General Data Protection Regulation GDPR Implementation Project Plan | Requirements and Condition or Purpose | Specific Business Guidance | Template for FCA Applications and Authorised Firms

Many UK organisations processing personal data will have been obligated under the previous Data Protection Act 1998. This means that you may already have some form of program already in place

2. If you are continuing to use any existing data protection relevant documents, ensure that any reference to Data Protection Act 1998 is replaced with the GDPR & DPA18 (or your country’s relevant Data Protection Law and any guidelines)

3. If the document, system, application or online form collects personal data, ensure it is accompanied by a compliant Privacy Notice (see Privacy Notice section) and if applicable, consent request

As you have purchased our GDPR documents, you are likely to be replacing any policies & templates; however, you will likely have forms, documents & templates specific to your business type that can be revised instead of restarted

(Article 5(2))

2. Ensure that you have and continuously maintain a clear and structured set of records for all GDPR & DPA18 requirements

3.       For organisations with managerial levels, providing Management Information on a regular basis is an essential part of demonstrating compliance and also support the accountability principle

The GDPR will affect all staff and all business functions, so ensuring that everyone is aware of the changes is essential

2. Decision makers & key people must understand the changes and what is expected

3. Dependant on your size & scope, allocate the resources & budget required

4. Identify which employees handle personal data or are directly involved in, affected by data protection

5. Provide those identified above with GDPR staff training sessions as soon as possible

6. Roll out training to all other staff (in stages or in full dependant on your size)

7. Create an intranet or location where GDPR support and resources can be accessed

8. Create/revise training records for all staff and document all training sessions, support & resources

For small organisations, working through this plan, reading the policy documents and templates & referring to ICO’s extensive guidance can serve as training

(Article 37)

a) Processing is carried out by a public authority or body

b) Core activities consist of processing operations which require regular & systematic monitoring of data subjects on a large scale; or

c) consist of processing on a large scale of special category or criminal convictions personal data

2. Ensure adequate training and support is made available to the appointed person

3. Document reporting lines to and from the DPO to employees, senior management & third-parties

4. Complete the DPO Responsibilities template with the DPO/Leads details

5. Register the details of your DPO with the ICO

Even if you are not obligated to appoint a DPO, having a designated lead is useful for carrying out DPO duties & maintaining compliance with the GDPR requirements

Note: if it is not clear from the conditions whether you need to appoint a DPO, you should record your assessment determination process

Essential for documenting data flows & recommended by the ICO to assist with GDPR preparation & ongoing compliance

2. Use the Information Audit template map the personal data flowing through your organisation

3. Review all personal data sources and document in the audit which legal basis you using to process under Article 6(1) & 9(1)

4. Aim to have a separate line for each processing purpose (i.e. you collect name, address, email & DOB from customer; the name & address are for delivery; the email is opt-in marketing & the DOB for a credit check. These categories have different processing purposes and so should be on a separate line, despite being collected at same time & from same source)

Optional: You can add a column to the audit template for ‘Rights’ with details of which rights apply to each category (i.e. Employee have the right to request access, but not to erasure; those under legal obligation processing can request rectification of data, but not object to processing).

This would then give you an at-a-glance view of which data subject rights are applicable for the personal data categories you have detailed on the audit and can be reference when you receive a request.

(Article 30)

• is likely to result in a risk to data subjects
• is not occasional; or
• includes special category or criminal conviction data (Article 9(1) or 10)

2. Review existing retention periods, processor agreements, information security measures & recipients of data to obtain the necessary data

3. Complete the Processing Activities Register

4. The register should be reviewed regularly to ensure it is still accurate and up-to-date. Choose a frequency based on your size and add review date to a calendar or audit register

Controllers and processors have slightly different documentation obligations

If you are a controller and process special category or criminal conviction offence data, also complete the blue section of the register to comply with Schedule 1 of the Data Protection Act 2018

(Articles 12, 13, 14)

All controllers are required to have a Privacy Notice in place providing the GDPR information disclosures

2. Assess how many notices you need & what format they should be in*

3. Review/create a new Privacy Notice noting: –

a) Name & contact details of the controller & if applicable, their representative & DPO
b) Purposes & legal basis of the processing (& if applicable, the legitimate interests)
c) Recipients of personal data & details of transfers to third country and safeguards
d) Retention period or criteria to determine period
e) Details of data subject’s rights
f) If processing based on consent, right to withdraw consent at any time
g) Right to lodge complaint with supervisory authority
h) Whether the provision of personal data is a statutory or contractual requirement (& consequences of failure to provide data)
i) Existence of automated decision-making

4. Use the Privacy Notice template for revise/create your notice(s) & customise to suit your business

5. Ensure your notice is legible, clear & is not bundled with any other information or T&C’s

6. If relying on consent for processing data, the notice needs to be accompanied by a consent form

If you offer promotions, offers, newsletters, marketing etc as an option when obtaining personal data, you must have a clear opt-in section towards the end of the notice with unticked, opt-in boxes (see template)

If data is not obtained directly from individual, you must also specify the categories and source of personal data

(Article 7)

Where processing is based on consent, the controller can demonstrate that the data subject has consented to processing of their personal data

For direct marketing consent, it is a good idea to use ‘double opt-in’ as this ensures an extra layer of positive opt-in and serves as your date & time evidence for the consent

A withdraw consent/unsubscribe option must be included where processing is based on consent

Consent must be clear, detailed and enable a positive opt-in. It cannot be a precondition of a service and must be separate from any other matters (i.e. terms & conditions)

There is a consent template in your Privacy Notice template

1. For new customers/individuals, you need to decide whether you are relying on consent or legitimate interests for marketing: –
   a) If choosing consent, see the ‘consent’ section above with actions to take
   b) If you think that legitimate interests apply, you do not need consent to send marketing, but you do need to: –
   c) state in the Privacy Notice what those legitimate interests
   d) complete a legitimate interests’ assessment to show evidence that this basis is more appropriate than consent
   e) evidence how the organisation’s interests are balanced with the interests and rights of the individual and that no privacy risk or detriment is likely to occur through the marketing
   f) still provide an opt-out/unsubscribe feature
2. For existing customers/individuals who have previously consented to receiving marketing, see the notes section to the right

NOTE: One of the confusing part here is that if you have previously obtained consent from an individual to market to them, you cannot now switch to legitimate interests (as you gave them a consent/opt-in option and would not have stated your interests at the time the data was collected).

So, if you used obtained consent for marketing from existing customers, you need to review that consent for GDPR compliance and regain consent where applicable

(Article 24(2))

The controller must implement appropriate data protection policies to demonstrate the technical and organisational measures taken to comply with the GDPR

1. Your included Data Protection Policy already sets out your business’s approach to data protection, together with responsibilities for implementing the policy and monitoring compliance – however, you should review the content to ensure it suits your business type and requirementsSpecific review areas include: –a) Privacy by Design – add any specific measures or controls you use for encryption, pseudonymisation, data minimisation, restricted access or security controls
   b) Special Category Data – if you do not/will never process any special category/criminal data, you can reduce this section to specify that you understand the requirements, but that they do not apply to you and you will review your position and processing activities if required
   c) Records of Processing Activities – all options for this requirement are in the policy, so retain only the paragraph that applies to you (i.e. less than 250 staff, processor etc)
   d) Third-Party Processors – if you do not/will never use any external processors, you can edit this section to retain only the first paragraph (removing the content that specifies how you comply). State that you do not use any processors, but are aware of the requirements
   e) DPIA’s – this section should be customised to either include your specific DPIA processes or reference the location of the document with those procedures; or, leave the DPIA description but note if you do not ever need to complete such an assessment, detailing your processing activities as further evidence that a DPIA is not needed
   f) Automated Decision Making – this may not be applicable to many organisations, so again with this section, if it is not applicable to you, reduce the section down to an explanation of what automatic decision making is and why your processing activities/business do not do any
   g) Data Transfers – if you do not transfer any data outside the EU, you can edit this section to advise this and file the International Data Transfer Procedure in case required in the future
2. Ensure the policy is made available, and communicated to all staff
3. Have a monitoring schedule in place to review this policy (and all others) regularly to ensure it still meets your requirements and is fit for purpose*

Owing to the vast array of requirements presented in the GDPR and that not all requirements are relevant to all businesses, we have created a main Data Protection Policy and then have standalone policies/procedures for: –

• Data Retention & Erasure
• Data Breaches & Notifications
• International Data Transfers
• Subject Access Requests
• DPO Responsibilities
• Privacy Notice Template

We recommend leaving all subject rights sections in the Data Protection Policy, even if you are never required to action them (i.e. if you only process personal data based on a contract or legal obligation, withdrawing consent, restricting processing rights etc are not applicable). However, it is good practice to have procedures to action all rights as part of your policy.

* E.g. registers held by the ICO, codes of conduct, adequacy decisions etc can all change, so any reference in your document must be kept up-to-date

(Article 15)

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data about them is being processed

1.  Ensure a process is in place for individuals to request access to their personal data
2.  Use the Subject Access Request Procedures in your toolkit as your template document. Review the content and customise any areas to make it specific to your business and processes
3.  Review the provided SAR form and add your company details and DPO/person appointed to handle SAR’s
4.  When acting on a request for access, have measures in place to verify the identity of the individual (if not present)
5.  Make a copy of your SAR procedure and request form accessible to individuals (i.e. via your website, in your office/store, in email links, on written documents etc)
6.  Make sure that all personal data is accessible within the 30-day timescale
7.  Provide awareness training to all staff and specialist training to individuals who deal with any requests
8. Where the request is made by electronic means, ensure you are prepared to provide the information provided in a commonly used electronic form (unless the individual requests otherwise)

Your Data Protection Policy contains a list of the information that must be supplied to the individual – ensure that this list is available to the person responding to the requests

The SAR Procedures provided in your toolkit do not require much customisation as they cover all mandatory requirements, however you are free to alter the format and/or customise the content to suit your organisation’s requirements

The right to access personal information must be noted in your SAR Procedures and Privacy Notice (as per our templates)

(Article 16)

The data subject shall have the right to request from the controller, the rectification of inaccurate personal data

1. Your SAR Procedures & Privacy Notice templates contain guidance for your organisation and individuals on how to submit a data rectification request and how this should be processed
2. Ensure you DPO/appointed lead is aware of how to process a rectification request (as per the procedures detailed in section 8.6 of your Data Protection Policy
3. When acting on a request to rectify/complete personal data, have measures in place to verify the identity of the individual (if not present)
4. Use your Information Audit to check if the personal data category in question has been disclosed to any third-party (i.e. processors), so that they can also be notified of the rectification request and change details
5. Keep a record of any changes made to personal data (i.e. a change register, supplementing notes on file, account note etc)
6. Schedule regular reviews of all personal data and systems to meet the accuracy principle (i.e. removing out-of-date info & correct inaccurate records & update out-of-date ones)

Ensure that staff have effective reporting lines to advise of any data quality issues (i.e. are the sales team getting out of date numbers, are accounting having to recheck bank details?)

(Articles 5, 13, 14, 15 & 17)

The period for which the personal data will be stored ensuring that the period is limited to a strict minimum

Condition Based Erasure Requirement:

• The data subject shall have the right to obtain from the controller the erasure of personal data concerning them in the below instances:
• the data is no longer necessary for the purpose(s) it was collected or processed
• consent is withdrawn when processing is based on Article 6(1)(a) or 9(2)(a) & there is no other legal ground for the processing
• the data subject objects to the processing & there are no overriding legitimate grounds for the processing or processing relates to direct marketing
• the data has been unlawfully processed
• the data must be erased for compliance with a legal obligation
• the data is processed in relation to the offer of information society services to a child
• the data is processed in relation to the offer of information society services to a child

1. Review the Data Retention & Erasure Policy and Schedules to ensure that any storage periods comply with your own business requirements and industry regulations
2. Add any retention periods to the schedule for business specific documents
3. Review the disposal measures for personal data, software, hardware and records and customise to suit your actual procedures (if different)
4. Review the Erasure Procedures provided in the Data Retention & Erasure Policy and ensure that you can follow them (or customise if you carry out a different process for erasing data)
5. Provide the DPO/Lead with the conditions for erasing data as the ‘right to be forgotten’ is not an absolute right!
6. Ensure that agreements for any processor that you use contain the requirement for them to erasure data on your instruction and that they have procedures in place for this
7. Work with IT department (or for smaller firms implement a procedures) for deleting back-up systems and storage points
8. Assign responsibility for retention and disposal to an appropriate person
9. If using third-party disposal/secure waste supplier, ensure that you have an agreement with them and that you carry out due diligence to verify their services, compliance and the appropriate security measures

Legal and statutory retention schedules for the UK have been added to the Retention Schedule found in the Data Retention & Erasure Policy. However, these should be reviewed to ensure compliance with your business sector and you should also include any retention period specific to your organisation

(Article 20)

• The right to receive personal data from a controller, in a structured, commonly used and machine-readable format and to transmit that data to another controller is only required: –
• to personal data an individual has provided to a controller;
• where the processing is based on the individual’s consent or for the performance of a contract; and
• when processing is carried out by automated means

1. Review the procedures set out in the Data Protection Policy supplied with your Toolkit to ensure that they comply with your own processes for data portability
2. For all data that complies with this right, ensure that it is available in a commonly used and machine-readable format (i.e. CSV files)
3. Make sure that the data has sufficient protection and security measures applied based on the format used (i.e. encryptions, restricted access etc)
4. Test your process for moving or transferring the data in the specified format, easily from one organisation to another
5. Ensure that the process for data portability allows for the 30-dat timeframe (i.e. don’t have data in a non-common format and then rely on being able to reformat it on request, as this may cause unnecessary delays)

(Articles 18, 21 & 22)

The controller shall facilitate the exercise of data subject rights

Right to restrict the processing of personal data is applicable:

• Where an individual contests data accuracy, processing should be restricted until verified/corrected
• Where an individual objects to the processing (where necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual
• When processing is unlawful, and the individual opposes erasure and requests restriction instead

Individuals have the right to object to:

• processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority
• direct marketing
• processing for purposes of scientific/historical research and statistics

1. Review the data subject rights procedures for restricted processing, objection and automated decision making as pre-written in the Data Protection Policy, to ensure that they are aligned with your actual (or intended) processes
2. If you have any specific measures or steps for actioning these rights, document them in the policy
3. Ensure that the processes you have committed to can be exercised with the 30-day timeframe
4. Implement a process that will enable individuals to submit such requests to you (see section 5 of the provided SAR Procedures) (i.e. this should include online options where applicable as well as in writing)
5. Develop a process and template for informing individuals when you decide to lift a restriction on processing
6. Review your privacy notice(s) to ensure they inform individuals of their rights
7. Provide training to staff so that they are knowledgeable about the data subjects rights and when they are applicable, as well as who to report such a request to
8. Identify whether any of your processing operations constitute automated decision making
9. If applicable, make sure that individuals have access to a person to whom they can communicate, provide an opinion and obtain an explanation of the decision, and where applicable, challenge it
10. Ensure that any automated decisions do not contravene the restrictions in Article 9(2)

We have noted in the ‘Conditions’ box when you must comply with each data subject right, but for those rights that will not apply to you at any point, we still recommend retaining the procedures in the policy to demonstrate that understand each right and know why you are not obligated under it (if applicable)

For objections, you must stop processing personal data unless you can demonstrate compelling legitimate grounds for continuing, but they must override the interests, rights and freedoms of the individual. You can also continue processing if it is for the establishment, exercise or defence of legal claims

If you have disclosed the personal data to any third-party, you have an obligation to inform them of any right exercised by the data subject and to have them enforce the right where applicable

(Articles 33 & 34)

The controller shall document any personal data breaches and have data breach procedures in place. Processors’ must notify the controller immediately of any personal data breaches

However, breach notifications only required when:

The breach is likely to result in a risk to the rights and freedoms of the individual(s)

1. Review the Data Breach Policy & Procedures in your toolkit to ensure that you will be following the process documented
2. If you have any other procedures or templates relevant to breaches and specific to your business, include them in the provided document
3. Ensure that all staff are aware of the breach procedures and what constitutes a breach
4. Disseminate reporting lines for breach notification
5. Create a Breach Register to log all breaches (no matter how small) and review regularly to check for patterns or reoccurring issues/areas
6. Define a notification process for breaches that must be reported to the supervisory authority and data subject

(Articles 44-50)

1. Review the International Data Transfer Procedures provided to ensure that they follow the process you take when transferring data
2. Add any safeguards, measures and controls as applicable to your organisations (i.e. detail the countries and reasons for transfer and what measures are applicable to each – adequacy decision, binding corporate rules etc)
3. Ensure that the adequate safeguards and data security are in any written contract(s) using standard data protection contract clauses
4. Implement measures to audit any documented security arrangements on a regular basis
5. Assign the DPO/Lead with the task of monitoring the EC’s adequacy decision countries and any supervisory authority requirements for transfers

(Articles 24 & 32)

Proportionate to their nature, size & scope, the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk & to demonstrate that processing is performed in accordance with the GDPR

The controller should adopt internal policies and implement measures which meet the principles of data protection by design and default

(Recital 78)

1. Processes/systems obtaining personal data (forms, online, telephone etc), should be reviewed to ensure that you are only collecting the data you need for the processing purpose (i.e. optional fields in online forms are not necessary if they are optional)
2. Aim to continually minimise the amount and type of data you process and document any audits assessing this to meet the accountability requirement
3. Review all functions and business processes to identify any risks presented by processing, including processes or systems that could result in: –

a. Accidental or unlawful destruction of personal data

b. Loss, alteration or unauthorised disclosure of personal data

c. Unauthorised access to personal data transmitted, stored or otherwise processed

1. Risks identified above should be recorded on your Risk Register and mitigating actions and operational/technical measures put into place to eliminate/reduce the risk
2. Assess the security of the personal data you process (including storage and disclosure) and document what methods you in the use in the pseudonymisation and encryption of personal data
3. Document in your policy the measures and processes for ensuring the ongoing confidentiality, integrity and availability of processing systems and services
4. Review your Business Continuity (or Disaster Recovery) Plans and ensure that you have documented how you will ensure and restore the availability and access to personal data in a timely manner in the event of a physical, operational or technical incident
5. Review the Internal Audit & Monitoring Policy & Procedures supplied with the Toolkit and use the monitoring register to document a schedule of regularly testing, assessing and evaluating the effectiveness of technical and organisational measures
6. New systems, processes, functions, services and technologies should be assessed before implementation to ensure data security, privacy by design and that you can comply with an individual’s rights under the GDPR

Guidance for assessing what measures to implement are provided on the left

The controller should adopt internal policies and implement measures which meet the principles of data protection by design and default

1. Review you existing Information Security Policies (or use the ones provided if using the Toolkit) and ensure the policy covers key information security topics such as network security, physical security, access controls, secure configuration, patch management, email and internet use, data storage and maintenance
2. Include the appropriate technical and organisational measures (mentioned in the above section) to ensure a level of security appropriate to the risk and your processing activities
3. Communicate and make available the information security policy to all staff
4. Add the policies to your Audit & Monitoring Register to ensure periodic checks for compliance with the policy and the GDPR
5. Either deliver an information security staff training session or include operational and technical measures in your Data Protection Training

(Article 35)

• systematic & extensive processing activities, and where decisions have legal effects on individuals
• large scale processing of special category or criminal convictions or offences data
• large scale, systematic monitoring of public areas (i.e. CCTV)

1. Use the screening questions provided in your DPIA procedures to assess if any of your processing activities require a DPIA
2. Any processing activities or technologies assessed as high-risk should be documented on your organisations Risk Register and should be passed through the impact assessment procedures provided
3. The steps in the DPIA are easy to follow and flow in a chronological order. Ensure that you document all stages of the assessment and retain the records for each activity
4. Where possible, put mitigating actions and measures into place to reduce the risk of the processing and then repeat the assessment until the risk is acceptable (as defined in the DPIA)
5. Where risk reduce measures are unavailable or unsuccessful and you still have a legal requirement or obligation to carry out the processing, you must contact the Supervisory Authority for a review

(Article 28(3))

Processing by a processor on behalf of a controller shall be governed by a contract or other legal act

1. Identify any third-party entities who you use to process personal data on your behalf
2. You should have a principle contract in place stating the service level agreement and terms under which your relationship is based
3. A Processor Agreement template has been provided and this (or your existing) agreement should accompany or be appended to the existing principle contract
4. The Processor Agreement must state at minimum: –

a. The subject-matter and duration of the processing

b. The nature and purpose of the processing

c. The type of personal data & categories of data subjects

d. The obligations and rights of the controller

e. That the processor:

i. cannot engage another processor without prior written authorisation from the controller
ii. processes the personal data only on documented instructions from the controller
iii. must inform the controller of any legal requirement to transfer personal data to a third country or an international organisation
iv. ensures that those processing personal data are bound by an obligation of confidentiality
v. implement appropriate technical and organisational measures to ensure a high-level of security, including but not limited to the pseudonymisation and encryption of personal data;
vi. ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner; a process for regularly testing, assessing and evaluating the effectiveness of the measures
vii. assists the controller in the fulfilment of their obligations
viii. deletes or returns all the personal data to the controller after the end of the provision of services relating to processing
ix. makes available to the controller all information necessary to demonstrate compliance with the GDPR
x. immediately informs the controller if they infringe the GDPR in anyway

5. Obtain evidence from each processor that they have the above requirements in place

These are business specific suggestions that may be suitable for many small & micro businesses. Due to your size and scope, guidance on HR departments and training your staff is often not applicable, so this guidance is tailored to those with only a few staff or sole traders.

Auditing – The accountability requirement necessitates ongoing reviews and audits on your GDPR measures and procedures. For small business, this is often time-consuming and can seem pointless as you are using the measures and procedures daily, so know they are working. The key is ‘relative to your size & scope’ – you do not need an external auditor or to spend hours walking through processes you already complete daily. Pick a specific day each month or quarter and document your audit as you go through your usual tasks. Simply check that you are still following the written procedures and that those procedures are still fit for purpose.

Security – the smaller you are, the less you probably use in terms of security for your personal data. Whilst larger firms have encryptions, firewalls, cloud storage, disaster recovery and high-tech solutions; many small businesses use just one or two safeguarding measures. Security does not have to be costly or time-consuming. Simple measures like using good anti-virus & malware applications on all PC’s and laptops, keeping personal data encrypted (using software or on removable devices), locked filing cabinets, alarms and door locks, secure passwords. Even those working from their own home can implement most of those measures to security the data they process.

Consent – if you are relying on consent for processing data, even if this is only for a small mailing list where handful of those subscribers are individuals, you will need to comply with the GDPR in full, except for the Processing Activities Register and optional assigning of a DPO. Processing under consent means that data subjects have stronger rights in areas such as objecting to processing, data portability, erasure and restricted processing. No matter how few ‘individuals’ you are handling data for, you need to have procedures for them to exercise their rights, demonstrable security measures, compliance with the principles and documented evidence that you can and are complying with the Regulation.

These are business specific suggestions that may be suitable for many medium and larger organisations, with multiple departments and bigger staff sizes.

HR – if you have many employees, you will likely have a HR function. It is important that you review all employee related documents and templates (i.e. employee handbooks, grievance procedures, appraisals, sick leave etc) and ensure that they are GDPR compliant.  Many businesses spend so much time getting data protection right for their users and customers but forget that the GDPR applies to your employees as well. You may need specific procedures and forms for them to make rights requests.

Awareness – being big can be a compliance issue in itself! You need to assess your existing reporting lines, dissemination processes and communication functions. The senior management and supervisors may seem well versed in the GDPR and what their responsibilities are, but can you evidence that this information is reaching all levels in the business? For larger offices, use wall posted Privacy Notices, download our GDPR Infographs and have them printed to A3 as reminders, set-up a GDPR intranet – there are many actions you can take to make GDPR a focal point for all employees.

Suppliers – review you list of suppliers and recheck your due diligence measures. It is not just those third-parties being as for processing activities that need to be reviewed, but any organisations with whom you have a business relationship. If you have cleaners or contractors who carry out work for you, have you address their GDPR awareness and revised any confidentiality clauses?

Visitors – larger organisations often having visitors at their offices. Procedures for visitors should be documented in your Information Security policies, but you also need to review you sign-in book, ID badge process, restricted access, bringing their own devices, bag searches and confidentiality agreement.

Website – reviewing and updating website content is part of your GDPR obligations and come areas are already covered in this plan and the Regulation (i.e. Privacy Notices, SAR Procedures). It is worth reviewing your website content, fields on contact forms, Cookie Policy, access to complaint and SAR procedures etc)