Unified Data Privacy Framework

Our Unified Data Privacy Framework is unique

Our Unified Data Privacy Framework is built to GDPR standards and adapts to include other data privacy laws. Take control of your data protection!

Our Unified Data Privacy Framework

  • Gives you full control over managing data protection across your organisation
  • Rationalises what data protection controls should look like in your organisation
  • Fits into any risk management framework you have
  • Puts you in control of data protection management
  • Is built to GDPR standards and adapts to include other data privacy laws (CCPA, PIPEDA, etc.)

Unified Data Privacy Framework overview

Our GDPR framework is in operation for our clients.

Implementing our benchmark GDPR framework gives you full control over managing data protection across your organisation.

Our benchmark GDPR framework provides a simple explanation of what GDPR data protection controls should look like in your organisation.

Our benchmark GDPR framework should fit into any risk management framework you have. If you don’t have one, we will guide you through getting one set up.

If you would like to know more, contact us today.

Here is an executive overview of the GDPR framework in operation illustrating the two primary components, Protect and Comply.

[Diagram: Unified Data Privacy Framework executive overview, showing Protect and Comply using the Unified Data Privacy Framework]

The following diagram shows the components needed to implement Protect and Comply. Following the diagram is a brief description of each framework component.

[Diagram: Unified Data Privacy Framework components]

The descriptions provide an executive overview of each framework component and the key GDPR articles to which each component cross-references.


Personal data governance

Personal data governance is a set of components to ensure that personal data is formally managed throughout the enterprise and that all processing, use and behaviour are compliant.

Key articles covered

  • Article 5 – Principles relating to the processing of personal data
  • Article 24 – Responsibility of the controller
  • Article 27 – Representatives of controllers or processors not established in the Union

Data protection policy

Explains how data privacy obligations are met as a Controller and a Processor of personal data. The policy sets out clear objectives for data privacy, clear Roles and Responsibilities, an outline of key control types, and a risk appetite statement.

Key articles covered

  • Article 1 – Subject-matter and objectives
  • Article 2 – Material scope
  • Article 3 – Territorial scope
  • Article 4 – Definitions
  • Article 5.1 – Six principles relating to processing of personal data
  • Article 6 – Lawfulness of processing
  • Article 7 – Conditions for consent
  • Article 9 – Processing of special categories of personal data
  • Article 10 – Processing of personal data relating to criminal convictions and offences

Data Protection Officer (DPO)

Job description, role and responsibilities for the Data Protection Officer. The Data Protection Officer is someone with expert knowledge of data protection law and practices who monitors internal compliance. If you are unsure if you need a Data Protection Officer, take our test.

Key articles covered

  • Article 37 – Designation of the data protection officer
  • Article 38 – Position of the data protection officer
  • Article 39 – Tasks of the data protection officer

Advice, oversight, Supervisory Authority (SA) relations

The DPO serves as the single point of contact for personal data advice, overseeing data privacy compliance and managing the relationship with Supervisory Authorities.

Key articles covered

  • Article 31 – Cooperation with the supervisory authority
  • Article 42 – Certification
  • Article 58 – Powers
  • Article 77 – Right to lodge a complaint with a supervisory authority
  • Article 78 – Right to an effective judicial remedy against a supervisory authority
  • Article 79 – Right to an effective judicial remedy against a controller or processor
  • Article 80 – Representation of data subjects
  • Article 81 – Suspension of proceedings
  • Article 82 – Right to compensation and liability
  • Article 83 – General conditions for imposing administrative fines
  • Article 84 – Penalties

Personal data rights treatment

Personal data rights treatment enables transparency with data subjects to know the who, what, why, where, when and how of their personal data use.

Key articles covered

  • Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject
  • Article 13 – Information to be provided where personal data are collected from the data subject
  • Article 14 – Information to be provided where personal data have not been obtained from the data subject

Enquiries, requests, complaints

Ensures that adequate processes are in place to respond to data subject access requests relating to their personal data.

Key articles covered

  • Article 8 – Conditions applicable to child’s consent in relation to information society services
  • Article 11 – Processing which does not require identification
  • Article 15 – Right of access by the data subject
  • Article 16 – Right to rectification
  • Article 17 – Right to erasure
  • Article 18 – Right to restriction of processing
  • Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 – Right to data portability
  • Article 21 – Right to object
  • Article 22 – Automated individual decision-making, including profiling
  • Article 23 – Restrictions
  • Article 26 – Joint controllers

Training and awareness

Preparing material and training to ensure adequate staff knowledge for handling personal data.

Key articles covered

  • All

Records management

Records of data use and processing are created and maintained. Processing has a broad scope covering collection, storage, internal processing, external processing, viewing and transfers. This component also deals with other aspects of compliance record keeping.

Key articles covered

  • Article 30 – Records of processing activities

Local legal considerations

Local legal requirements must also be taken into account. Examples are national variations of data protection laws and mandatory retention periods for fiscal records, fraud records, employee records, etc.

Key articles covered

  • Article 85 – Processing and freedom of expression and information
  • Article 86 – Processing and public access to official documents
  • Article 87 – Processing of the national identification number
  • Article 88 – Processing in the context of employment
  • Article 89 – Safeguards and derogations relating to processing for archiving purposes
  • Article 90 – Obligations of secrecy
  • Article 91 – Existing data protection rules of churches and religious associations

Data sharing and transfers

Policy, process and procedures to ensure that personal data is shared and transferred legally, that adequate technical and contractual safeguards are in place and that any Processors have a clearly defined set of operating instructions.

Key articles covered

  • Article 44 – General principle for transfers
  • Article 45 – Transfers based on an adequacy decision
  • Article 46 – Transfers subject to appropriate safeguards
  • Article 47 – Binding corporate rules
  • Article 48 – Transfers or disclosures not authorised by Union law
  • Article 49 – Derogations for specific situations

3rd party compliance

A verification process ensuring that all contracts involving personal data sharing are built correctly, periodically checked and that Processors are inspected or audited to verify their operation within their instructions.

Key articles covered

  • Article 28 – Processor
  • Article 29 – Processing under the authority of the controller or processor

Data risk assessment (DPIA)

Due diligence analysis assessing the level of personal data risk involved, cost avoidance, fit-for-purpose, legal compliance with a proposed solution and mitigation recommendations. This policy underpins the GDPR mantra: “Data privacy by design and default”. All solutions must be seen to take personal data protection into account, and all processing must default to a personal data protection fail-safe state.

Key articles covered

  • Article 25 – Data protection by design and by default
  • Article 35 – Data protection impact assessment
  • Article 36 – Prior consultation

Security and access

Planning, developing and executing security policies and procedures to provide proper authentication, authorisation, access, and auditing of data and security measures.

Key articles covered

  • Article 32 – Security of processing

Breach notification

Planning, development and execution of policies and procedures to notify the organisation’s Executive and, where necessary, inform the ICO and data subjects that a personal data breach has occurred. Failing to notify a severe breach is a serious compliance infraction.

Key articles covered

  • Article 33 – Notification of a personal data breach to the supervisory authority
  • Article 34 – Communication of a personal data breach to the data subject