GDPR compliance - without the jargon

All businesses in Scotland need to comply with the GDPR. It can sound complicated, but it doesn’t have to be.

Plain English Law is a Dundee law firm with international qualifications in business law and data privacy law.

Talk to us about our GDPR compliance services, including data mapping, risk mitigation, and DPO-as-a-service.


You don’t speak legalese. Neither do we.

Plain English Law is your Dundee-based business law and GDPR compliance partner. Our services include:

+ - Data Mapping

Typically the first step to compliance, we'll help you identify and record:


  • what personal data you hold
  • who it's about
  • where you get it from
  • why you collect it and how you use it
  • your legal basis for processing (e.g. consent, legitimate interest, etc)
  • where you store it
  • how you keep it safe
  • who has access to it


This information is used to create a record of personal data you use, such as required by GDPR Article 30.

+ - Data Protection Impact Analysis

Some uses of personal data are risky and require a documented, formal data protection impact assessment (DPIA).

We can support you and your staff to:

  • identify when a DPIA is required
  • conduct a DPIA only if required
  • document the process
+ - Gap Analysis

Nobody's perfect. Most businesses have some data handling processes that don't comply with privacy laws.

A structured gap analysis can identify and close these compliance gaps.

This is most easily done along with data mapping. As we find issues, we help you develop solutions that work with your business, and create a record of the process.

+ - Plain English privacy documentation

Most privacy laws require you to be transparent. You must tell people what data you have about them and what you are doing with it.

It's harder than it looks. Too much detail can make your privacy notice hard to understand. Customers don’t like that, and neither do privacy regulators.

Let us help you strike the right balance with plainly written, concise, legally compliant privacy notices.​

+ - Data breach response

Mistakes happen. Defences can be breached.

What do you do if personal data is stolen or leaked? Your response to the breach can be just as important as preventing it in the first place. And you'll have little time to weigh your options.

We can help you to:

  • develop a breach response plan so you are ready to act
  • decide if you need to inform the authorities, other data controllers, or data subjects about a breach
+ - Data subject rights

Most data protection laws, including GDPR and PIPEDA, give individuals a series of rights:

  • access to data about them
  • rectification (you must correct inaccurate data)
  • deletion or erasure of data
  • objection to processing

Responding to a data subject can be complicated. Deadlines are tight, and your response must respect the legal rights of others. Increasingly, employees request to access information about dismissals and redundancy processes.

We can help you to:

  • develop your process for managing requests
  • craft your responses
  • determine when you can (or should) refuse a request
+ - DPO as a Service

The GDPR requires some organisations to appoint a Data Protection Officer (DPO). Others may choose to appoint one without being required.

The DPO is an independent advisor reporting to the highest levels of management. DPOs monitor compliance and advise on privacy operations, such as DPIAs and maintaining records of processing activities. They also liaise directly with the data protection supervisor, such as the UK's Information Commissioner, on privacy matters and mandatory consultations.

The GDPR requires all DPOs to have expert knowledge of data protection law and practice. Plain English Law can provide an expert DPO, qualified as both a solicitor and as a IAPP-accredited CIPP/E (Certified Information Privacy Professional/Europe).

+ - UK Data Protection Representative

Some companies outside the UK need to comply with the UK’s GDPR. That can include appointing a UK-based GDPR Representative if you have no "establishment" in the UK.

Wherever you are in the world, you must comply with the UK GDPR to:

  • sell to individuals in the UK,
  • use tracking cookies on a website accessible from the UK, or
  • process UK personal data on behalf of a business customer.

Best of all, we work in plain English.

Book a free 30-minute consultation in plain English.

Frequently Asked Questions

+ - What is data mapping?
Data mapping is another term for a personal data audit or information audit. It’s how you create your organisation’s record of processing activities, which is required by article 30 of the GDPR.
We can help you plan your data mapping process, complete your record of processing activities, and develop systems to keep it up to date.
+ - How do you build a data map?
Building a data map isn’t hard, but it can be a lot of work the first time you do it.
Data mapping involves looking at the personal data used by every team and function across your organisation. There’s no set method, but we find it helpful to start by having the team list the tasks that make up their jobs. Then we ask how they do those tasks: what systems they use, and what information they access or enter into those systems.
You record your findings in the record of processing activities (ROPA).
+ - What is a record of processing activity (ROPA)?
One of the new things the GDPR brought to privacy law is accountability: to comply with the GDPR you must be able to demonstrate that you comply with the GDPR.
An up-to-date record of processing activities is the cornerstone of GDPR compliance. It shows your organisation is on top of its data privacy responsibilities.
To build a good record of processing activities (ROPA), you take stock of your personal data and document:
  • What kinds of personal data you are using
  • Who the data’s about (the “data subjects”)
  • Where you got it
  • Why you have it
  • Your legal basis under the GDPR for using it
  • Who all the controllers are 
  • Whether you are a controller or a processor
  • How you track consents and objections to processing
  • Where you store the data and how you keep it safe
  • How long you keep it
  • Who you share it with and why
  • Who is processing the data on your behalf
  • What data processing agreements you have with external processors
Article 30 of the GDPR sets out the legally required minimum content of any ROPA.  
The UK’s Information Commissioner’s Office provides helpful starting points with their free templates:   
For controllers: record of processing activities template (Excel spreadsheet)
For processors: record of processing activities template (Excel spreadsheet)
+ - I’ve completed my record of processing activities – am I done?
Nope. It’s an ongoing task to keep the ROPA accurate and up to date. Every time you start using a new system or app, ask yourself:
  • What are we going to use this app for? Why do we need it?
  • What information will we put into the app? Is any of it personal data?
  • Is this app going to generate new data?
Then look at your ROPA. Is this use of personal data already covered? What about the new app, and the app vendor?
+ - Data mapping sounds like an expensive box-ticking exercise – what’s the point?
This is a good question. Complex and bureaucratic processes are frustrating and expensive. Usually they add little value to the organisation.
The GDPR? It’s far from perfect, but there is a certain amount of method to this madness.
Data mapping forces us all to confront the masses of personal data we collect and ask a few important questions. Why do I have this data? Are my purposes legal and legitimate? Do I even need this data to accomplish those goals?
Storage has become so cheap that most of us stopped worrying about running out of space years ago. Nobody has to clean out old data to make space anymore. That’s far more expensive than just buying more cheap storage space.
We don’t even need to manage the storage ourselves. With cloud computing, our mess is kept in someone else’s data centre. So we keep accumulating data of all kinds, often without keeping it organised or up to date.
The GDPR forces you to stop doing that. When you map your data, you are surveying the mess. Then you can make a plan to clean it up without throwing away the data you still need.
+ - Does the GDPR still apply after Brexit?
The UK’s Data Protection Act 2018 brought the GDPR into UK law. This new “UK GDPR” is almost identical to the EU GDPR.
For most UK organisations, GDPR compliance is the same after Brexit as it was before Brexit. However, there’s an important change if you sell to consumers in the EU: you might need to appoint an EU GDPR Representative if you don’t have a location in the EU.
+ - How has Brexit changed GDPR compliance?
For many organisations, almost nothing has changed, except:
  1. If you are an EU / EEA business selling to the UK, you may need to appoint a UK GDPR Representative.
  2. If you are a UK business selling to the EU / EEA, you may need to appoint an EU / EEA GDPR Representative
+ - Is GDPR compliance different for B2B versus B2C businesses?
The GDPR applies to all personal data you use in your business. This includes data about your B2B business contacts, such as the employees of your suppliers and customers.
However, some rules can apply differently when you are using consumer data compared to business data.
For example, most businesses use "legitimate interest” as the legal basis for keeping a marketing database with individual contact details. Whenever you rely on legitimate interest, you must balance the benefits of what you are doing against the impact it has on the data subject (the person whose data you are using).
B2C data use can be more challenging to justify than B2B data use. Normally, using someone's work address and phone number is less intrusive than using their home address and phone number.


+ - Does every business need a Data Protection Officer?
Public authorities normally require a DPO, but only some private businesses will require a DPO.
A business must appoint a DPO if it does one of the following as part of its “core activities”:
  1. large scale, regular and systematic monitoring of individuals (examples: online behaviour tracking, CCTV)
  2. large scale processing of “special categories” of data (see GDPR Article 9) or data relating to criminal convictions and offences (see GDPR Article 10
As a result, private companies often don’t require a DPO. However, they can appoint one voluntarily.
+ - We are outside the UK. Do we need a UK GDPR Representative?
You must appoint a representative located in the UK if all of these are true:
  1. You are outside the UK.
  2. You don’t have a UK office, branch, or other establishment.
  3. You are subject to the UK GDPR anyway because you:
  • offer goods or services to consumers in the UK; or
  • monitor behaviour of individuals in the UK.
When the UK was part of the EU, these rules did not apply to organisations in the EU or the wider EEA. With Brexit complete, EU and EEA companies must now appoint a UK-based representative.
+ - We are in the UK. Do we need an EU GDPR Representative?
Before Brexit, UK organisations did not need to appoint any EU or EEA representatives. With the UK outside the EU, that’s now changed.
If you are a UK organisation, you must appoint a representative located in an EU or EEA country if all of these are true:
  1. You don’t have an office, branch, or other establishment in the EU / EEA.
  2. You are subject to the EU GDPR anyway because you:
  • offer goods or services to consumers in the EU / EEA; or
  • monitor behaviour of individuals in the EU / EEA.

Book a free 30-minute consultation in plain English.

Back to top