How to demonstrate compliance with GDPR

GDPR laws were introduced into legislation in 2016 and became legally enforceable in May 2018. The regulations apply across the European Union and protect an individual’s personal data. GDPR laws are in place to ensure organisations only collect and store the data needed for a permitted purpose, and only for a limited amount of time. Failure to comply with the regulations can have severe consequences. Organisations are responsible for demonstrating their compliance with GDPR, so it’s important to know who is responsible for demonstrating GDPR compliance, and how Cyber Essentials certification can help improve compliance within your organisation.

Data protection roles under GDPR

Under GDPR legislation, there are key roles that can help determine who is responsible for demonstrating compliance:

Data subject

A data subject is the individual to whom the collected personal data belongs. Personal data refers to anything that can be used to identify an individual, including name, passport number, financial records, address or employment details.

Under GDPR legislation, data subjects have rights to ensure that their personal information is stored securely, that their right to privacy remains intact, and to prevent organisations from deviating from GDPR rules.

Data controller

A data controller is a person or organisation who decides how a data subject’s personal data will be collected and for what purpose. It’s the data controller’s responsibility to:

  • Be accountable for lawfully collecting personal data.
  • Create strict security measures, such as encryption, to protect data from unlawful access.
  • Report data breaches if such an incident occurs.

Sometimes, there may be more than one data controller within an organisation. When data controllers decide on the purpose of personal data collection, they must ensure confidentiality, so that no person or organisation can access that personal data without authorisation or unlawfully.


Data processor

A data processor is an individual or third party who processes gathered personal data at the data controller’s request. A data processor’s primary responsibilities include:

  • Always acting within the specified role the data controller has given them.
  • Processing collected personal data only where the data controller permits it.
  • Ensuring that GDPR is complied with when processing data.

Data protection officer

The data protection officer (DPO) is responsible for GDPR compliance throughout an organisation’s whole data collecting process. A data protection officer’s responsibilities can include:

  • Advising organisations on appropriate measures to take in their data collection strategies.
  • Informing organisations of their responsibility to comply with GDPR laws.
  • Monitoring compliance.

Appointing a DPO is mandatory only in the following three situations:

  1. When your organisation is a public authority or body;
  2. If the organisation processes data subjects’ personal data on a large scale;
  3. If the organisation performs large-scale processing of special categories of personal data, or of data relating to criminal convictions.

Organisations may decide to assign someone already in the organisation to the role of DPO in addition to their existing duties, rather than hire externally for a dedicated position.

Supervisory authority

Beyond the roles responsible for demonstrating GDPR compliance within an organisation, national supervisory authorities oversee GDPR compliance and personal data protection within EU countries.

Ireland’s supervisory authority is the Data Protection Commission. It is responsible for upholding the rights of Irish citizens to have their personal data protected under GDPR legislation.

GDPR compliance

The key principles of GDPR

There are seven key principles of GDPR that organisations involved in the collection, storage and processing of personal data must be aware of. These principles apply to data from customers and clients, employees and contractors, and other individuals such as patients, students, or members relevant to your organisation.

Purpose limitation

Personal data collected by organisations should be used only for an explicit purpose. It should not be used for any other reason that contradicts the original purpose of gathering the data. However, according to GDPR Article 5, if personal data is archived for public interest, scientific or historical research, or statistical purposes, this is still considered in line with the original purpose of collecting the personal data.


Accuracy

GDPR regulations state that any personal data gathered must be correct and up to date. If collected data is inaccurate, the necessary steps need to be taken to immediately delete erroneous information and replace it with the correct data.

Data integrity and confidentiality

Data controllers are responsible for ensuring appropriate security measures are in place to protect the integrity and confidentiality of personal data. These security measures must also protect against accidental loss and damage situations.

Storage limitation

This GDPR principle states that personal data should be kept no longer than necessary for its processing purposes, and should be removed once it is no longer needed for its original stated purpose.

Data minimisation

Following the data minimisation principle means gathering only the data needed, and not collecting data that is either unnecessary or that there is no authorisation to collect.

Lawfulness, fairness and transparency

The sixth GDPR principle is one of lawfulness, fairness, and transparency. This means that it is essential for data controllers and data processors to adhere to their responsibilities in protecting the data subject’s personal data to comply with the law.

There is an added seventh principle in the GDPR legislation. This principle focuses on the accountability of the data controller and making sure they conduct their duties in a way that adheres to the other six GDPR principles. The data controller is the person responsible for demonstrating GDPR compliance.

What GDPR means for organisations

If an organisation fails to comply with GDPR, it could face legal consequences including bans on processing data, and fines of up to 20 million Euros or 4% of the organisation’s annual worldwide turnover, whichever is the greater amount.

Training for those responsible for demonstrating GDPR compliance

Our Cyber Essentials certification can help your organisation determine who is responsible for demonstrating compliance with GDPR. Cyber Essentials covers areas such as access control and security configuration. Cyber Essentials certification demonstrates your commitment to protecting personal data and your compliance with key GDPR and data protection legislation, and helps your organisation win contracts where Cyber Essentials certification is required.

You may also be interested in our ISO 27001 Introduction Training. This one-day workshop provides a foundational and practical understanding of Information Security, including information security measuring and best practice standards.