Responsibilities of the Data Processor

Broadly speaking, a data processor has the same obligations as a data controller; however, there are some nuances which should be noted. Processors must also: perform only the processing defined by the data controller (or legal requirements); obtain the written consent of the data controller before appointing a sub-processor […]


Encryption is the process of encoding a message or information in such a way that only authorised parties can access it and those who are not authorised cannot. Authorisation is often provided in the form of an alphanumerical decryption key, which can be of different lengths, often measured in ‘bits’. A 256-bit encryption key […]


Pseudonymisation can be defined as “personal data which is rendered less likely to lead to the identification of the data subject without the use of additional information”. Therefore, as long as such additional information is kept separately, pseudonymisation offers some level of additional protection of the data. An example of weak pseudonymisation might include a […]


Anonymised information is information which does not relate to an identified or identifiable person or to personal data rendered anonymous in such a way that the data subject is no longer identifiable.  Anonymisation is the process of removing personal identifiers, both direct and indirect, that may lead to an individual being identified. An individual may […]

High Risk Assessment

A high risk assessment is not a term specifically noted within the data protection regulation.  It is a term used within ProvePrivacy to refer to a specific assessment of an activity to determine if there are any factors which might be deemed a high risk to the data subject. Our high risk assessment is one […]

Third Countries

A third country is a country which the EU does not deem ‘adequate’ in terms of its laws surrounding data protection. Because the list of adequate countries is expected to change regularly, so will the list of third countries. Any personal data which is being transferred to a […]

Supervisory Authorities

All of the EU’s member states must provide one or more independent supervisory authorities, which must act independently of the government and must be provided with adequate resources to undertake their duties. Supervisory authorities’ tasks will include: monitoring the application of GDPR; promoting public awareness; handling complaints raised; giving advice on processing operations when consulted […]

Data Protection Policy

An important aspect of managing data protection within your organisation is having a clear understanding of how you plan on managing data protection risk.  A data protection policy will help your organisation to define how it will approach data protection and provide colleagues with a clear outline of what is expected of them when data […]

Responsibilities of a Data Controller

A data controller has significant responsibilities under data protection regulation. These include: complying with the data protection principles; honouring the rights of the data subject; delivering data protection by design and by default; implementing data protection policy and ensuring colleagues understand responsibilities; keeping records of processing activities; managing the transfer of data to third parties […]

Record of Processing Activities

A record of processing activities (ROPA) is required in order to help demonstrate that an organisation processes personal data in accordance with the data protection principles.  It identifies how the organisation processes personal data and the activities which it undertakes. Your ROPA must contain the following: The name and details of your organisation (and where […]