Last updated: 11.10.17

How to prove you have met the GDPR legislation within your organisation

When the General Data Protection Regulation (GDPR) legislation comes into effect on 25 May 2018, it will greatly affect how businesses keep data private. According to Helen Dixon, the Irish Data Protection Commissioner, changes will be driven by the new principle of accountability which requires businesses ‘to demonstrate that [they] comply with the principles and states explicitly that this is [their] responsibility’.

So how can you prove your business is meeting GDPR regulations? Although it’s extremely important to demonstrate your compliance to the regulator and to your customers, you also need to consider how to demonstrate compliance through every step of your business – this means ensuring your suppliers are compliant too.

The best way to undertake this is with an internal audit in collaboration with a learning management system (LMS). Getting the staff in your organisation to undertake an audit can showcase where they may have gaps in their knowledge surrounding the issue of data protection. Once you understand those gaps, you can train your staff quickly and easily utilising compliance e-learning supported on an LMS, so you can track your staff’s progress and ensure they complete their training at regular intervals.

This can also be automated and scheduled to meet compliance requirements for each regulator you know is coming – giving you peace of mind in the knowledge that your organisation will always comply to new and existing legislation on time.


A survey conducted by the Information Commissioner’s Office (ICO) found that 75 per cent of adults in the UK don’t trust businesses with their personal data ; they don’t feel like they have control over their data and what happens to it. A report by Informatica found that, out of the 2,000 UK consumers they surveyed, nearly three-quarters (72 per cent) were concerned about the level of protection given to the personal information they shared with brands and organisations online.

Greg Hanson, vice president business operations EMEA, Informatica said that, “It’s clear from this survey that there is a worrying disconnect between UK businesses and consumers when it comes to how their personal data is stored, shared and secured.”

So, when it comes to proving your GDPR compliance with your customers, try putting yourself in their shoes. What would you want to know? What would you want to be reassured about? Centre your GDPR preparations around your customers – be clear and upfront about why you want their data and what you’re going to do with it. For many customers, data transparency makes them feel more in control, so allow data subjects to access their data and correct any inaccuracies or keep it up-to-date.

Share how your business is preparing for GDPR and what that means for your customers, as well as how their data will be used, stored, shared and protected. Informatica found that being transparent about how personal information is used (50 per cent), having a privacy policy in place (43 per cent) and quickly responding to any issues (38 per cent) are the top three things that enterprises can do to earn consumer trust.


In the UK, regulators exercise authority over how organisations adhere to relevant rules in different industries, such as Ofsted for the education sector and the CQC for the healthcare sector. For enforcing the laws that govern privacy, the UK uses the independent regulator called the Information Commissioner’s Office (ICO). Elizabeth Denham, Information Commissioner at the ICO, said in a speech that, when the GDPR legislation comes into effect, “For the most serious violations of the law, my office will have the power to fine companies up to twenty million Euros or four per cent of a company’s total annual worldwide turnover for the preceding year.

“The GDPR gives regulators the power to enforce in the context of accountability – data protection by design, failure to conduct a data protection impact assessment, DPOs and documentation. If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.”

To prevent this, your organisation needs to have policies and procedures in place now to ensure everyone in your business understands how to protect the rights and freedoms of your data subjects, as well as measures to show the regulator why you’re using the data and how you’re protecting it.

Under the GDPR legislation, Data Protection Impact Assessments (DPIAs) are intended to help identify and manage risks to personal data. They are also crucial in showing the supervisory authorities (SAs) that a business has done everything it can to ensure data is processed in accordance with the law.

At Virtual College, we create a range of custom and off-the-shelf courses to help organisations ensure their workforce remains up-to-date and compliant with the legislation in their sector. This case study on our work with the NICEIC, the UK electrical contracting industry’s largest independent voluntary body, shows how our e-learning courses are used by electricians to help them ensure compliance with current UK legislation.


As part of the Data Protection Act 1998, you may already prove your organisation is compliant to your customers and the regulator, however, under the new GDPR legislation the burden of personal data protection lies with those who ‘own’ the personal data – in other words data controllers. This means that your organisation will be held accountable for any data privacy breaches of your customers’ personal data that happens along the supply chain, leading to monumental financial and reputational repercussions for your organisation.

Once you understand how your suppliers will handle personal data, you need to have adequate record-keeping processes and procedures in place. This will help you track your suppliers and prove that they operate in compliance with GDPR, so your organisation can evidence that you have followed correct procedures in the event of a data breach.

Although the GDPR legislation is new, data protection compliance has been a standard for many years. In fact, Virtual College has been providing solutions to help organisations track their employee’s compliance since 1995; utilising an easy-to-use cloud-based Learning Management System (LMS), called Enable, to help data protection officers (DPOs) track compliance within their organisation. With easy reporting features and the ability to allocate essential compliance-based training, the LMS can ensure your entire workforce is GDPR ready before May 25 2018. To help you and your organisation get started, click here to register for our free overview of the GDPR legislation.


Related resources