GDPR for Managers Part 1 of 5 : What it is, why it matters, and how iProtectU helps

Understand GDPR principles and rights, then put them into practice with iProtectU—training, policy control, vendor records and auditable actions.

What is GDPR?

GDPR (General Data Protection Regulation) governs how organisations collect, use and protect personal data. It applies to any organisation processing the personal data of EU/UK residents, wherever that organisation is based. For managers, GDPR is about doing the right thing with data—and being able to prove it.

This guide explains the core principles, the lawful bases for processing, data subject rights, and a practical compliance checklist. You’ll also see how iProtectU supports GDPR with IIRSM-approved awareness training, policy/document control, and auditable records.

GDPR sets out the rules for processing personal data—any information that can identify a person, directly or indirectly (e.g., names, emails, employee IDs, photos, location data, online identifiers). It requires organisations to be lawful, fair and transparent, to protect data with appropriate controls, and to ensure individuals can exercise their rights.

The seven GDPR principles (Overview)

  1. Lawfulness, fairness & transparency – process data legally and honestly; tell people what you do.

  2. Purpose limitation – collect data for a clear, specific purpose and don’t reuse it incompatibly.

  3. Data minimisation – only collect the minimum necessary.

  4. Accuracy – keep data correct and up to date; rectify mistakes.

  5. Storage limitation – only keep data as long as needed; define retention.

  6. Integrity & confidentiality (security) – protect data with suitable technical/organisational measures.

  7. Accountability – be able to demonstrate compliance (records, policies, DPIAs, training).

Lawful bases for processing (pick the right one)

Consent (freely given, specific, informed, unambiguous)

Contract (necessary to perform a contract)

Legal obligation (required by law)

Vital interests (to protect someone’s life)

Public task (official functions, public interest)

Legitimate interests (your organisation’s interests, balanced against individual rights)

Data subject rights (what people can ask for)

Access (Subject Access Request)

Rectification (fix inaccuracies)

Erasure (“right to be forgotten”)

Restriction (pause processing)

Portability (get their data in a usable format)

Objection (to certain processing, e.g., direct marketing)

Rights related to automated decision-making and profiling

Practical GDPR checklist for managers

How iProtectU helps with GDPR

IIRSM-approved GDPR awareness training – assign to staff/managers, track completion, and schedule refreshers.

Policy & document management – publish privacy notices, retention schedules and procedures; version control ensures a full audit trail.

Vendor/processor records – store contracts, data processing agreements and due-diligence checks.

DPIAs & risk logs – consistent templates, actions and reviews to manage high-risk processing.

Tasking & reminders – owners, due dates and renewals for RoPA, DPIAs, policy updates and vendor checks.

Dashboards & reporting – real-time view of training, policy acceptance, actions and expiries for audit readiness.

Combine training + policy management in one platform and you’ll close the loop from awareness to evidence.

GDPR FAQs

Our FAQ guides enable you to make informed decisions about how our health and safety software can benefit your organisation.

For anything else please request a demo, call or send us an email.

The UK applies the UK GDPR alongside the Data Protection Act 2018; it mirrors GDPR principles closely. If you operate across regions, design for the higher standard.

No. Consent is one of six lawful bases. For many HR or service-delivery activities, contract or legitimate interests may be more appropriate—document your choice.

A Data Protection Impact Assessment evaluates high-risk processing (e.g., large-scale monitoring, special category data). It documents risks and the measures you’ll put in place.

If a personal data breach is likely to risk people’s rights/freedoms, report to the supervisory authority within 72 hours and inform affected individuals when required.

Yes—book a free demo and we’ll tailor a walkthrough to your industry, data and processes so you can see how iProtectU fits your organisation.
