
Know Your Compliance Limited

UK GDPR Bundle Guidance Document


V3.1

PLEASE NOTE: The GDPR Implementing Project Plan accompanies this guidance document and provides specific
actions, requirements and suggestions for using our documents, assessing your readiness and implementing the
GDPR requirements.

UK GDPR BUNDLE GUIDANCE DOCUMENT

1. ABOUT THIS GUIDANCE DOCUMENT


Within your Bundle pack, you will have received our ‘Bundle Instruction’ document, which accompanies this guidance paper. The instructions provide links to our GDPR resources and give guidance on using the checklists and customising your compliance documents.

As there are numerous documents in the Bundle, it can be overwhelming for some organisations to know where to start, which is why we have created this guidance sheet. If you already have a data protection implementation plan or are knowledgeable about what your obligations and requirements are, there is no requirement for you to follow the guidance in this document. However, we have used our own extensive experience, the ICO guidance and other GDPR resources to offer some suggested actions on where to start with both UK GDPR compliance and the documents in your Bundle.

1.1 THE UK’S DATA PROTECTION FRAMEWORK


The UK is no longer a member of the European Union (EU) and as such now has its own data protection framework. This largely mirrors the EU General Data Protection Regulation (“EU GDPR”), which has been written into UK law by the Brexit Withdrawal Agreement and subsequent UK-EU Trade deal. The UK GDPR is tailored by the Data Protection Act 2018 and is now in force across the UK for the processing of personal data.

The Brexit Withdrawal Agreement and subsequent UK-EU Trade deal wrote the EU GDPR into UK law when the UK left the EU. To further ensure that the regulations functioned adequately within the UK's legal framework for data protection, the UK's Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (plus amendments) merged the GDPR and the applied GDPR into the 'UK GDPR' and also amended the DPA 2018.

The UK GDPR is separated into 99 Articles that each relate to a different area of the Regulation; however, it also contains 173 Recitals that must be read in conjunction with the main Regulation, as these provide additional context and guidance in many areas.

1.3 FUTURE UK DATA PROTECTION CHANGES


The Government's Department for Digital, Culture, Media and Sport is currently consulting on data protection reforms which will see the existing legislation and regulations tweaked to better suit the UK's data protection framework.

Know Your Compliance Ltd | 01785 593404 | [email protected] | www.knowyourcompliance.com


The bulk of the existing rules under the UK GDPR and DPA18 will remain in place, as the Government recognises how much time, money and effort UK businesses have put into complying with these requirements over the past 4 years. The reforms presented in the published paper aim to build on the key elements of the current UK GDPR, whilst also proposing improvements to the current framework.

2. EXTRACTION & LOCATION


It may sound like an obvious place to start, but once you receive your Bundle, you should extract and save each of the documents to your own computer/system. We have added each of the individual documents to folders to make receipt easier; however, every organisation will store and use the documents differently, so it is important that you know where each document is located on your system and, if preferred, rename them.

Extracting and saving each document ensures that you do not have any issues with read-only or protected mode, which is a common security default when opening and using the documents directly from emails or .zip folders.

2.1 OBJECTIVES
With so many documents supplied in the Bundle, it is important that you know where to start and which documents require customisation and specific implementation. This guidance gives suggestions only for where to begin and how to proceed through the bundle. You are of course welcome to start with any of the included documents and work through them in any order.

The overall aim is to develop a structured and compliant data protection program that can be used and understood by all employees and third parties. Having adequate policies and procedures is only part of the compliance program, and you may already have a data protection regime in place that can be built upon. It is important to remember that you will not necessarily need to start from scratch in all areas.

3. WHERE TO START
You may be overwhelmed by the volume of documents in the Bundle, but there are 5 main areas that can start the ball rolling and provide you with a lot more guidance and understanding about how to implement/review your existing data protection program successfully and which areas may need improvement.

NOTE: We have not added a template Appropriate Policy Document (APD) to the Toolkit because:
• The APD is designed to provide information about the legal basis and safeguards that an organisation has in place for special category data and/or sensitive processing; we have already covered this in the GDPR Policy & Procedures template, and you will already detail the condition for processing, lawful basis and data retention in the ‘Information Audit’ and ‘Processing Register’ templates.
• For those firms wanting to use a separate APD, the ICO has already published a free template (November 2019) and we never charge for templates that are already freely available: https://ico.org.uk/media/for-organisations/documents/2616286/appropriate-policy-document.docx

3.1 APPOINT A DATA PROTECTION OFFICER OR RESPONSIBLE PERSON


Depending on the size and nature of your organisation, you may need to appoint a Data Protection Officer (DPO). Your DPO or appointed person should be one of the first roles created, as it is likely to be their responsibility to have oversight of the UK GDPR within your organisation and to prepare for and monitor ongoing compliance.

However, even for those organisations that are not obligated to have a DPO, it can still be useful to designate the data protection function to a specific person or team. Those who do not meet the Article 37(1) requirement to appoint a data protection officer will still need to comply with data subject requests, breach notifications, documentation requirements etc., which a lead/team can be made responsible for.

3.2 AWARENESS
Those in the organisation with key positions and/or the decision makers need to be aware of the time, resources and budget needed to effectively implement the UK GDPR or to carry out a review of an existing data protection program, as well as ensuring its continued compliance. It is also essential that employees are made aware of their obligations and how the UK GDPR applies to them and their role. If you have also purchased our GDPR Staff Awareness Training Package or use an alternate session/workshop, you should schedule training sessions on a rolling basis.

3.3 INFORMATION AUDIT


Within your GDPR Document folder, we have provided you with an Excel template for completing an Information Audit. Depending on the size of your organisation, you can either complete one audit, or carry out one for each business area or department. However, if you do carry out multiple audits, it is essential to combine and review them once finished to ensure that you do not have any gaps or duplications.

Doing a companywide information audit is one of the ICO's first recommendations for UK GDPR preparation or where you are reviewing an existing data protection program for compliance. The aim is to map the personal data flows within your business. We have provided the essential headings in the audit template, although you are free to add to/edit them if required.

The information audit is a register of all personal data processed by you, including identifying and recording how it flows into, through and out of the business. Start by identifying any functions, processes and areas that involve processing personal data (including collecting, using, storing and disclosing). Such sources can include (but are not limited to):
• Employee contact details
• Payroll data
• Customer contact details
• Mailing lists
• Online forms
• Consultations
• Orders

When you have identified and documented all personal data flowing into the organisation, you should then record the information for each of the template headings, including the source of the data, legal basis for processing, purpose, disclosure recipients etc. The headings in the Excel template also come with descriptions, so we haven’t added further detail for what needs to be completed. The template also comes with examples for extra guidance.

The information audit allows you to assess and identify what personal data you process and the reasons, but also serves as a template for ongoing data protection compliance in areas such as data subject rights, safeguarding measures, retention periods and personal data reviews.

3.4 PROCESSING ACTIVITIES REGISTER


Again, a complete Processing Activities Register template has been included in your Bundle, with the necessary headings to comply with the UK GDPR (tailored by the Data Protection Act 2018 requirements). Not all organisations are required to maintain a record of their processing activities (see the Data Protection Policy or Article 30 for the conditions); however, it can be completed voluntarily as an internal record of your processing activities.

If you are required to keep such records, you should complete the register as your next action (or if you are choosing to complete it voluntarily). Some of the headings in the processing activities register are duplicated from the information audit, so the data can be moved across, although this register does have specific requirements for documenting the purpose and type of processing activities, as well as the categories of data subjects & personal data and what technical and organisational security measures are in place.

There are slightly different requirements in the records for controllers and processors, so we have added a tab in the template for both options. The processing activities register comes with descriptions above the headings and we have also provided examples for both controller and processor records.

3.5 GDPR COMPLIANCE CHECKLIST


We have included a GDPR compliance checklist in your Bundle, and whilst it may be tempting to try and get all measures in place first and then complete the checklist so that you can show full compliance, the aim of the checklist is to identify gaps, so do not worry if you have areas of non-compliance.

We would recommend at this stage completing the GDPR checklist; your bundle instruction sheet provides a walk-through on using the checklist and how to use the filters and action plan. There is also a Word version of the GDPR checklist should you prefer this format.

Once the checklist has been completed, you will have a working list of any functions or areas that have gaps, need improvement or are non-compliant. With this list, you are now able to use the action plan and document the measures and actions that you will take to gain compliance in each area.

4. POLICIES & PROCEDURES


Once you have completed the actions in section 3, you will now have a structured list of steps that you need to take to implement/update UK GDPR compliance. We have detailed in this section some suggested actions for next steps to take when working through the bundle documents.

4.1 CONSENT MECHANISMS & PRIVACY NOTICES


Your Bundle includes a template Privacy Notice, although if you have been collecting personal data previously, you may already have such a notice in place. You should now review the content of any existing notice(s) to ensure that they contain the Article 13/14 information disclosures and comply with the Regulation. Your instruction document contains a link to detailed privacy notice guidance from the ICO, which is also useful.

Your notices need to be clear, legible, easy to understand and easy to access and should not be bundled with any other materials (i.e. T&Cs) or matters that may confuse the individual. If you are relying on consent in any of your processing activities, you will also need to review your consent mechanisms and ensure that they are granular, opt-in and, again, not bundled with any T&Cs or other materials.

You must be able to evidence when and how you obtain consent, and show a positive opt-in (tick-box, signature etc), along with date and time. This also applies to previous consents, so if you cannot demonstrate that previous consents comply with the UK GDPR requirements, they will need to be re-obtained.

It is possible that some organisations will have more than one privacy notice, so we have included a Privacy Notice Register where you can record each notice, along with essential details about each. You may have one for employees, one for customers, one for online marketing etc, and each is likely to have different content (maybe some with consent and some without), so having a register keeps track of them and helps with the requirement of reviewing the notices on a regular basis.

You may also have different formats for the notice, which again should be recorded on the register (i.e. paper, online, electronic etc). When reviewing/developing consent mechanisms, the ICO suggest that organisations:
• Check that consent is the most appropriate lawful basis for processing
• Ensure that consent requests are clear, prominent and separate from any T&Cs
• Give granular options to consent separately to different types of processing (if appropriate)
• Provide name & contact details of your business & any relevant third party who will rely on the consent
• Explain the right to withdraw consent, note how to do this & make it simple and clear
• Ensure individuals can refuse to consent without detriment & that it is not a precondition of a service
• Have mechanisms for recording and managing consent, recording how & when consent was obtained
• Regularly review consent to check that the relationship, processing and the purposes have not changed
• Online Services for Children: if applicable, you must ensure that you have effective systems and controls in place to manage the consent mechanisms. Consider processes for verifying the age of an individual and, if applicable, ensure that you obtain parent/guardian consent to process the data of a child 13 years or under. Privacy notices aimed at children must be concise, clear, easy to understand, easy to access and be reviewed regularly.

4.2 POLICY & PROCEDURE CUSTOMISATION


You can now start working through the policies, procedures, and templates in the Bundle. The policies and procedures provided in the bundle are mostly ready-to-use and come with the UK GDPR requirements and procedures. You can use the guidance in the instruction document to apply your corporate branding to the documents, and each comes with standard version control sections. The instruction document also provides guidance for the areas that require customisation and editing.

As the documents have been designed to offer a comprehensive data protection and information management program, they are naturally detailed and extensive. The main Data Protection Policy & Procedures extends to over 30 pages, but there may be some areas that differing business types can amend or remove.

NOTE: We have covered the requirements and obligations applicable to both controllers and processors as we have organisations from every industry using our templates. Whilst this may mean customising or removing some sections, this ensures a complete document for all business types and sizes without duplication or extra cost.

If you have specific or existing procedures in place for any of the requirements already covered in the policy documents, you can edit/overwrite what has already been provided. It is essential that the procedures in the policy documents are ones that you will follow and are relevant to your organisation.

As the main Data Protection Policy & Procedures contains many of the data protection processes and content, you are welcome to separate the sections into individual policy documents if preferred. However, using the one main document is the standard approach and we have already provided the main policies in standalone formats, such as Data Retention, Breach, Transfers, SAR Procedures etc. This Data Protection Policy & Procedures also provides you with many actions and functions for UK GDPR compliance, so it can be read and used alongside the GDPR checklist to understand and implement compliance measures and controls.

The documents for breaches, retention, transfers and SARs are ready-to-use, but should be customised if you have differing processes in place or intend to comply with the Regulation through different actions. You should also at this point complete the Data Retention Schedule found in the Data Retention Policy, as every firm will have their own retention periods and records.

4.3 DATA PROTECTION IMPACT ASSESSMENT (DPIA)


Not all firms are required to complete a DPIA (see the Data Protection Policy or Article 35 for conditions); however, as with the processing activities register, some firms complete a DPIA even where it is not mandatory, as the process provides extensive information about each processing function, how best to protect the personal data and data subjects, and helps to identify any risks.

In your bundle, you will find extensive DPIA procedures and Excel templates for completing an impact assessment on any processing functions that are high risk. We have not gone into detail here as the DPIA procedures in the Bundle are detailed and provide a walk-through for carrying out such assessments.

4.4 PROCESSOR AGREEMENT TEMPLATE


We have included an agreement template in the Bundle for controllers using processor(s). This agreement meets the requirements of Article 28 and other relevant Regulations. The template can be customised for each processor and comes with customisation sections for the specifics of each processing activity. We have also provided a processor notification template to advise your existing processors of the impending changes and your/their obligations.

4.5 EU REPRESENTATIVE REQUIREMENT


As the UK is no longer a member of the EU, if your company offers products/services to individuals in the EEA or you monitor the behaviour of individuals in the EEA, you will still need to comply with the EU GDPR.

This is relevant to UK based businesses who do not have a branch, office or other establishment in any other EU or EEA state. As such, you are required under Article 27 of the EU GDPR to appoint a representative in the EEA. If you process personal data in more than one EEA state, you should choose a representative where the majority of the data is processed.

The EU representative must be designated and authorised in writing by a mandate to act on your behalf regarding all EU GDPR compliance. They will be the point of contact for EEA based individuals and can deal with any supervisory authorities.

The ICO notes that 'the representative can be an individual, or a company or organisation established in the EEA, and must be able to represent you regarding your obligations under the EU GDPR'. You should include details of the EU representative in your Privacy Notice, on your website and in your SAR procedures.

4.6 TRANSFERS OUTSIDE THE UK


The UK GDPR is closely aligned with the version of the GDPR previously followed by the UK and, as of the 28th of June 2021, the EU Commission approved the adequacy decisions for the UK, meaning that the EU has determined the UK’s data protection laws to be robust enough to ensure data can continue to safely flow to the UK from the EU (and EEA). Data transfers outside the UK are referred to as ‘restricted transfers’.


The UK has carried over the 42 Adequacy Decisions (known in the UK as Adequacy Regulations) already afforded by the EC, so that personal data can continue to be transferred from the UK to those countries now that the UK has left the EU.

IDTA Replaces Standard Contractual Clauses
On 2nd February 2022, the Secretary of State laid the International Data Transfer Agreement (IDTA) before Parliament, with an enforcement date of 21st March 2022. Restricted transfers to a third country or an international organisation that do not have an adequacy regulation in place can only be made where there are appropriate safeguards in place to protect the data.

The IDTA is one of these safeguards and replaces the previously relied upon EU standard contractual clauses (SCCs). You can find the ICO agreements, guidance and transitional provisions at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance

ICO Transfer Risk Assessment Tool


You must complete a risk assessment when relying on one of the UK GDPR’s Article 46 tools for restricted transfers. The ICO has already published a Transfer Risk Assessment Tool for use alongside the IDTA and other safeguard measures. We have therefore not duplicated this tool as it is already freely available from the ICO website.

5. OTHER SUGGESTIONS
Once you have completed all the above actions, you should have a good understanding of the UK GDPR and your preparation needs and be well on your way towards having a robust and compliant data protection program. We have added a few more suggested actions below.

5.1 STAFF TRAINING & GUIDANCE


Your Data Protection Policy & Procedures can also be a guidance document for employees; however, for those directly involved in the processing of personal data, you should ensure a robust and thorough program for their support and training.

Implement procedures to guide staff on how to manage the personal data that you hold and what to do when individuals exercise their rights (e.g. subject access or rectification). Reporting lines and DPO details (if applicable) should be disseminated, with specific data protection training workshops being included in all induction programs, as well as on a regular basis for existing staff or those returning after absences.

5.2 DATA SUBJECT RIGHTS


Your Data Protection Policy & Procedures contains procedures and content for allowing data subjects to exercise their rights and guidance for processing such requests (timeframes, notifications etc). We have also included a dedicated document for Subject Access Requests & Erasures for you to use and follow.

There are several rights for individuals under the UK GDPR, so having clear procedures and mechanisms in place to allow for the exercising of such rights is essential. Subject access requests, rectifying data, erasure & restricted processing all require a written process that employees can understand and follow.

In most cases, requests should be actioned within one month of receipt and be free of charge, with communication being in a concise, intelligible and easily accessible form. Your information audit can be useful for data subject requests in identifying where data is located, in what format and any disclosure recipients.

5.3 DATA PORTABILITY


This area has new requirements for data protection and, in certain circumstances, organisations are expected to have controls and systems for enabling individuals to 'receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance'. The ICO suggest that businesses:
• Implement a process that will enable individuals to submit a request
• Ensure that the medium in which the data is provided has appropriate technical measures in place to protect the data it contains
• Ensure that the medium in which the data is provided allows individuals to move, copy or transfer that data easily from one organisation to another without hindrance

5.4 CHILDREN & DATA PROTECTION


The ICO have produced extensive guidance on how the UK GDPR relates to children and what actions must be taken to ensure that those processing the personal data of a minor are compliant. As the guidance is already in publication, we have not added it to this section, but have added the link to the ICO page so that organisations can review the guidance directly.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr/

Further Information
We are always on hand to give guidance about our documents or your compliance requirements. For
more information, email us at [email protected].

Kind Regards

The Know Your Compliance Team


IMPORTANT: It is your responsibility to ensure that your documents and compliance aids meet the regulatory requirements and legal standards applicable to your business. We take every reasonable step to ensure that our documents are compliant, up-to-date, and accurate; however, it is your responsibility to ensure final compliance.
