Lesson 4: My responsibilities under the GDPR

What is expected of me?

It's vitally important that you have technical and organisational measures in place to ensure, and to be able to demonstrate, compliance. This is the accountability principle: it is not enough to be compliant, you must be able to show it.

Your policies should cover how personal data is filed and stored, as well as the nature, scope, context and purpose of any processing and the risks it creates for the people concerned. These policies should also be easily accessible to your data subjects.

The GDPR requires that you implement data protection by design and by default. This means that throughout your organisation you implement not only appropriate security measures, like encryption and pseudonymisation, but also the data protection principles themselves, so that by default you collect, hold and process only the personal data you need, and keep it for no longer than needed.

In practice, data protection by design means that when you develop new tools or processes you should use data protection impact assessments (DPIAs) to identify where personal data may be at risk, so that you can put effective systems and policies in place to reduce that risk. A DPIA is mandatory where the processing is likely to result in a high risk to individuals, but it is good practice for any new processing of personal data.

If you're a data controller, you must keep records of processing activities (Article 30): your purposes of processing, the categories of data subjects and of personal data held, data retention periods and any data transfers, including transfers to third countries. Your data security measures should be documented and appropriate to those risks.

Compliance will be easier if you only collect the data you require, minimise who you share the data with, and minimise how long you keep the data. So review your data collection and retention policies with this in mind: the less data you hold, the less can be stolen in a breach and the more secure your environment will be.

If you're involved in web-based marketing, the direct practical implications are clear. Most businesses are trying to glean as much information as possible about their customers and new leads by using a digital arsenal that includes web, email and mobile channels. Marketers always want more data: age, income, zip code, education, last book read, favourite colour, and so on. Under the GDPR marketers must limit the data they collect to what is needed for the purpose for which it is being collected. Marketers will need to consider whether the favourite colour is actually needed. They'll also need to consider how long to retain the personal data. For example, at what point should the data on a cold lead no longer be kept?

Do marketers really need the personal data collected from a web campaign five years ago that still sits on their laptop in an Excel file? The risk of retaining it probably outweighs the benefit of holding it. You should consider deleting it: if someone gains access to it you've created a security risk for your customers, and potentially a sanctionable breach if the data can be traced back to your company.
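To make the three ideas above concrete (pseudonymisation as a technical measure, collecting only the fields a purpose needs, and retention deadlines that are enforced rather than forgotten), here is an added example of a minimal marketing-intake pipeline. It is not code from this lesson or from GDPR365; the policy table, the key and the sample submissions are constructed for illustration. Note two caveats a practitioner should keep in mind: an unkeyed hash of an e-mail address is not good pseudonymisation, because addresses are enumerable and can be re-hashed and matched, so the example uses an HMAC with a secret key that must be stored separately from the data; and pseudonymised data is still personal data under the GDPR, so it still needs the same protection and retention discipline.

```python
"""Added example (not from the lesson): data protection by design applied to a
marketing intake pipeline. Minimise on collection, pseudonymise the direct
identifier with a keyed HMAC, attach a retention deadline per purpose, purge
expired records, and answer a subject access request. The policy table, key
and sample submissions are constructed assumptions for illustration."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical policy: the fields each purpose may keep and how long it may keep them.
POLICY = {
    "web_campaign_lead": {"fields": {"email", "company", "interest"}, "retention_days": 365},
    "newsletter": {"fields": {"email", "consent_given_at"}, "retention_days": 730},
}

# Constructed demo key. In practice this lives in a KMS/secret store with its own
# access controls, never in the same place as the marketing records.
KEY = b"demo-key-store-this-in-a-kms-not-next-to-the-data"


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for a direct identifier such as an e-mail address.
    HMAC-SHA256 rather than a bare SHA-256: addresses are enumerable, so an
    unkeyed hash can be reversed by hashing candidate addresses. Normalising
    case and whitespace keeps one person to one pseudonym."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def intake(submission: dict, purpose: str, key: bytes, now: datetime) -> dict:
    """Build the record that is actually stored: only the fields the purpose
    needs (everything else the form captured is dropped), the e-mail replaced
    by its pseudonym, plus purpose, collection time and a retention deadline."""
    policy = POLICY[purpose]  # unknown purpose -> KeyError: no storage without a declared purpose
    record = {k: v for k, v in submission.items() if k in policy["fields"] and k != "email"}
    record["subject_id"] = pseudonymise(submission["email"], key)
    record["purpose"] = purpose
    record["collected_at"] = now.isoformat()
    record["expires_at"] = (now + timedelta(days=policy["retention_days"])).isoformat()
    return record


def purge_expired(records: list, now: datetime) -> tuple:
    """Split stored records into (keep, delete) by their retention deadline."""
    keep, delete = [], []
    for r in records:
        expired = datetime.fromisoformat(r["expires_at"]) <= now
        (delete if expired else keep).append(r)
    return keep, delete


def records_for_subject(records: list, email: str, key: bytes) -> list:
    """Subject access request: recompute the pseudonym with the key and match.
    Without the key the stored records cannot be linked back to the address."""
    subject_id = pseudonymise(email, key)
    return [r for r in records if r["subject_id"] == subject_id]


# Constructed sample submissions (not from any real campaign). The first one is
# an old lead with fields the purpose never needed; the second is a recent one.
RAW_SUBMISSIONS = [
    ({"email": "Alice@Example.com", "company": "Acme", "interest": "pricing",
      "favourite_colour": "blue", "age": "41"},
     "web_campaign_lead", datetime(2019, 3, 1, tzinfo=timezone.utc)),
    ({"email": "bob@example.org", "consent_given_at": "2024-01-15", "zip": "12345"},
     "newsletter", datetime(2024, 1, 15, tzinfo=timezone.utc)),
]
NOW_DEMO = datetime(2024, 6, 1, tzinfo=timezone.utc)


def demo(now: datetime = NOW_DEMO) -> tuple:
    """Run intake over the samples, then the retention purge, as of `now`.
    Returns (stored, keep, delete)."""
    stored = [intake(s, purpose, KEY, when) for s, purpose, when in RAW_SUBMISSIONS]
    keep, delete = purge_expired(stored, now)
    return stored, keep, delete


if __name__ == "__main__":
    stored, keep, delete = demo()
    for r in stored:
        print("stored:", r)
    print("kept:", len(keep), "to delete:", [r["purpose"] for r in delete])
    print("SAR for alice:", len(records_for_subject(stored, "alice@example.com", KEY)), "record(s)")
```

Run as of June 2024, the 2019 campaign lead has passed its one-year retention deadline and is returned in the delete list, while the 2024 newsletter record is kept; the favourite colour, age and zip code never reach storage at all. The subject access lookup works only for whoever holds the key, which is the point of keeping the key apart from the data.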

Breaking it down

I know you are probably thinking: data protection by design – what a nightmare. But really there are just a few core concepts to consider:

  • Minimise data collected
  • Retain personal data for no longer than needed
  • Understand where personal data sits in your organisation and where you’ve shared it so you can ensure your security systems and policies are good enough to protect it and that you can provide individuals with access, if requested.


Data protection by design and by default is set out in Article 25 of the GDPR and referenced in many other places in the regulation. If your organisation takes it on as a business philosophy and methodology you'll not only become compliant, but you'll improve your processes, which will in turn improve your organisation.


GDPR365 can help you prepare for the GDPR. Our team will help you understand how the regulation applies to you and provide a self-service tool with concrete steps to achieve and ensure ongoing GDPR compliance.
