GDPR Compliance for Your Organisation
GDPR applies to every organisation that processes personal data. But where do you start? This checklist takes you through everything you need to have in place, step by step, from your first data mapping to ongoing compliance.
1. Map Your Information Assets
Start by getting a clear overview of everywhere your organisation stores or processes personal data. This includes IT systems, cloud services, shared drives, mobile phones, laptops and physical files.
This overview is the foundation of your GDPR compliance. Without it, you cannot know which systems and processes need to be secured, and you risk overlooking critical processing activities.
- Map all IT systems, cloud services and physical storage
- Include devices such as mobile phones and laptops
- Use this overview as the basis for your risk assessment and record of processing activities
2. Put Data Processing Agreements in Place
Do you use suppliers that handle personal data on your behalf? This could be a payroll system, a CRM or an email marketing platform. If so, they are data processors, and you are legally required to have a written data processing agreement with each of them.
A data processing agreement defines what your vendor may and may not do with your data. It must be in place before any processing begins.
- Identify all vendors that process personal data on your behalf
- Ensure written agreements are in place with every data processor
- Keep agreements updated when vendors change their services
3. Create Your Article 30 Record of Processing Activities
Most organisations subject to GDPR must maintain a record of processing activities. This document sets out what personal data you process, for what purpose, and who has access.
Start by identifying the processes in your business that involve personal data, such as:
- Sales and customer management
- Marketing and communications
- HR: recruitment, employment and payroll
- Finance and invoicing
4. Conduct a Risk Assessment
A risk assessment helps you understand the risks associated with your data processing activities and determine how rigorously you need to implement GDPR requirements. The higher the risk, the stronger the safeguards required.
A thorough risk assessment also helps you prioritise your efforts, saving time and resources in the long run.
- Assess the likelihood and impact for each processing activity
- Use the results to prioritise your security measures
- Update the assessment whenever your organisation changes
5. Apply Privacy by Design and Privacy by Default
Privacy by design means building data protection into your systems and processes from the outset. Privacy by default means configuring your systems to process only the minimum amount of personal data necessary.
Both principles are explicit requirements under GDPR and should be reflected in how your organisation builds and configures its solutions.
- Document your decisions as part of your compliance documentation
- Use the results to prioritise your security measures
- Update the assessment whenever your organisation changes
6. Train and Guide Your Employees
Your organisation is only as GDPR-compliant as your people. Even the best policies will fall short if employees do not know how to handle personal data correctly in practice.
Establish clear guidelines for the use of IT tools, email and other systems. Awareness training should be a regular part of onboarding and ongoing operations.
- Create written guidelines for handling personal data
- Train employees at onboarding and on an ongoing basis
- Document that employees have received and understood the guidelines
7. Review Your IT Security
GDPR requires appropriate technical security measures. Review your IT security and assess whether there are any gaps: Is access management up to date? Are strong passwords and two-factor authentication in use? Is data encrypted where relevant?
- Review access management and user permissions
- Implement encryption and two-factor authentication
- Establish a plan for handling personal data breaches
8. Address Physical Security
Digital security alone is not enough. Personal data can also be compromised physically. Make sure servers and physical documents are secured and locked away, and that only relevant employees have access.
- Lock server rooms and physical archives
- Dispose of unnecessary physical documents containing personal data
- Restrict access to relevant employees only
9. Inform Your Customers
When you collect personal data from customers, they have a right to know how it will be used. This is your duty to inform under GDPR. Make sure your privacy policy is up to date, easy to find and written in plain, accessible language.
- Update your privacy policy regularly
- Make it easy to find, for example on your website
- Write it in language your customers actually understand
10. Inform Your Employees
The processing of employee personal data begins as early as the recruitment phase. Make sure that job applicants, new hires and existing employees are all informed about how their data is processed, typically through an internal privacy notice.
- Inform job applicants about data processing from first contact
- Create an internal privacy notice for employees
- Update it whenever your processes change
GDPR compliance is not a one-time task. It requires ongoing maintenance, documentation and updates as your organisation and the regulatory landscape evolve. At .legal, we bring your entire compliance programme into one place, so you always have an overview and can demonstrate that you meet the requirements.
Test Your GDPR Knowledge
Test your GDPR compliance knowledge with 6 quick questions.
Question 1: What is a data processing agreement?
A data processing agreement is legally required and must be in place with every vendor that processes personal data on your behalf.
Question 2: What must an Article 30 record of processing activities document?
The Article 30 record is a mandatory document describing your organisation's processing activities in detail.
Question 3: What does "privacy by default" mean?
Privacy by default means your systems are configured to minimise data collection unless there is a specific reason to do otherwise.
Question 4: When must you begin informing employees about how their personal data is processed?
You begin processing personal data about a candidate as soon as they apply, so your duty to inform them begins at that point.
Question 5: What is the purpose of a risk assessment under GDPR?
A risk assessment helps you focus your GDPR compliance efforts where they are actually needed.
Question 6: Which of the following is an example of a physical security measure?
Physical security is about protecting personal data in the real world, not just in your digital systems.
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
Support
support@dotlegal.com
+45 7027 0127
.legal is not a law firm and is therefore not under the supervision of the Bar Council.