Why Gydeline?

Just a few reasons why Gydeline is the Compliance Service you need

Striving for Simplicity

We strive to keep compliance as simple as possible. You'll find no scare tactics, hidden costs or unneeded complexity.  Our mission is to provide a tool that can support all your compliance needs.

You Need to Get Started

It's easy to put 'doing the right thing' off. Being and keeping legal is just good business. We make the journey easier, guiding you through understanding, taking action and monitoring.

We're Open and Honest

This is not a one-stop shop for all compliance needs... we don't think anyone is. Gydeline is a great platform for compliance; we can connect you to others that can help you achieve your goals, or get the best from your team and existing suppliers.

Making it Affordable

We work hard to keep our prices realistic and within your reach.  You can subscribe for as short as one month. An active subscription will never go up in price. The very nature of our tool allows you to control your compliance implementation costs.

Continuous Updates

When guidance is released by regulatory bodies, we integrate the content into our tool, and you just have to look at your dashboard to work out whether you have anything more to do to align.

A Platform for Compliance

We have built a tool that will, over time, support multiple regulations and standards, much quicker and easier than if these were assessed individually.

Your answers COUNT - Collected Once Used Numerous Times

General Data Protection Regulation - Monitoring Requirements

Becoming GDPR compliant is not a one-time event. The regulations state that monitoring your status is a key aspect of complying with the law. The applicable sections which outline this are set out below:

Demonstrate compliance with Processing principles - Article 5(2)

Article 5 - Principles relating to processing of personal data

1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Able to demonstrate that processing is performed in accordance with this Regulation - Article 24(1)

Article 24 - Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Processor to provide evidence of compliance - Article 28(3)(h)

Article 28 - Processor

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Data Protection Impact Assessment to contain the monitoring measures - Article 35(7)(d)

Article 35 - Data protection impact assessment

7. The assessment shall contain at least:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Data Protection Officer tasks include monitoring - Article 39(1)(b,c)

Article 39 - Tasks of the data protection officer

1. The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.


Gydeline could be the answer to your company's compliance

Try Gydeline's Cyber Essentials package for free - just head to our pricing page

Copyright 2016–2018 Gydeline Ltd

Registered in England & Wales No. 09559617 | 48 St Nicholas Street, Bodmin, Cornwall, PL31 1AG | VAT No: 226 0817 24