Image of the Naidex Logo

26 & 27
March 2019


CDP Certified

Innovations for the Future of Independent Living

  • Images of the show in hexagons with caption: Discover the innovations transforming the health care sector
  • Images of the show in hexagons with the caption: For the latest Naidex news and event updates #Naidex45
  • Images of peope sitting at a table debating with a quote for the editor of 2A Publishing
  • Man in wheelchair talking to another man, with caption: Providing an unparalleled platform to enter and develop in the £249 billion disability market

GDPR Made Simple: Organisational Measures

Restaurant Tech Live blog post 1

In many parts of the GDPR it mentions “technical and organisational measures” to protect personal data. While the media are increasingly reporting about organisations being hacked, it is often the case that data breaches happen because of organisational failures.

The Data Guardians recommend the following simple and practical ways that you can put organisational measures in place to protect and secure the personal data your organisation controls and processes.

Data Privacy Notice / Privacy Policy

One of the key tenets of the GDPR is transparency. This means telling people what data you’re collecting, why you’re colleting it, what you’re going to do with it and how long you’re going to keep it for and where. The main, and best, means of achieving this is through your Data Privacy Notice (otherwise called Privacy Policy). 

Internal Policies and Procedures

Senior managers need to demonstrate their commitment to data protection and data security and this starts with policies. For your employees to know what to do with these policies, they need to be backed up with detailed procedures, especially when dealing with the dights of the Data Subject, some of which are new such as the Right to Erasure and the Right to Portability. 

Access Control and Compartmentalising Shared Drives

Many think of access control the physical security of the office but this also applies to your IT systems. For example, not everyone needs to have access to your HR or customer databases. The same applies to your internal, or cloud-based, shared drives. By making each department’s area on the drive only accessible to those within that department, you are already minimising the risk that the data held there being compromised. 

Clear Desk Policy

How many times have you walked up to the printer to find a document lying there, which contains confidential or commercially sensitive information in it? At the end of the day have you seen paperwork on people’s desks that really should have been locked away, or at least hidden from view in a drawer? A clear desk policy is critical in securing confidential information.


One of the simplest ways of promoting data protection within your organisaiton is to train your staff. To be compliant you need to be able to demonstrate what actions you have taken to prevent a breach from occurring and that includes making sure employees have been properly trained on data protection and data privacy. 

Implementation and Enforcement

In order for all of this to be effective there needs to be an implementation plan and formally ensuring that the policies and procedures are being adhered to is very important. 

Data Protection Impact Assessments

Data Protection Impact Assessments (DPIAs) need to be done whenever your organisation is considering a new processing activity, introducing new technology to process customer or employee personal data, or if the processing “is likely to result in a high risk for the rights and freedoms of natural persons” (Article 35). 

Contracts with Third Parties

Many organisations will use other companies to process data. Whenever your organisation sends personal data to another there has to be data protection and confidentiality clauses within the contract. However having such clauses does not absolve the data controller of its responsibilities; it should be remembered that under the GDPR the data controller and data processor are jointly and severally liable for any damage or distress to a data subject. 

Personal Data Breach Plan

Organisations have 72 hours from the time that they are aware of a personal data breach to inform the ICO. Unless organisations have planned for this in advance, they will struggle to fulfil this requirement properly and this failure will only exacerbate the crisis that they now find themselves in.

Come and speak to us!

These measures are really just a starter-for-ten but will set your organisation on the right path. The Data Guardians’ Managing Director Matthew Lamb will be at Naidex giving a seminar on life after the 25th May GDPR deadline and will be happy to answer any questions you can throw at him! For more information on The Data Guardians or to arrange a meeting at Naidex get in touch via We look forward to meeting you!


Follow The Data Guardians

Twitter: @DataGuardians_

Facebook: The Data Guardians

LinkedIn: The Data Guardians 

Naidex is proud to partner with