Entry 6 of 6


Welcome to the sixth and final blog in our 6-part series on GDPR. With so much emphasis on the new regulation and the May 25th deadline drawing closer, we wanted to offer you some assistance in addressing the key questions around the new requirements. As you know, acceptcards® are experts in payments… but not so much in data protection regulations, with this in mind we have invited our friends from Legacy IT Consultants Ltd to write this guest series on our behalf. Enjoy!

The General Data Protection Regulation (GDPR) is an EU regulation that seeks to strengthen and unify data protection for all EU residents. The Accountability Principle means that organisations must be able to demonstrate compliance with the regulations, and it is explicit in stating that this is the responsibility of the organisation.

You must adopt appropriate technical and organisational measures that demonstrate and ensure compliance.

Elements could include:-

  1. Internal data protection policies
  2. Staff training
  3. Awareness campaigns
  4. Documentation and audit of all processing activities (manual and automated)
  5. HR policies

You should also consider:-

  1. Maintaining appropriate documentation on processing activities
  2. Documenting any ongoing control and monitoring mechanisms
  3. Appointing a Data Protection Officer (DPO) – in some cases this is mandatory

To support ongoing compliance, you should implement change management processes that ensure data protection by design and data protection by default.

Elements could include:-

  1. Data minimisation – removing data that is no longer necessary
  2. Pseudonymisation – separating identifiable elements
  3. Anonymisation – masking data so that it is no longer identifiable
  4. Transparency
  5. Process monitoring
  6. Additional checkpoints in the Software Development Lifecycle
  7. Maintaining and enhancing security features and adopting the relevant standards
  8. Data protection impact assessments where appropriate Organisations can also consider adherence to approved Codes of Conduct and / or certification schemes. However, it is not anticipated that these will exist in advance of the enforcement of the GDPR.


Keeping internal records of processing activity is mandatory for organisations with more than 250 employees. Smaller organisations must keep internal records of processing activity for higher risk processing where, for instance, the processing of personal data could result in a risk to the rights and freedoms of the individual, or the processing involves special categories of data.

These records include processing activities involving employee data. This is similar to the details of ‘registrable particulars’ under the Data Protection Act (DPA).

Information that must be recorded includes:-

  1. Name and details of your organisation
  2. Details of other Data Controllers, your representative, and your DPO
  3. Purposes of the processing
  4. Description of the categories of individuals and categories of personal data
  5. Categories or specific details of recipients of personal data
  6. Details of transfers to third countries
  7. Particulars of the transfer mechanism safeguards for third countries
  8. Data retention rules
  9. Description of technical and organisational security measures
  10. Details and implications of cloud services


For more information, advice or assistance on the GDPR please visit the Legacy IT website here or email them at enquiries@legacyit.co.uk

Author: Mike Madden – Legacy It Consultants Ltd.