MANAGE ALL DATA INCIDENTS/BREACHES

YourDataSafe™ promotes a culture of data protection by allowing your entire team access to report incidents, no matter how minor. This culture will give you an accurate picture of data handling and processes within your organisation, and it demonstrates strong accountability in data governance. Report ~ Assess ~ Manage ~ Learn, easy with YDS

YOUR DPIA CENTRAL DATABASE

YourDataSafe™ has built a step-by-step approach to help you build DPIAs within your organisation and make them a central part of your data governance structure. The process is designed with the principle of ‘By Design and By Default’ in mind. Each step eases the author through the process, explaining the requirements. Step 4 determines whether a full DPIA is required or whether the assessment can go straight to DPO sign-off; it is that simple to use.

Your one-stop data governance tool! It's everything you need to manage your compliance.

No additional software required

YourDataSafe™ eliminates the need for extra software, saving costs and simplifying operations. It offers accessibility from any device, streamlines collaboration, provides automatic updates, and ensures scalability. Ultimately, it boosts efficiency and enhances a culture of data protection.

Cost effective solution

Eliminate the need for expensive software licenses and hardware investments while offering unlimited access for employees. YourDataSafe™ allows incidents and data rights requests to be reported directly by the employee to the YourDataSafe™ platform, immediately notifying the data governance team.

Saving your company time

YourDataSafe™ streamlines data incident logging and reporting by giving your entire team access, enabling quick and easy reporting. This saves your organisation time and allows you to deal with the request quickly and efficiently.

Try our plan calculator

Our calculator will give you a good idea of the annual cost of YourDataSafe™ for your organisation. This calculator also saves you time when completing the onboarding form if you decide to go ahead with a YourDataSafe™ account.

* Please note that the subscription calculator is provided for informational purposes only. The results obtained should not be considered financial advice. We recommend consulting with a qualified professional for personalized financial guidance and decision-making.


YOUR PLAN

**Paying an annual license fee for the best data governance platform offers numerous benefits. It ensures top-notch data protection compliance management, minimizes risks, simplifies processes, provides ongoing support and updates, and leverages the convenience of a web-based platform for seamless accessibility.**

Upgrades to your plan are available for you to get bespoke policies and procedures, template letters, processor agreements and much more.

Frequently asked questions

A data governance system is crucial for several reasons. It helps ensure data quality, accuracy, and consistency, mitigates risks of data breaches, ensures compliance with regulations, facilitates effective data management, enhances decision-making based on reliable data, and supports overall organizational efficiency and trustworthiness.

A Data Inventory or Record of Processing Activities (“ROPA”) is a document that organizations maintain to comply with the requirements of the General Data Protection Regulation (“GDPR”), which is a data protection law in the European Union (EU). The GDPR mandates that data controllers and data processors maintain a record of their data processing activities.

The requirement to maintain a data inventory or ROPA is outlined in Article 30 of the GDPR. Article 30 specifically addresses the documentation obligations of data controllers and data processors. It states that organizations must maintain a record of their processing activities.

Article 30 of the GDPR states that the record should include various details about the processing activities, such as the purposes of the processing, categories of data subjects, categories of personal data, recipients of the data, and any international transfers. The record should also include information about data retention periods, security measures, and the legal basis for processing.

Furthermore, Article 30 mandates that the record should be in writing, including in electronic form, and made available to the supervisory authorities upon request. So, organizations comply with Article 30 of the GDPR when they create and maintain a comprehensive and up-to-date data inventory or ROPA.

Under the General Data Protection Regulation (“GDPR”), there is a legal requirement for organizations to log and document data incidents, which are commonly referred to as data breaches. The specific obligations related to logging data incidents are outlined in Article 33 and Article 34 of the GDPR.

Article 33 - Notification of a personal data breach to the supervisory authority: According to Article 33, in the event of a personal data breach, the data controller is required to notify the relevant supervisory authority without undue delay, and where feasible, within 72 hours after becoming aware of the breach. The notification should include specific details about the nature of the breach, the categories of affected individuals, the approximate number of affected individuals, and the potential consequences of the breach.

Article 34 - Communication of a personal data breach to the data subject: Article 34 states that if a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller is obligated to communicate the breach to the affected individuals without undue delay. The communication should describe the nature of the breach, provide recommendations for individuals to mitigate potential adverse effects, and inform them about the steps taken to address the breach.

In addition to these requirements, organizations are encouraged to maintain internal records of all data breaches, including the date and time of the incident, a description of the breach, the categories and approximate number of affected individuals, and the actions taken to mitigate and address the breach. These records help demonstrate compliance with the GDPR and can be requested by supervisory authorities during investigations or audits. It's important to note that data incidents should be logged regardless of whether they meet the threshold for mandatory notification to supervisory authorities or data subjects. Timely and accurate logging of data incidents is crucial for effective incident response, accountability, and demonstrating compliance with data protection regulations.

Under the General Data Protection Regulation (GDPR), organizations have legal obligations to respond to data subject requests to enforce their rights. The specific requirements regarding data subject rights and their exercise are outlined in Articles 12 to 23 of the GDPR. Here are the key aspects related to responding to data subject requests:

Right to be Informed (Article 13 and Article 14): Data controllers are required to provide individuals with clear, transparent, and easily understandable information about the processing of their personal data. This includes informing them about the purposes of the processing, the legal basis, retention periods, and the rights they can exercise.

Right of Access (Article 15): Data subjects have the right to obtain confirmation from the data controller whether or not their personal data is being processed and, if so, access to that data. The organization must provide a copy of the requested personal data along with relevant details about the processing activities.

Right to Rectification (Article 16): If the personal data held by the organization is inaccurate or incomplete, data subjects have the right to request its rectification or completion. The organization must respond to such requests and make the necessary corrections or updates to the data.

Right to Erasure (Right to be Forgotten) (Article 17): Data subjects have the right to request the erasure of their personal data under certain circumstances, such as when the data is no longer necessary for the purpose it was collected, when consent is withdrawn, or when there are legitimate objections to the processing. The organization must assess the request and delete the data unless there are legal grounds for retaining it.

Right to Restriction of Processing (Article 18): Data subjects can request the restriction of processing in specific situations, such as when the accuracy of the data is contested or when the processing is unlawful. The organization must limit the processing of the data while the request is being assessed.

Right to Data Portability (Article 20): Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another data controller. The organization must provide the data in a suitable format upon request.

Right to Object (Article 21): Data subjects can object to the processing of their personal data for specific purposes, such as direct marketing or legitimate interests. The organization must cease processing the data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject.

To comply with these requirements, organizations must establish processes and procedures for handling data subject requests, including providing clear mechanisms for individuals to exercise their rights, verifying the identity of the data subject making the request, and responding within the designated timeframes set by the GDPR (generally within one month, with possible extensions in certain cases).

Yes, it is highly recommended for organizations to keep a log of all the data subject requests they receive and their corresponding responses. Maintaining a record of requests helps demonstrate accountability, transparency, and compliance with the General Data Protection Regulation (GDPR). Here are a few reasons why keeping a log is beneficial:

Compliance: By documenting data subject requests and responses, you can demonstrate that your organization is fulfilling its obligations under the GDPR. In the event of an audit or inquiry by a supervisory authority, having a comprehensive log will showcase your commitment to data protection and facilitate the review process.

Timeliness: The GDPR requires organizations to respond to data subject requests promptly. Keeping a log enables you to track the receipt of requests, monitor response times, and ensure that you meet the required deadlines.

Efficiency: A log helps streamline your internal processes by providing a centralized repository of requests. This allows you to efficiently assign, track, and manage requests, ensuring that they are handled in a consistent and timely manner.

Documentation: Having a well-maintained log serves as valuable documentation that can support your decision-making process and actions. It provides a historical record of interactions with data subjects, including the steps taken to address their requests, which can be useful for internal reference or future reference if any disputes arise.

Analysis and Improvement: By analysing the types and frequency of data subject requests, you can gain insights into trends, areas of concern, or potential areas for improvement. This information can help enhance your data protection practices and guide your organization's compliance efforts.

The cost of data protection compliance in the UK can vary significantly depending on factors such as the size and nature of the organization, the industry sector, the existing data protection framework in place, and the specific compliance requirements to be met. Costs may include expenses related to staff training, implementing technical and organizational measures, conducting audits and assessments, legal and consulting services, and ongoing compliance monitoring. It is advisable to consult with legal and compliance professionals or conduct a thorough analysis within your organization to determine the average cost of data protection compliance specific to your circumstances.

Non-compliance with data protection laws in the UK can result in significant financial penalties. Under the General Data Protection Regulation (GDPR), fines for severe violations can be up to €20 million or 4% of global annual turnover, whichever is higher. For less severe infringements, fines can be up to €10 million or 2% of global annual turnover, whichever is higher. However, it is important to note that the actual fines imposed may vary depending on the specific circumstances of the violation. Additionally, non-compliance can also lead to reputational damage, loss of customer trust, and potential legal costs associated with lawsuits or compensation claims. It is crucial for organizations to prioritize data protection compliance to mitigate the risks and potential financial consequences of non-compliance.

That will depend on the size of your organisation and the license you have purchased. If you have between 6 and 14 staff, you pay an annual fee of £1,000.

Up to 14 staff members can have access to YourDataSafe™. That is £1.37 per employee, per week, to demonstrate your organisation's compliance with the data protection law in your jurisdiction.

YourDataSafe™ wants to encourage a culture of data protection within an organisation, so every employee should have access to the system: any staff member can be approached by a member of the public and handed a subject access request, and any member of staff handling data can cause a data incident or breach, so they should be able to start the incident/breach log.

A Data Protection Impact Assessment (DPIA) is a systematic assessment that organizations are required to conduct under certain circumstances, as mandated by the General Data Protection Regulation (GDPR). The primary purpose of a DPIA is to identify and mitigate potential risks associated with processing personal data, thereby ensuring compliance with data protection principles and safeguarding individuals' rights and freedoms. Here are a few key reasons why organizations are required to conduct a DPIA:

Compliance with the GDPR: Conducting a DPIA is a legal requirement under the GDPR for processing activities that are likely to result in a high risk to individuals' rights and freedoms. The GDPR specifically mandates a DPIA in cases such as systematic and extensive profiling, large-scale processing of sensitive data, and systematic monitoring of publicly accessible areas on a large scale.

Identifying and assessing risks: A DPIA helps organizations identify and evaluate the potential risks and impacts that their data processing activities may have on individuals' privacy rights and freedoms. By conducting a thorough assessment, organizations can proactively identify and address any privacy-related risks before they occur.

Privacy by Design and Default: The GDPR promotes the concept of Privacy by Design and Default, which means integrating privacy considerations into the design of systems, processes, and products from the outset. A DPIA is an essential tool for implementing this principle, as it helps organizations assess privacy risks and implement necessary measures to mitigate them during the early stages of a project or process.

Demonstrating accountability: Conducting a DPIA demonstrates an organization's commitment to accountability and responsible data processing. By conducting and documenting the DPIA process, organizations can provide evidence of their compliance efforts and demonstrate that they have considered the potential risks and taken appropriate measures to protect individuals' data.

Engaging stakeholders: DPIAs involve engaging relevant stakeholders, such as data protection officers, project managers, and individuals whose data is being processed. This encourages organizations to involve these stakeholders in the decision-making process, promoting transparency and ensuring that privacy considerations are taken into account.

Overall, a DPIA is a crucial tool to ensure that organizations are processing personal data in a responsible and compliant manner. It helps organizations understand and mitigate privacy risks, adhere to legal requirements, and protect individuals' rights and freedoms. Conducting a DPIA is an important step in fostering a privacy-conscious culture within an organization and demonstrating a commitment to data protection.

The latest news

Profit or Protection: What’s the answer

In today's digital age, where data is often considered as valuable as currency, the importance of data protection cannot be overstated. The General Data Protection Regulation ('GDPR') is a testament to this, offering a comprehensive legal framework...

Paul Byrne

Your Data Safe

Balancing Act: Navigating Legitimate Interests under GDPR and Global Data Protection Laws

In our increasingly digital world, data isn't just a collection of information; it's the lifeblood of innovation, strategy, and personalisation across industries. However, with the rise of data-driven decision-making comes the paramount importance of safeguarding personal information...

Paul Byrne

Comtech Solutions Limited

Our pricing structure explained

At YourDataSafe™ we thought long and hard about how we pitch this fantastic data governance tool to users. We looked at other digital governance services on the market and the way they priced their product but didn’t...

Paul Byrne

Comtech Solutions Limited

Centralise your governance data today