
GDPR – Key Areas

Processing Data

What is ‘Processing’?

‘Processing’ refers to any handling or storage of personal data, and GDPR requires that you take steps to ensure you undertake all aspects of data management safely, sensibly and securely.

You must have and record a ‘lawful basis’ for processing data – find further details here. Remember that different activities will have different lawful bases – e.g. sending a marketing email requires opt-in consent from the recipient, but sending an email with an invoice after a project is part of a contract and does not require separate consent.

As a controller or processor, it is your responsibility to demonstrate accountability and governance, maintain secure systems, and give people appropriate access to the data you hold on them.

Read more about lawful bases for processing on the ICO website.

How EJC helps

We are a processor when working on behalf of our clients, who are controllers. We make technical, informed decisions about service providers who provide hosting, file management, email and security systems. Each supplier we use is also a processor.

Data storage – we manage both in-house servers and cloud-based storage, ensuring only users with correct permissions can access data.

GDPR requires that you protect against…

Unauthorised or unlawful processing – we make sure that your systems are safe and secure from external attacks, and advise you on best practice for security and password management.

Accidental loss, destruction or damage – our backup systems mean we can completely or partially restore data which is lost, whether it’s through accidental deletion, software or hardware failure.

Accountability & Governance

What changes under GDPR?

GDPR elevates the significance of accountability and governance and complements its transparency requirements. You are expected to put ‘comprehensive but proportionate’ measures in place to achieve this, which minimise the risk of data breaches, and ensure protection of personal data.

These include the following measures, which we have explained further below:

  • Contracts
  • Documentation
  • Data protection impact assessments
  • Data protection officers

Read more about accountability and governance on the ICO website.

How EJC helps

Safety and security are baked into the EJC approach, from the software, hardware and suppliers we choose, to the advice we give and the systems we set up.

We can help you to review your technical processes and security, and implement the appropriate measures to ensure you comply.

This might range from password management systems that avoid staff using common passwords like Password1234!, to helping you review security policies or train your staff to avoid ‘phishing’ and other potentially dangerous scams.


Contracts

Whenever a controller uses a processor, a written contract must be in place, to ensure both parties understand their responsibilities and liabilities. Outsourcing data management to a third-party processor does not absolve you of responsibility as a data controller.

Processors should only act on written instructions of controllers, and take appropriate measures to ensure security and GDPR compliance. Importantly, processors can only engage sub-processors with the consent of a controller, and only with a written contract.

Read more about contracts on the ICO website.

How EJC helps

We are a processor and also engage sub-processors. For example, we might use Microsoft Office 365 to provide an email service directly to our clients. In that situation, because we set up and manage the account, the client is the controller, we are the processor and Microsoft is the sub-processor.

All of our client contracts ensure compliance with GDPR, and we have a ticket system in place to ensure all requests and communication are documented in writing. We have also completed due diligence on each of our suppliers to ensure they are fully GDPR-compliant.


Documentation

Companies – controllers and processors – with under 250 employees must document data processing activities that:

  • are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or
  • are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
  • involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the GDPR).

(Companies with over 250 employees must document all processing activity.)

The ICO has produced two Excel templates to assist with documentation, one for controllers and one for processors.

Read more about documentation on the ICO website.

How EJC helps

As a processor, and as part of our duties engaging sub-processors, we perform all the relevant documentation duties required of us.

You can view our GDPR Statement here, which sets out our responsibilities to our clients.

We can also help you to identify areas you need to document, some of which you might not be aware of, and ensure that you have all the relevant information and technical details.

Data protection impact assessments

DPIAs, also known as Privacy Impact Assessments (PIAs), help to identify and manage problems at an early stage, and help meet an individual’s expectation of privacy.

You must carry out a DPIA whenever you use new technology or systems, and if data processing is likely to result in a high risk to an individual’s rights or freedoms.

Read more about DPIAs on the ICO website.

How EJC helps

Whenever we recommend a new technology or supplier, we help you assess whether a DPIA is required, and if one is needed, can work with you to complete it.

Data protection officers

Not every company has to appoint a data protection officer – but you must still ensure your organisation has sufficient staff, skills and understanding to comply with GDPR.

To check whether you need to appoint an officer, you should read more about data protection officers on the ICO website.

How EJC helps

We are not required to appoint a data protection officer, but have made sure we have a full understanding of GDPR at management level, and that our staff are aware of their rights and responsibilities with regard to all data we process, manage or have access to.

More on GDPR

GDPR Resources

Find more information on what GDPR means for you, how you need to prepare and why working with EJC helps you along the way.


Useful Definitions

Detail on some of the key terms you'll need to understand to ensure you are GDPR-compliant



An extra focus on GDPR security issues, an area EJC are best-placed to help


EJC GDPR Statement

Our statement covers how EJC meets the requirements of GDPR


Need more help?

GDPR can seem pretty daunting. If you'd prefer to just talk through it, click below or call us on 0370 600 9700.

We can arrange an appointment to give you more information and discuss where we can help.

Important reading

The Information Commissioner’s Office (ICO) provides both comprehensive and straightforward advice and information on GDPR. Here are four useful links to make sure you fully understand your responsibilities:

12 Steps

The ICO’s quick twelve-step overview to GDPR


Full and comprehensive guidelines from the ICO


Step-by-step checklists to make sure you’ve covered everything


A series of GDPR ‘mythbusting’ blog posts from the ICO
