GDPR North East


GDPR North East

GDPR North East – Reduce Risk

GDPR North East – businesses it is time to reduce risk and increase compliance. With Data2Action you’re in safe hands.

Data2Action Ltd are specialists in data privacy and business transformation. Based in the North East of England we work with businesses and organisations of all sizes and across the various sectors. Furthermore, we help our clients to use, protect and unleash value form their data.

GDPR 2018

From the 25th May 2018 all organisations who collect and use personal data (e.g. clients, suppliers or employees) must ensure they’re compliant with new legislation.  The General Data Protection Regulation (and Data Protection Act 2018) now impose significant fines for any organisation who fails to use and protect personal data properly.

You will find the most common and potentially biggest protection risk is poor practice and people ‘mishaps’. Therefore ensuring you and your employees understand the new regulation and how to apply it is paramount to your ongoing success.

Data Protection Officers

As experienced data protection practitioners, Data Protection Officers (DPOs) and members of the International Association of Privacy Professionals, we have a background in helping businesses understand and become compliant with the new regulations.

Data2Action GDPR Services

Our services can be tailored to your specific requirements. Moreover you will find we have cost effective packages based on the size and ‘type’ of your business.

Furthermore we adopt a practical and hands-on approach. Rest assured that we will work with you in the most appropriate way. In conclusion, helping you to achieve and maintain practices and processes aligned to complying with the regulation.

A complete list of our data protection services are detailed below. For further information please contact us via info@data2action.co.uk or 03332026397.


GDPR North East – Service Activity

Phase 1 Review and Gap Analysis

GDPR – Initial Health Check
  • Review, evidence of and high level assessment of current practices
  • Creation of a bespoke risk register and associated action plan
  • Risk register to form basis of Board updates

Phase 2 Closing the gap towards compliance

Implementation of actions identified from the healthcheck which may include:
  1. Training & awareness
  • Annual staff training
  • Ad hoc training
  • Mid-year staff knowledge checks
  1. Records of Processing
  • Comprehensive data mapping exercise to identify all sources or personal data
  • Documented records of processing activity in line with GDPR requirements
  1. Third party processing:
  • Complete Record of Processing for all 3rd party processors/ sub processors
  • Establish Data Processing Agreements for all 3rd party processors
  • Document due diligence undertaken for each 3rd party processor and implement systematic review processes to ensure ongoing due diligence
  • Ensure all relevant staff are fully trained to monitor and ensure adequate processing practices are in place and adhered to by 3rd party processors.
  1. Third country processing:
  • Establish appropriate safeguards exist
  • Evidential documentation of safeguards and monitoring protocol
  1. System Security:
  • Work with IT personnel to review all technological security measures Evidential documentation of safeguards and monitoring protocol
  • Document processes and controls to govern system access rights
  • Review and/ or create an Information Security Policy
  • Undertake appropriate and periodic checks to ensure security controls remain robust
  1. Policies:
  • Review/ update and/or create appropriate policies and privacy notices:
  • all policies are documented and made available to all staff Data Protection Policy
    • Data Protection Policy
    • Privacy notice (client, employee, 3rd parties)
    • Cookies notice
    • Systems access and acceptable use policies
  1. Breach, Subject Access Requests and Complaints:
  • Creation of:
    • Breach log and process
    • SAR log and process
    • Complaint log and process
    • Data retention log
    • Employee training log
  1. Data Privacy Impact Assessments
  • Determine the necessity for DPIAs
  • Complete all appropriate Data Privacy Impact Assessments
  • Develop & document processes for identifying the need for & completing DPIAs

Phase 3: Ongoing maintenance, management and governance

  1. Data Protection Officer (DPO) outsourced service provision
  • Registration with the ICO as DPO
  • Hands on support for managing data breaches and SARs
  • Liaison with ICO
  • Horizon scanning
  • Quarterly/ half yearly review of:
    • Risk register and action plan; updated accordingly post review
    • SAR log
    • Breach Log
    • Internal audit activity
  1. Board status report (quarterly/ half yearly)
  • Report detailing:
    • Current risk status and associated actions
    • SAR log
    • Breach log/ trends

“Data and information is a fundamental resource and deemed so important to the strategic achievement of objectives within an organisation that it should be treated similarly to that of any other major resource within a business. Accurate data and information need to be precise, timely and available. Furthermore, the information should be structured, have a clear purpose, use familiar language, provide specific context and a shared perception.”

Galliers and Leidner (2003)