9 steps to become GDPR compliant

Since the EU's General Data Protection Regulation (GDPR) came into force in 2018, businesses and organisations have been obliged to document all the personal data they collect in a record of processing activities. This obligation is one of the 9 steps to GDPR compliance, which are:

  1. Identify all the activities involving personal data in your company.
  2. Create the record of processing activities.
  3. Sort out your data.
  4. Make it easy for users to exercise their rights.
  5. Inform users you are collecting data.
  6. Secure your data.
  7. Appoint a Data Protection Officer.
  8. Be prepared for an incident (data breach).
  9. Have control on third-party services that handle personal data on your behalf.

Step 1: Identify all the activities involving personal data in your company.

In your organisation, you have information about your employees, customers or suppliers that identifies them – personal data.

Personal data: 
Any information relating to an identified or identifiable person (the so-called ‘data subject’). It can be a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

You collect and process this data for different activities in your organisation, such as recruitment, payroll, sales statistics, and customer prospect management.

Processing of personal data: 
Any operation or set of operations performed on personal data, such as collection, storage, consultation, and use.

Step 2: Create the record of processing activities.

Once you have identified the activities, you must create a Record of Processing Activities in accordance with Article 30 of the GDPR. This will give you an overview of all the personal data you process within your company.

For each activity, create a spreadsheet (e.g. an Excel sheet) with the following information:

  • The objective pursued (the purpose – e.g. for payroll)
  • The categories of data used (e.g. for payroll: surname, date of birth, salary etc.)
  • Who has access to the data (the recipient – e.g. recruitment department, management etc.)
  • How long the data is kept (how long the data is useful from an operational point of view, and how long it is kept in the archives)

Step 3: Sort out your data.

Now check every record sheet you created and make sure:

  • That you only process data that is necessary for your activities.
    Processing only the necessary data will allow you to avoid dealing with more data than needed and will better respect people’s rights. For instance, it is not useful to know your client’s gender if you do not offer any services linked to this characteristic.
  • That you do not process so-called ‘sensitive’ data if you are not entitled to do so.
  • That only authorised persons have access to the data they need.
  • That you do not keep the data longer than necessary.

Sensitive data:
Personal data subject to specific processing conditions, which must be processed with increased security. This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade-union membership; genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person’s sex life or sexual orientation.

Step 4: Make it easy for users to exercise their rights.

Users have rights over their own data that you collect – the right of access, rectification, opposition, information, erasure, portability, and restriction of the processing.

Give them the means to contact you quickly and efficiently to assert their rights. For instance, set up a telephone number, a form on your website, a contact email address, or a postal address for users to send their requests.

Set up an internal process to ensure that requests are identified and processed within a short timeframe!

Step 5: Inform the users you are collecting data from.

Whenever you collect data, you need to inform the users about it. According to Article 12 of the GDPR, the information must be communicated “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. To avoid long statements, you can give a first level of information and refer to a privacy policy on your website.

Here is the required information you need to provide:

  • Why you are collecting the data (the purpose)
  • What authorises you to process the data (the legal basis: this may be the data subject’s consent, the performance of a contract, or your ‘legitimate interest’)
  • Who has access to the data (specify categories: relevant internal departments, a service provider…)
  • How long you will keep it
  • How data subjects can exercise their rights (via their personal space on your website, by sending a message to a dedicated email address…)
  • If you transfer data outside the European Union, specify the country and the legal framework that maintains the level of data protection

Step 6: Secure your data.

Take steps to secure data, whether digital or printed. You need to be extra careful when processing sensitive data, as it poses a risk to data subjects in the event of an incident.

Be aware of the consequences for individuals of the loss, disclosure, or unwanted modification of their data, and take steps to minimise these risks.

Recommended actions you can take include using locked filing cabinets, securing access to your buildings, changing passwords regularly, using anti-virus software, encrypting mobile devices, backing up data, and setting up a data recovery procedure.

Step 7: Appoint a Data Protection Officer.

It is strongly recommended to assign a person responsible for managing GDPR compliance within the organisation. If you fall into one of the following categories, it is mandatory to appoint a Data Protection Officer:

  1. Public authorities or bodies
  2. Organisations whose core activities lead them to carry out regular and systematic monitoring of individuals on a large scale
  3. Organisations whose core activities lead them to process sensitive data or data relating to criminal convictions and offences on a large scale

How to choose a DPO?

The DPO has an information, advisory, and monitoring role. There is no standard profile for the position of DPO, but the person must have a certain level of legal and technical expertise in data protection.

The DPO can be internal, i.e. a member of the organisation’s staff working part-time or full-time as DPO, or external, based on a service contract concluded with a natural person (e.g. a consultant, an employee of a group subsidiary, etc.) or a legal entity (e.g. a law firm, consultancy, management centre, mixed syndicate, etc.).

Step 8: Be prepared for an incident (data breach)

Even if you’ve been very careful with the personal data you process, it is still possible for an incident to occur. It is therefore important to be prepared and to know the procedure in case of a data breach.

As an organisation, it is essential to implement appropriate technical and organisational measures to avoid possible data breaches.

If a data breach occurs:

  1. You have to notify the supervisory authority within 72 hours after having become aware of the breach. The supervisory authority depends on the country. To notify a data breach in Sweden, please follow this link.
  2. If the data breach puts the data subjects at risk by threatening their rights and integrity, they must be informed. The notification must describe the nature of the breach, its consequences, the contact details of the person to be contacted (DPO or other), and the measures taken to rectify the breach and to limit its negative consequences.

Step 9: Have control over third-party services that handle personal data on your behalf.

All actors involved in the processing of the personal data of European residents have a responsibility, whether or not they are established in the European Union.

Two roles can be distinguished:

Controller
A controller is a natural or legal person, public authority, agency, or other body which determines the purposes and means of the processing of personal data, meaning the objective and the way it is carried out. As controller, you are ultimately accountable for your own compliance and the compliance of your processors.

Processor 
You are a processor if you process personal data on behalf of and under the authority of a controller. Processors, like controllers, must comply with the GDPR. We advise you to follow this step-by-step guide to ensure you comply with the law. Like the controller, you can be held liable for non-compliance.

If you want easy access to the 9 steps of being GDPR compliant, we advise you to download our guide.

Personal data and European users rights

Any information relating to an identified or identifiable natural person is personal data. It can be a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Recordings of a person, images, and videos can also be personal data if the individual is identifiable.

Generally, processing personal data involves any operation performed on the information handled, such as collecting, printing, coordinating, storing, or registering. European users have rights over the data collected about them: the right of access, rectification, opposition, information, erasure, portability, and restriction of processing.
