Legitimate Interest

Legitimate interest is a lawful basis which, to some degree, an organisation assumes when it does not rely on any other lawful basis. Legitimate interest gives the organisation a good level of control, but it assumes that the data subject will not object to the processing. If you are relying on legitimate interest, […]

Activity

An activity is a process, or part of a process, which your organisation undertakes to fulfil its objectives. Where an activity processes personal data, this should be for a legitimate purpose. Understanding how personal data is used within your organisation is often the starting point for determining where risks lie and how to manage them. […]

Data Subjects Rights

All data subjects have specified rights with respect to the use of their personal data held by a controller or processor. These rights are:

The right to be informed – your data subjects should be clear about what, why and in what way personal data will be processed, usually provided by privacy statements

The right […]

Personal Data Breach

A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The above definition, however, does not take into account the impact of the breach, which must be considered if the breach is […]

Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is a process that is undertaken when you believe that an activity you are undertaking has the potential to create a high risk to the data subject. Within ProvePrivacy, we provide you with a high risk assessment tool to help determine whether a DPIA might be required. […]

Large Scale Processing

There is no clear definition of what ‘large scale’ means, therefore the definition is in some respects open to interpretation. However, when considering whether processing is large scale we should take into account: the volume of data; the number of individuals concerned; the variety of data; the duration of the processing; and the geographical extent […]

Data Protection Officer

The role of a data protection officer (DPO) is to work within the organisation as a representative for data subject rights. They must be able to inform and advise both the controller and the processor of their obligations, monitor compliance within the organisation, provide advice on assessments such as Data Protection Impact Assessments, etc., and […]

Sensitive Personal Data

Whilst it is important that all personal data is protected, there are certain activities or categories of personal data which might present a higher risk to the data subject if they were to be mistreated. These are detailed within the regulation, and if they are processed there is a requirement that further restrictions should […]

Consent

Consent is provided by the data subject as a means of granting the organisation permission to carry out a specific processing activity. It provides the greatest level of control to the data subject, but is arguably the most difficult of the lawful bases to manage operationally. The organisation must be able to demonstrate that it […]

Accountability

The accountability principle signifies a step change in data protection legislation. It requires organisations to be able to demonstrate their adherence to the data protection principles, which in turn means they now need to better understand personal data risk and how it can be mitigated. In order to demonstrate accountability, an organisation must now […]