The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the most comprehensive overhaul of the way personal data is stored, processed and communicated in this country. As an organisation that handles a significant amount of personal data, it is our responsibility to outline our procedures in a transparent manner and explain what we are doing to comply with the new regulations.

We have also outlined the basis of the new regulation in a simple and straightforward way. The GDPR is complex and this is not intended to be a complete overview of all the duties we / you need to undertake in order to be compliant. However, it is hoped that publishing this document will enable you to understand how important it is to comply with GDPR, review your organisation’s data processing activities and produce your own policy document.

Introduction to General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016 and came into effect on 25 May 2018. The GDPR replaces the Data Protection Directive 95/46/EC and is intended to harmonise data privacy laws in order to protect the data privacy of all EU citizens. GDPR applies to all organisations (controllers and processors) processing the personal data of EU residents.

For data processing to be lawful under GDPR, organisations must identify and document the legal basis for each of their data processing activities before they process personal data.

As with the Data Protection Act, you need to gain consent from the person in order to process their data but there are much stricter rules under the GDPR. Following the introduction of the Act in May 2018, your data processing activity must be communicated in a transparent manner – with particular attention paid to the question of consent.

Failure to comply with the GDPR creates a significant risk for your business. For example, a personal data breach could result in a ‘Stop Order’ forcing a shutdown of all data processing activity. Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater) for the most serious infringements. It is important to note that these rules apply to both controllers and processors and ‘clouds’ will not be exempt from GDPR enforcement.

GDPR principles

It is not enough just to comply with these principles; you must be able to demonstrate compliance. This means having updated policies about how personal data is managed, responsibilities allocated, staff trained and systems audited. It also means bringing in technical measures to improve safety and security.


Under the GDPR there is a higher standard for consent. Consent is defined as a ‘freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.

Consent must be clear and provided in an intelligible and accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Organisations need to ensure that their technology systems allow for demonstrating consent as well as easy withdrawal of consent.

Individuals have the right to object to the processing of their personal data for direct marketing purposes.

Breach notifications

Under the GDPR, the supervisory authority needs to be notified of any data breach without undue delay and within 72 hours.  Controllers must also notify data subjects of a data breach involving their personal data unless the breach is unlikely to result in a high risk for the rights and freedoms of the data subjects, or appropriate technical and organisational measures such as encryption were in place at the time of the breach. 

Right of access

The right of access is substantially different under the GDPR. Everyone has the right to obtain confirmation as to whether or not personal data concerning them is being processed as well as details as to the purpose for which this data is processed. 

The GDPR introduces a best practice recommendation that where possible, organisations should provide data subjects with remote access to a self-service system in order to be able to access this information.

Right to be forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, stop any sharing of their data and potentially prevent third parties from processing the data too. The right to be forgotten is not an absolute right and there are certain grounds on which it can be refused, including the right to freedom of expression and information, or where the personal data is processed in the exercise or defence of legal claims.

Data Subject Rights

The full list of data subject rights introduced or strengthened by the GDPR is as follows:

Data portability

GDPR introduces the right for an individual to receive their personal data and to have the right to transmit that data to another controller. This is not an absolute right and only applies in certain circumstances.

Privacy by design

Privacy by design requires data protection to be included in the designing of systems from the start and to be embedded in all data processing activities. The controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of this regulation and protect the rights of data subjects. Only data absolutely necessary for the completion of its duties can be processed and access to personal data is limited to those who carry out the processing.

Privacy notices 

Information about how and why you process someone’s data is different under the GDPR.  The information you provide to people about the way you process their data must be:

In addition to explaining how you collect personal data, your identity and how you intend to use the data, you will also need to specify:

It is recommended that current privacy notices are reviewed so that they comply with the GDPR.

For all the latest information about the GDPR please see the ICO website at

Preparing for GDPR checklist

Our current procedures

When a client / customer supplies personal data to DSL, this is given to us in the form of a spreadsheet sent via a secure portal found on our website: outlining the name, address and contact details for the customers, together with details of the debt amount.

This data is then used to contact defaulters to collect debts. 

We also send invoices and statements via email.

Secure Data Portal

Customers are issued with a unique reference number and password that enables the transfer of data via an encrypted portal. Following safe receipt, DSL carry out a GDPR compliance check of the data and then start the debt collection process.

DSL customers will still receive paper versions of invoices and statements, unless you request otherwise.

How does DSL use personal data?

In order to collect debts, DSL staff use personal data supplied to us in order to contact individuals and organisations via the following methods:

Data sharing

From time to time, it is necessary for DSL to share personal data with the following:

Risk Register

In order to ensure that we are GDPR compliant, we are compiling a risk register to identify any areas of potential risk for data breaches. As we have fewer than 250 employees, we will also document processing activities that:

• are not occasional; or

• could result in a risk to the rights and freedoms of individuals; or

• involve the processing of special categories of data or criminal conviction and offence data.

DSL Data Systems are managed and supported by Fathom; the Fathom Security Policy accompanies this policy.


DSL, 2 The Court Yard, Bordesley Business Park, Dagnell End Road, Beoley Vale, Worcestershire, B98 9BH
Phone: 01527 543672
copyright 2023 © DSLUK All Rights Reserved