Step 4: Implementation

Key considerations

Operational changes

Our recommendations from Stage 3 are likely to include changes to your processes and how data flows in, around and out of your organisation. You should ensure that key stakeholders in your business are aware of the changes which are coming as a result of the GDPR and appreciate the impact this is likely to have. We can provide guidance and liaise with you to ensure that operational changes are properly implemented.


The GDPR introduces new provisions which place a greater emphasis on the accountability and transparency principles which were originally introduced by the DPA. As such, a comprehensive and robust data protection policy is both a valuable internal resource for guidance and best practice, and evidence of compliance.


The GDPR requires certain information to be provided to data subjects by way of privacy notices, including the details of the data controller, the purpose for data capture, and how long their details will be held for. Privacy notices will need to be prepared and provided within the required timeframes.


The GDPR sets out a number of provisions which data controllers must have in place with their data processors. This includes ensuring that the data processing is governed by a legally binding contract between the data controller and data processor.

Privacy by design

Data controllers are required to ensure that appropriate technical and organisational measures, designed to implement data protection principles, are incorporated into any data processing activity to protect the rights of data subjects.


How Cripps Pemberton Greenish can help

We can use the information gathered in the initial data mapping phases to develop a practical policy to meet the needs of your business. This could include things like staff training and reviewing HR policies.

We can also provide training on data protection for your staff.

We can develop internal and external privacy notices to ensure you comply with GDPR obligations. Internal privacy notices would be used for employees (as the GDPR also applies to employee personal data) and external privacy notices would be used for all other personal data you hold.

We can also draft variation agreements to ensure that current contracts are fully compliant, as well as providing template wording for inclusion in future contracts.


Click here for Step 5: Monitoring