5 Steps to GDPR Compliance
What is GDPR?
The General Data Protection Regulation (or “GDPR“) is a comprehensive data protection and privacy law which was adopted in the European Union (“EU“) in May 2018. Its primary purpose is to strengthen and standardise data protection laws across EU member states and to give individuals more control over their personal data.
Why is GDPR compliance important?
GDPR compliance is crucial for businesses for several reasons.
Firstly, non-compliance can result in significant fines of up to 4% of global annual turnover or €20 million, whichever is higher. For example, Meta, the parent company of Facebook, recently was fined €1.2 billion ($1.3 billion) for violating the GDPR. The fine was imposed because Meta failed to adequately protect the personal data of the EU users from the surveillance activities of American security services. The Irish Data Protection Commission, responsible for the decision, found that Meta’s data transfers to the US did not address the risks to individuals’ rights and freedoms.
Secondly, GDPR compliance helps build customer trust and credibility by demonstrating a commitment to protecting their personal data.
In addition, compliance with GDPR standards improves data security, reduces the risk of data breaches and fosters a culture of responsible data processing in the organisation.
Finally, GDPR compliance is not limited to EU-based companies; it applies to any organisation worldwide that collects or processes personal data from individuals residing in the EU, making it imperative for global businesses to ensure compliance to avoid legal consequences.
Step 1: Data Analysis
The first crucial step in achieving GDPR compliance is to define the scope of personal data collected and processed by the business. It includes identifying the categories of personal data the organisation handles, such as names, addresses, email addresses, financial information and any other identifiable information relating to individuals. By clearly defining the scope of personal data the company handles, it will better understand the compliance requirements it needs to meet.
It is important to note that under the GDPR, personal data is a broad term encompassing various types of information that can be used to identify an individual. According to the European Commission, examples of personal data include:
- an individual’s first and last name;
- home address;
- email address;
- ID card number;
- location data;
- Internet Protocol (IP) address;
- cookie ID;
- advertising identifier of a phone; and
- data held by a hospital or doctor that uniquely identifies an individual.
The GDPR also introduces the concept of sensitive data, which includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and data concerning a person’s sex life or sexual orientation. Sensitive data is subject to even stronger protections under the GDPR to ensure the highest level of privacy and security.
In Step 1, developing additional maps to gain a comprehensive understanding of data processes and interactions may be beneficial. For example, creating a customer journey map allows the organisation to visualise how personal data is collected, stored and used throughout the customer lifecycle. Similarly, developing a candidate journey map can help identify the stages where personal data is involved during the recruitment process. In addition, a data flow map may provide insight into the movement of data across different systems and departments within the organisation.
Step 2: GDPR Audit
As part of the GDPR compliance process, it is essential to conduct an internal audit to assess existing data protection practices within the organisation. This audit should include a review of the policies, procedures and systems in place for collecting, processing and storing personal data.
During the audit, it is crucial to identify any gaps or areas of non-compliance with the GDPR requirements (i.e. to conduct a “gap assessment”). It involves comparing the organisation’s data protection practices with the specific obligations outlined in the GDPR. By identifying gaps, such as inadequate consent mechanisms, insufficient data breach response procedures, or lack of transparency in data processing, efforts can be made to address these shortcomings and align with GDPR standards.
A table can be used to present the assessment results more conveniently as it provides a structured overview of the organisation’s compliance status. The table can be divided based on the specific articles of the GDPR that impose obligations on the company.
| Article | Compliance Status |
| Article 5: Principles relating to processing of personal data | Does not comply with the GDPR |
| […] | […] |
As part of the GDPR audit, assessing the effectiveness of the organisation’s current security measures and data processing procedures is also necessary. This assessment determines whether the measures are sufficient to protect personal data. It includes a review of access controls, encryption practices, data storage, data transfer protocols and any other security measures in place.
Step 3: Development of a GDPR Compliance Plan
The GDPR audit can provide valuable insights into the organisation’s data protection practices and highlight specific areas that need improvement. Therefore, these identified gaps should be incorporated into the roadmap to ensure they are adequately addressed and resolved on time.
The roadmap should include the specific actions and changes required to align the company’s data protection practices with GDPR requirements and serve as a guiding document to ensure that compliance efforts are well-structured, comprehensive, and tailored to the business’s unique needs.
The plan may consist of the following elements to achieve GDPR compliance:
- Documentation development: The roadmap should outline the development or update of the necessary documentation, such as a privacy policy and a cookie policy. These documents communicate the organisation’s commitment to data protection and provide transparency to individuals regarding processing their personal data in accordance with requirements of Articles 13 and 14 of the GDPR or the ePrivacy Directive.
- Internal documentation and procedures: It is essential to develop internal documentation under GDPR, such as a data breach register to track and manage potential data breaches effectively. In addition, policies should be put in place to guide the organisation’s efforts toward GDPR compliance, for instance, in responding to data subject requests according to all requirements and guidelines of EDPB or relevant supervisory authorities.
- Training plan: The roadmap should include a comprehensive plan for training the team on GDPR, the organisation’s obligations, and data protection best practices. Training can help raise awareness among employees, ensure they understand their roles and responsibilities in GDPR compliance, and foster a culture of data protection within the company.
- International data transfers: If a company engages in international data transfers, it is critical to address this aspect in the roadmap. Organisations should consider using appropriate safeguards, such as the Standard Contractual Clauses (SCCs) developed by the European Commission. Incorporating these safeguards ensures that personal data is adequately protected when transferred outside the European Economic Area to countries without an adequacy decision.
Step 4: Implementation of the Plan
Implementing a GDPR compliance plan requires a strategic approach and careful execution.
Firstly, it is essential to establish a realistic timeframe within which the various activities will be carried out. It includes developing or updating documentation, conducting training, implementing new safeguards and addressing any gaps identified during the GDPR audit.
Second, with limited resources and time, it is important to prioritise tasks based on their impact on data protection and regulatory compliance. The risks associated with different areas of non-compliance should be assessed accordingly. For example, addressing high-risk areas such as consent management, data security, and data subject rights should be prioritised.
Third, assigning clear responsibilities to relevant individuals or teams within the organisation is critical to successfully implementing the compliance plan. Clearly define who will be responsible for each task to ensure accountability and transparency throughout the process (e.g. director or CEO). Assigning responsibilities enables efficient coordination and ensures that all necessary actions are taken promptly and effectively.
Step 5: Support, Maintenance and Control
Achieving and maintaining GDPR compliance requires ongoing commitment and vigilance. To adopt a proactive approach, the following practices can be implemented:
- Regularly reviews and updates of the data protection practices: The GDPR landscape is dynamic, with emerging threats and evolving regulations. To remain compliant, organisations must regularly review and update their data protection practices. It includes keeping abreast of regulatory changes, industry best practices and emerging technologies that may impact data security. For example, it can be useful to monitor new legislation in the field of AI (such as the EU Artificial Intelligence Act), as this rapidly developing area may often involve processing personal data.
- Providing support and guidance to employees: Employees play a critical role in maintaining GDPR compliance. It is essential to provide ongoing support and guidance to employees on data protection matters. This can be achieved through regular training, communication channels to address their questions or concerns, and access to relevant resources and documentation (such as EDPB or supervisory authorities (e.g., CNIL in France) guidelines and recommendations).
- Conduct regular internal audits and assessments: Periodic internal audits and inspections are critical to ensuring ongoing compliance. These audits can assess the effectiveness of data protection controls, identify potential risks or gaps, and verify compliance with GDPR requirements. By conducting these assessments, organisations can proactively identify areas for improvement, implement corrective actions, and maintain a robust data protection framework.
In conclusion, achieving GDPR compliance is not a one-time task but an ongoing process that requires dedication, adaptability, and a commitment to data protection. The GDPR landscape is constantly evolving, with new regulations, emerging threats, and changing best practices. As such, organizations must recognize that compliance is a continuous effort that requires regular monitoring, updates, and controls.