Responsibilities of Organisations under the General Data Protection Regulation

The following pages will provide information about organisational obligations under data protection legislation and the General Data Protection Regulation, including transparency with service users and how to respond to an individual who is exercising their data protection rights.

The GDPR places direct data processing obligations on businesses and organisations at an EU-wide level. According to the GDPR, an organisation can only process personal data under certain conditions. For instance, the processing should be fair and transparent, for a specified and legitimate purpose and limited to the data necessary to fulfil this purpose. It must also be based on one of the following legal grounds.

  1. The consent of the individual concerned.
  2. A contractual obligation between you and the individual.
  3. To satisfy a legal obligation.
  4. To protect the vital interests of the individual.
  5. To carry out a task that is in the public interest.
  6. For your company’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the individual whose data you are processing are not seriously impacted. If the person’s rights override your interests, then you cannot process the data.

The tabs at the side will take you to more detailed information about:

  • Your obligations under data protection.
  • How to respond to an individual exercising their rights.
  • How to make a notification to the Data Protection Commission in cases where your organisation or business has breached personal data.


The key steps you need to take to ensure compliance with data protection legislation:

  • Identify what personal data you hold (this can be achieved by setting out the information listed in Article 30 of the GDPR or for smaller companies a tailored process such as the accompanying template that identifies details of personal data held).
  • Conduct a risk assessment of the personal data you hold and your data processing activities (Article 24, Recital 75 and section titled "Risk based approach to being GDPR compliant").
  • Implement appropriate technical and organisational measures to ensure data (on digital and paper files) is stored securely. The security measures your business should put in place will depend on the type of personal data you hold and the risk to your customers and employees should your security measures be compromised (Article 32).
  • Know the legal basis you rely on (consent? contract? legitimate interest? legal obligation?) to justify your processing of personal data (Articles 6 to 8).
  • Ensure that you are only collecting the minimum amount of personal data necessary to conduct your business, that the data is accurate and kept no longer than is needed for the purpose for which it was collected (Article 5).
  • Be transparent with your customers about the reasons for collecting their personal data, the specific uses it will be put to, and how long you need to keep their data on file (e.g. notices on your website or signs at points of sale) (Articles 12, 13 and 14).
  • Establish whether or not the personal data you process falls under the category of special categories (sensitive) of personal data and, if it does, know what additional precautions you need to take (Article 9).
  • Decide whether you will need to retain the services of a Data Protection Officer (DPO) (Article 37).

We understand that data protection is essential to an organisation's reputation and the information in the following pages is designed to support you in conducting your business in a transparent and compliant manner. While we endeavour to keep our guidance as clear as possible, you may find our Key Terms section of value.