GDPR & Data Governance
Trusted, compliant, commercial
Commercial growth must be built on trusted, compliant data. GDPR is a delivery accelerator, not a blocker. Consent, DPIA, retention and ownership are designed in from day one.
Operating principles
Twelve controls embedded from day one
- Privacy by design
- Consent and preference management
- Data minimisation
- Clear lawful basis
- DPIA where required
- Role-based access
- Data retention rules
- Supplier data processing agreements
- Audit trail
- Data quality controls
- Incident and breach management
- Reporting to DPO and executive governance
GDPR confidence model
Six pillars the DPO and executive can rely on
- Data inventory: where data lives, who owns it, how it flows.
- Consent model: captured, evidenced, refreshed, respected.
- DPIA: completed for high-risk processing activities.
- Supplier controls: DPAs, sub-processors, security baseline.
- Access controls: role-based, reviewed, auditable.
- Reporting and audit: visible to DPO and executive governance.
Consent flow
Six stages from capture to audit
- Capture: granular opt-in at registration (marketing, partners, profiling, analytics). Clear language, no pre-ticks.
- Evidence: source, timestamp, version of notice and IP stored against each consent record.
- Honour: consent state checked at every campaign send and every data share with partners.
- Refresh: re-permission cycle every 24 months and at any material change to processing.
- Withdraw: self-service preference centre, single-click unsubscribe, propagated within 24 hours.
- Audit: monthly consent coverage report to DPO and Data Governance Forum.
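As an added example (not code from this page or the programme it describes), a consent check that enforces the Honour, Refresh and Withdraw stages above: granular purposes, the 24-month re-permission cycle and the 24-hour withdrawal propagation window. It assumes that a newer privacy-notice version stands for a material change to processing; the record fields and sample data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PURPOSES = frozenset({"marketing", "partners", "profiling", "analytics"})  # granular opt-ins
REFRESH_WINDOW = timedelta(days=730)   # re-permission cycle: every 24 months
WITHDRAWAL_SLA = timedelta(hours=24)   # withdrawals must propagate within 24 hours

@dataclass
class ConsentRecord:
    member_id: str
    purpose: str
    granted: bool
    captured_at: datetime        # evidence: timestamp
    source: str                  # evidence: capture point
    notice_version: str          # evidence: privacy notice version shown
    ip: str                      # evidence: client IP at capture
    withdrawn_at: "datetime | None" = None
    propagated_at: "datetime | None" = None   # when downstream systems applied the withdrawal

def check_consent(rec, purpose, now, current_notice):
    """Honour stage: may a send or partner share for `purpose` proceed? Returns (allowed, reason).
    A newer notice version is treated as a material change (assumption) and forces re-permission."""
    if purpose not in PURPOSES or rec.purpose != purpose:
        return False, "no consent record for this purpose"
    if not rec.granted:
        return False, "not opted in"
    if rec.withdrawn_at is not None:
        return False, "withdrawn"
    if now - rec.captured_at > REFRESH_WINDOW:
        return False, "older than 24 months: re-permission required"
    if rec.notice_version != current_notice:
        return False, "notice changed since capture: re-permission required"
    return True, "ok"

def withdrawal_sla_breached(rec, now):
    """Withdraw stage: True if propagation took longer than 24 hours (pending counts up to `now`)."""
    if rec.withdrawn_at is None:
        return False
    return (rec.propagated_at or now) - rec.withdrawn_at > WITHDRAWAL_SLA

# Constructed sample records (not real member data).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    ConsentRecord("m1", "marketing", True, T0, "registration", "v3", "203.0.113.5"),
    ConsentRecord("m2", "marketing", True, T0 - timedelta(days=800), "registration", "v3", "203.0.113.6"),
    ConsentRecord("m3", "partners", True, T0, "preference-centre", "v2", "203.0.113.7"),
    ConsentRecord("m4", "profiling", True, T0, "registration", "v3", "203.0.113.8",
                  withdrawn_at=T0 + timedelta(days=10), propagated_at=T0 + timedelta(days=12)),
]
```

Run the check at every campaign send and partner share; the reasons it returns feed the refresh queue and the monthly coverage report.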
DPIA checklist
Eleven items completed before any high-risk processing goes live
- Processing activity described and lawful basis confirmed
- Data categories and special categories identified
- Data subjects and volumes identified (members, fans, minors flagged)
- Necessity and proportionality tested against business purpose
- Risks to rights and freedoms assessed (profiling, automated decisions, sharing)
- Mitigations defined (minimisation, pseudonymisation, retention, access)
- Suppliers and sub-processors listed with DPAs in place
- International transfer mechanism confirmed where applicable
- Consultation with DPO completed and recorded
- Residual risk rated and signed off by Executive Sponsor
- Review date scheduled (annual or on material change)
Data retention rules
What we keep, for how long, and why
| Data category | Retention period | Lawful basis / rationale |
|---|---|---|
| Member account data | Duration of membership + 24 months | Contract, legal |
| Marketing consent records | Duration of consent + 24 months | Legal evidence of consent |
| Transactional and reward history | 7 years | Legal, tax, accounting |
| Behavioural / profiling data | 24 months rolling | Legitimate interest, consent |
| Customer service contact records | 3 years | Legitimate interest |
| Web and app analytics (identifiable) | 13 months | Consent |
| Lapsed / inactive member records | Anonymised after 24 months of inactivity | Data minimisation |
| DPIA and governance records | Lifetime of processing + 6 years | Accountability |
RACI ownership
Who owns each GDPR area
| Area | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Data strategy and policy | Data Lead | DPO | Programme Manager, CIO | Steering Group |
| Consent capture and preference centre | Marketing Director | DPO | CRM supplier, Programme Manager | Customer Service |
| DPIA delivery | Programme Manager | DPO | Workstream Leads, Legal | Steering Group |
| Supplier DPAs and sub-processors | Procurement | DPO | Legal, Programme Manager | CIO |
| Access controls and reviews | CIO / Tech Lead | DPO | Data Lead | Audit |
| Retention and deletion runs | Data Lead | DPO | CIO, CRM supplier | Programme Board |
| Subject rights requests (DSAR) | Customer Service Lead | DPO | Legal, Data Lead | Programme Board |
| Breach detection and response | CIO / Tech Lead | DPO | Legal, Communications, Programme Manager | CEO, Steering Group |