How To Guide
How to Comply with GDPR Data Protection Rules
GDPR applies to every UK business handling personal data.
Overview
Straightforward steps achieve compliance for most small businesses.
Step 1: Foundations
Data protection framework.
1. Data Mapping
- List ALL personal data collected
- Document storage locations
- Note who has access
- Record retention periods
2. Privacy Notice
- Clear, plain-English notice
- What you collect and why
- How long kept, who shared with
- Individual rights explained
Step 2: Operations
Day-to-day compliance.
1. Consent
- Freely given, specific, informed
- No pre-ticked boxes
- Record when obtained
- Easy opt-out
2. Security
- Encrypt data at rest and in transit
- Access controls
- MFA on personal data systems
- Annual staff training
Step 3: Rights and Breaches
Handle requests and incidents.
1. Subject Access Requests (SARs)
- Respond within 30 days
- Electronic format
- Verify identity first
2. Breaches
- Report to ICO within 72 hours
- Inform affected individuals if high risk
- Document ALL breaches
- Have response plan ready
Warning:
The 72-hour ICO reporting window starts when you become aware of the breach, not when you finish investigating it.
2. Lawful Basis for Processing
- Consent: Individual has given clear consent for a specific purpose
- Contract: Processing is necessary to fulfil a contract with the individual
- Legal obligation: Processing is required by law (e.g., tax records, employment law)
- Legitimate interests: Processing is necessary for your legitimate business interests
- Document your lawful basis for EACH type of data processing you perform
- Review lawful basis annually — business activities change over time
3. Data Minimisation and Retention
- Only collect personal data you actually need — no 'just in case' collection
- Review data collection forms: Remove fields that are not essential
- Set clear retention periods for each data type and document them
- Customer data: Retain for duration of relationship plus legal requirements
- Employee records: Keep for 6 years after employment ends (HMRC requirement)
- CCTV footage: Typically 30 days unless incident requires longer retention
- Implement automated deletion schedules where possible
- Conduct annual data purge of expired records
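As an added example that is not part of this guide, the retention schedule above expressed as a dry-run purge check: each record type carries a documented period measured from its trigger date, a legal hold blocks deletion (the CCTV "incident requires longer retention" case), and every decision is written to an audit line. The rule table, the record structure, the sample records and the six-year figure used for customer data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods from the guide; the table itself is an assumption.
# Each period runs from the record's trigger date (employment end,
# capture date, or end of the customer relationship).
RETENTION_RULES = {
    "employee_record": timedelta(days=6 * 365),  # 6 years after leaving (HMRC)
    "cctv_footage": timedelta(days=30),          # 30 days unless an incident hold
    "customer_data": timedelta(days=6 * 365),    # constructed placeholder period
}


@dataclass
class Record:
    record_id: str
    data_type: str
    trigger_date: date
    legal_hold: bool = False  # set when an incident or claim needs the data kept


def is_due_for_deletion(rec, today):
    """True when the documented period has elapsed and no hold applies."""
    if rec.data_type not in RETENTION_RULES:
        # An undocumented type is a gap in the retention register: fail loudly
        raise ValueError(f"no documented retention period for {rec.data_type}")
    if rec.legal_hold:
        return False
    return today >= rec.trigger_date + RETENTION_RULES[rec.data_type]


def run_purge(records, today):
    """Dry-run the annual purge. Returns (ids_to_delete, audit_lines); the
    audit lines are the evidence the accountability principle asks for."""
    to_delete, audit = [], []
    for rec in records:
        due = is_due_for_deletion(rec, today)
        expiry = rec.trigger_date + RETENTION_RULES[rec.data_type]
        action = "DELETE" if due else ("HOLD" if rec.legal_hold else "RETAIN")
        audit.append(f"{today} {rec.record_id} {rec.data_type} "
                     f"expires={expiry} {action}")
        if due:
            to_delete.append(rec.record_id)
    return to_delete, audit


# Constructed sample records for the dry run
SAMPLE_RECORDS = [
    Record("EMP-001", "employee_record", date(2017, 3, 31)),
    Record("EMP-002", "employee_record", date(2021, 9, 1)),
    Record("CCTV-17", "cctv_footage", date(2024, 1, 2)),
    Record("CCTV-18", "cctv_footage", date(2024, 1, 2), legal_hold=True),
    Record("CUST-9", "customer_data", date(2015, 6, 30)),
]

if __name__ == "__main__":
    ids, lines = run_purge(SAMPLE_RECORDS, date(2024, 3, 1))
    print("\n".join(lines))
```

Run it as a report before any real deletion and keep the audit output with your compliance records.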
4. International Data Transfers
- Post-Brexit, the UK has its own adequacy decisions for international transfers
- Transfers to EU/EEA countries are permitted under the UK-EU adequacy agreement
- Check if your cloud providers store data outside the UK/EU
- For non-adequate countries, use Standard Contractual Clauses (SCCs)
- Document all international data transfers in your records of processing
- Review transfer mechanisms when changing cloud providers or services
5. Staff Training and Accountability
- Train all staff who handle personal data at least annually
- Include data protection in new employee induction programmes
- Appoint a Data Protection Officer (DPO) if required by your processing activities
- Maintain records of all training completed with dates and attendees
- Create clear procedures for staff to follow when handling data requests
- Conduct regular compliance audits and address gaps promptly
- Keep evidence of compliance measures — you must demonstrate accountability
Pro Tip:
GDPR's accountability principle means it is not enough to comply — you must be able to prove you comply. Keep evidence of everything: policies, training records, consent logs, and DPIA documents.