Taking organisations from awareness to demonstrable compliance

All organisations that handle personally identifiable data of EU citizens need to prepare and execute a plan to become General Data Protection Regulation (GDPR) compliant. To help you, Arrk has developed a five-stage compliance programme which takes organisations from the earliest stages of GDPR awareness and understanding to becoming fully compliant.

Fines and reputational damage are the big sticks, but there’s plenty of carrot too…

You’ve no doubt read about the size of the fines for non-compliance and data breaches, but GDPR should not be seen as a harmful regulation, there are significant business benefits to be unlocked, using GDPR as the vector to improve data handling, enhance customer analysis and insight, refine governance, security and processes. To go beyond a 360 customer view and develop a win-win relationship which is longer lasting, deeper and more trusting.


Taking organisations from awareness to demonstrable compliance
Find out more..


Informative and engaging learning sessions for your organisation’s key GDPR influencers. Here they will learn everything they need to know in a digestible format with your organisation as the key context. Expect deep dives, role play and presentations.

  • Workshop based
  • Presentations
  • Role playing
  • ‘Live’ deep dives
  • High level understanding
  • Roles and responsibilities
  • Provide support for, and evangelise GDPR in your organisation
  • An indication of what areas of the organisation may be impacted
  • Senior executive team
  • Data Protection Officer
  • Risk, legal and compliance team(s)
  • Representation from across the business
  • 2-3 Days



A formal assessment of your current compliance level against GDPR regulations. This allows our consultants and your team to gain a clear, big-picture view of your existing data structures. We discover how and why this data is being used and the impact of GDPR on your structures and processes.

  • Define supervising authority, skills and roles, agree need for DPO
  • Perform Data-Driven assessments
  • Legacy IT, Shadow IT
  • Workshops with back-end teams
  • Templates and documents
  • Demonstrates current areas of compliance
  • A detailed understanding of data usage within the business
  • Data Privacy Impact Assessments
  • A risk register
  • A health check of existing preparations
  • Promotes visibility
  • Recommendations for data handling processes and structure enhancements
  • Not just IT
  • Risk, Compliance, Legal team(s)
  • Business stakeholders
  • 1-4 Weeks


Driven by our understanding of your existing structures we collaborate on a detailed roadmap and action plan to ensure your GDPR compliance path has clear and achievable milestones.

  • We shape a plan around capability and priority, balancing tactical need with strategic aspirations
  • Define a security, disaster recovery and data governance framework
  • How rights are handled
  • Changes to software and business processes
  • Incident management and breach framework (Arrk’s PD3R)
  • A clear, detailed and prioritised plan towards compliance
  • Activities across all the business
  • Roles and responsibilities steering group
  • Impacted business units identified during stage 1 + 2
  • 1-2 Weeks


Prior to May 2018 you have an agreed roadmap and are actively working towards compliance. The ability to show a compliance roadmap is crucial, even if the Implement stage goes beyond May 2018.

  • Implement the plan with a ‘go live’ of May
  • Some steps must be implemented well before
  • May (e.g. consent, Binding Corporate Rules) Governance and reporting
  • Update our Data Privacy Impact Assessments
  • Introduce ‘Privacy by Design’ into all projects
  • Training and certification
  • Demonstrable compliance
  • A path to compliance
  •  IT team(s)
  • Impacted business units
  • Impacted third parties i.e. data processors
  • 3-18 Months (depending on complexity + size of organisation)


Using Arrk’s Incident Management and Breach Reporting Framework (PD3R) you will have everything you need to ensure that all data handling processes are monitored to ensure compliance at all stages and encourage a culture of reporting potential breaches.

  • Review enforcement, fines and compensation
  • Review impact of guidance and codes of conduct
  • Assistance with breaches and reporting using Arrk’s PD3R framework
  • Manage impact of rights
  • Trigger training and certification
  • Continuous compliance
  • Compliant breaches and reporting
  • Sight of future regulatory change
  •  IT team(s)
  • Impacted business units
  • Ongoing