
GDPR framework

GDPR framework, take control of your data protection

The components in our GDPR framework benchmark model


GDPR framework overview

Our GDPR framework is in operation at our clients.

Implementing our benchmark GDPR framework gives you full control over managing data protection across your organisation.

Our benchmark GDPR framework provides a simple explanation of what GDPR data protection controls should look like in your organisation.

Our benchmark GDPR framework should fit into any risk management framework you have. If you don't have one, we will guide you through getting one set up.

If you would like to know more, contact us today.

Here is an executive overview of the GDPR framework in operation illustrating the two primary components, Protect and Comply.

GDPR framework executive overview diagram


The following diagram shows the components needed to implement Protect and Comply. Following the diagram is a brief description of each GDPR framework component.

GDPR framework components diagram


The descriptions provide an executive overview of each GDPR framework component and the key GDPR articles to which each component cross-references.


Personal data governance

Personal data governance is a set of components to ensure that personal data is formally managed throughout the enterprise and that all processing, use and behaviour are GDPR compliant.

Key articles covered

  • Article 5 - Principles relating to processing of personal data
  • Article 24 - Responsibility of the controller
  • Article 27 - Representatives of controllers or processors not established in the Union
  • Article 28 - Processor
  • Article 29 - Processing under the authority of the controller or processor

Data protection policy

Explains how GDPR obligations are met as a Controller and a Processor of personal data. The policy is accompanied by a risk appetite and measurement statement.

Key articles covered

  • Article 5 - Principles relating to processing of personal data
  • Article 6 - Lawfulness of processing
  • Article 7 - Conditions for consent
  • Article 8 - Conditions applicable to child's consent in relation to information society services
  • Article 9 - Processing of special categories of personal data

Data Protection Officer (DPO)

Job description, role and responsibilities for the Data Protection Officer. The Data Protection Officer is a person with expert knowledge of data protection law and practices who monitors internal compliance. If you are not sure if you need a Data Protection Officer, take our test.

Key articles covered

  • Article 37 - Designation of the data protection officer
  • Article 38 - Position of the data protection officer
  • Article 39 - Tasks of the data protection officer

Advice, oversight, Supervisory Authority (SA) relations

The DPO serves as the single point of contact for personal data advice, overseeing GDPR compliance across [Organisation name] and managing the relationship with Supervisory Authorities.

Key articles covered

  • Article 31 - Cooperation with the supervisory authority
  • Article 42 - Certification
  • Article 58 - Powers
  • Article 77 - Right to lodge a complaint with a supervisory authority
  • Article 78 - Right to an effective judicial remedy against a supervisory authority
  • Article 79 - Right to an effective judicial remedy against a controller or processor
  • Article 80 - Representation of data subjects
  • Article 81 - Suspension of proceedings
  • Article 82 - Right to compensation and liability
  • Article 83 - General conditions for imposing administrative fines
  • Article 84 - Penalties

Personal data rights treatment

Personal data rights treatment enables transparency with data subjects so that they are aware of the who, what, why, where, when and how of their personal data use.

Key articles covered

  • Article 8 - Conditions applicable to child's consent in relation to information society services
  • Article 11 - Processing which does not require identification
  • Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject
  • Article 13 - Information to be provided where personal data are collected from the data subject
  • Article 14 - Information to be provided where personal data have not been obtained from the data subject
  • Article 26 - Joint controllers

Enquiries, requests, complaints

Ensuring that adequate processes are in place to respond to data subject requests relating to their personal data.

Key articles covered

  • Article 15 - Right of access by the data subject
  • Article 16 - Right to rectification
  • Article 17 - Right to erasure
  • Article 18 - Right to restriction of processing
  • Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 - Right to data portability
  • Article 21 - Right to object
  • Article 22 - Automated individual decision-making, including profiling

Training and awareness

Preparing material and training to ensure adequate staff knowledge for dealing with personal data.

Key articles covered

  • All

Records management

Records of data use and processing are created and maintained. Processing has a wide scope covering collection, storage, internal processing, external processing, viewing and transfers.

Key articles covered

  • Article 30 - Records of processing activities

Local legal considerations

Local legal requirements must also be taken into account, since they can override or constrain GDPR-driven retention and deletion. Examples are: mandatory retention of fiscal records, fraud records, employee records, etc.

Key articles covered

  • Article 85 - Processing and freedom of expression and information
  • Article 86 - Processing and public access to official documents
  • Article 87 - Processing of the national identification number
  • Article 88 - Processing in the context of employment
  • Article 89 - Safeguards and derogations relating to processing for archiving purposes
  • Article 90 - Obligations of secrecy
  • Article 91 - Existing data protection rules of churches and religious associations

Data sharing and transfers

Policy, process and procedures to ensure that personal data is shared and transferred legally, that adequate technical and contractual safeguards are in place and that any Processors have a clearly defined set of operating instructions.

Key articles covered

  • Article 44 - General principle for transfers
  • Article 45 - Transfers based on an adequacy decision
  • Article 46 - Transfers subject to appropriate safeguards
  • Article 47 - Binding corporate rules
  • Article 48 - Transfers or disclosures not authorised by Union law
  • Article 49 - Derogations for specific situations

3rd party compliance confirmation

A verification process to ensure that all contracts involving personal data sharing are periodically checked and that Processors are operating within their set of instructions.

Key articles covered

  • Article 28 - Processor
  • Article 29 - Processing under the authority of the controller or processor

Data risk assessment (DPIA)

Due diligence analysis of a proposed solution to assess the level of personal data risk involved, cost avoidance, fitness for purpose and legal compliance, together with mitigation recommendations. This policy underpins the GDPR principle of "data protection by design and by default": all solutions must be seen to take personal data protection into account, and all processing must default to a personal data protection fail-safe state.

Key articles covered

  • Article 25 - Data protection by design and by default
  • Article 35 - Data protection impact assessment
  • Article 36 - Prior consultation

Security and access

Planning, development and execution of security policies and procedures to provide proper authentication, authorisation, access, and auditing of data and security measures.

Key articles covered

  • Article 32 - Security of processing

Breach notification

Planning, development and execution of policies and procedures to notify the organisation's Executive and, where necessary, notify the supervisory authority (the ICO in the UK) and data subjects that a personal data breach has occurred. Notification to the supervisory authority is due without undue delay and, where feasible, within 72 hours of becoming aware of the breach, so the procedure must include a way of recording when the breach was first detected. Failing to notify a reportable breach is a serious compliance infraction.

Key articles covered

  • Article 33 - Notification of a personal data breach to the supervisory authority
  • Article 34 - Communication of a personal data breach to the data subject