure that we can continue to operate in a compliant way under the GDPR regulations
Head of Information Governance and Privacy

Our GDPR Support Service provides on-site and off-site services to support the implementation of the Action Plan and any other services to support GDPR compliance. Including:

  • Activation and regular review of your Action Plan, based on your Risk and Readiness Review
  • A dedicated Oyster IMS Consultant to join your GDPR team as an external independent expert, attending monthly project meetings and carry out activities
  • Project support from our team of consultants, analysts, technology experts and project management staff
  • Monthly retained services guaranteeing expert Consultant oversight  and Analyst support
  • Access to GDPR Help Desk via Oyster IMS dedicated support portal
  • Advice and support for any other services as are needed to support GDPR compliance.
  • Regular updates on GDPR developments and lessons learned from close engagement with the wider GDPR community (including the regulator)

Download our brochure

  • Your email address is used only to send you the requested brochure. Please see our privacy policy to find out more.

  • This field is for validation purposes and should be left unchanged.

© Copyright 2022 Oyster IMS  |  Web design by Union 10 Design

Oyster IMS statement on impact of COVID-19

We do not believe that this outbreak will have a direct impact on most of our services.

We are continuing to monitor the situation, liaising with partners and suppliers critical to the operation of our services, and all those who are dependent on our business.