GDPR Compliant Automation You Can Trust

Appoint a Data Protection Officer (DPO) if required

If your organisation processes large volumes of personal data, handles special category data, or carries out systematic monitoring of individuals, you are legally required to appoint a DPO. Even if not mandatory, appointing one voluntarily demonstrates accountability.

Maintain a Record of Processing Activities (ROPA)

Article 30 of UK GDPR requires most organisations to maintain an up-to-date written record of all data processing activities. This includes the categories of data processed, the purpose, retention periods, and who data is shared with.

Establish a lawful basis for every data processing activity

You must have one of six lawful bases (consent, contract, legal obligation, vital interests, public task, or legitimate interests) for every type of personal data you process. Document your chosen basis — you cannot switch after the fact.

Publish a clear and compliant Privacy Notice

Your Privacy Notice must be written in plain English and cover: who you are, what data you collect, why you collect it, how long you keep it, who you share it with, and how individuals can exercise their rights. Display it prominently on your website and at every data collection point.

Implement a Subject Access Request (SAR) process

Data subjects have the right to request a copy of all personal data you hold about them. You must respond within one calendar month at no charge. Have a documented internal process so SARs are handled consistently and on time.

Obtain valid consent where required

Where consent is your lawful basis, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and vague language do not meet UK GDPR standards. Keep time-stamped records of how and when consent was obtained.

Review and update your cookie policy and consent banner

Under the Privacy and Electronic Communications Regulations (PECR), you must obtain opt-in consent for non-essential cookies before they are placed. Your cookie banner must not use dark patterns that nudge users towards accepting all cookies.

Conduct Data Protection Impact Assessments (DPIAs)

A DPIA is legally required before undertaking high-risk processing activities — such as processing biometric data, large-scale profiling, or using new technologies. Even where not legally required, DPIAs are best practice for any new project involving personal data.

Implement appropriate technical and organisational security measures

UK GDPR Article 32 requires you to implement security measures appropriate to the risk. This includes encryption, access controls, regular security testing, staff training, and clear incident response procedures. “Appropriate” is judged against the risk level, not a fixed standard.

Establish a data breach notification procedure

You must report personal data breaches to the ICO within 72 hours of becoming aware of them (where the breach poses a risk to individuals). If the breach is likely to result in high risk to individuals, you must also notify those individuals without undue delay. Have a documented breach response plan ready before a breach occurs.

Vet and contract with third-party data processors

Any supplier who processes personal data on your behalf is a Data Processor. UK GDPR requires a written Data Processing Agreement (DPA) with every processor, covering what they can do with the data and the security measures they apply. Don’t assume a standard supplier contract covers this.

Ensure lawful international data transfers

Transferring personal data outside the UK requires a lawful transfer mechanism. Common options include the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs. Verify where your cloud providers and SaaS tools store and process data.