Preparing for the General Data Protection Regulation (GDPR)

How to prepare your organisation for the General Data Protection Regulation (GDPR)

In less than 9 months, Europe’s data protection rules will undergo their biggest changes in the last 20 years. The General Data Protection Regulation, or GDPR, will overhaul how businesses process and handle data. As a result, organisations need to be fully aware of these changes, as they can face very strict fines in cases of non-compliance. Can your organisation afford to be fined €20 million under the new General Data Protection Regulation (GDPR) for improperly handling customer data?

To ensure that you are GDPR compliant in time, plans will now need to be streamlined. Our need-to-know GDPR infographic explains the most important steps you should take to successfully prepare for compliance by May 2018.

GDPR roadmap with steps

Step 1: Strategic planning for GDPR in your organisation

The General Data Protection Regulation brings enhancements of existing data protection legislation, as well as new requirements. Unless you have full visibility of the current state of your data privacy framework, you will find it difficult to assess the extent of the work that will be required to achieve compliance with the GDPR.

So the first thing you should do is carry out in-depth research to understand your organisation’s current situation in relation to compliance. Do you know what you are doing well at the moment and where you may have gaps in terms of personal data security?

Next, you should check if your organisation needs to appoint a Data Protection Officer (DPO) to take responsibility and control of data protection issues in your company.

Under the GDPR (Article 37), you are required to designate a DPO if you are:

– a public authority (except for courts acting in their judicial capacity)
– an organisation that carries out the regular and systematic monitoring of individuals on a large scale
– an organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.

Step 2: Data mapping and audit

An essential step in preparing for compliance with the General Data Protection Regulation (GDPR) is conducting a data mapping and audit.

Data mapping involves mapping out all of the organisation’s data flows: drawing up an extensive inventory of the data to get a comprehensive understanding of where the data flows from, within and to. Cover the entire lifecycle, from data collection, saving, usage, transfer, processing, and storage/archiving to deletion.

Then you should start the audit process to assess your data protection practices around those flows of information and look at whether you have effective policies and procedures in place. This will help you check if you’re complying with current and future regulations, as well as help you prepare for the new record-keeping obligations within the GDPR. Finally, an audit will enable your organisation to identify areas of risk and prioritise what changes need to be made before the General Data Protection Regulation comes into force.

Step 3: Policy development and review

Building consensus up-front is the key to any successful GDPR compliance project. It needs to be rehearsed from the CEO/managing director downwards.

In this phase, focus on policy development and review. Start by formalising the GDPR project with the key stakeholders: Management, HR, Operations, IT, Accounting, Marketing, etc. Create an action plan that includes all the tasks that need to be completed before the GDPR comes into force. Focus on the priorities – key areas where there might be a high risk of data breaches.

Also, by this time you should have appointed a Data Protection Officer (DPO) who has expert knowledge of data protection law and practice. The DPO would work closely with your GDPR implementation team and take the lead in the assessment of the company’s data processing operations. Agree on regular updates on the project’s progress to ensure full back-up and continuous progress.

Step 4: Staff training and awareness

The pivotal component of any organisation’s GDPR compliance framework is employee awareness and education. With significant fines for non-compliance from May 2018, it is crucial that all your staff members are aware of how personal data should be processed and stored within the company, what to do when things go wrong, how to identify poor practice and behaviour that often lead to a breach, and so on.

Start by surveying your employees to evaluate their current understanding of the General Data Protection Regulation and their knowledge gaps. Based on the survey results, create training/workshops for your staff, and prioritise the training for those who work in the key areas of your organisation that involve high-risk or high-volume processing, such as marketing and HR.

Step 5: Business support and monitoring for compliance

With less than 5 months to go, you need to start putting standards and procedures in place in order to mitigate the risks of potential data breaches. Time is ticking away – there is no room for delay.

Creating and monitoring privacy policies and procedures should be your priority. These should be used to establish the standards your organisation expects from employees, consultants and contractors when they process personal data.

Privacy policies and procedures will need to have clear guidance on how your organisation will ensure compliance with data protection requirements. It is very important that these policies are readily accessible to all employees within your organisation who handle personal data.

Then focus on implementing and monitoring organisational controls to comply with the GDPR. Determine which provisions of the GDPR will apply to your organisation and who on the General Data Protection Regulation implementation team will be responsible for them. Set up appropriate measures to evaluate how your organisation will comply with GDPR requirements.

Lastly, monitor issues with compliance with data protection legislation. Independent testing and quality assurance frameworks are highly recommended to ensure that data protection processes and procedures are being adhered to. Any instances of non-compliance should be logged and analysed to identify trends in non-compliance. Establish clear processes for reporting data breaches to the data protection officer to ensure that data breaches are brought to the attention of the regulator within the time frames laid down by the GDPR. You should test breach notification processes regularly to ensure that they are being followed and are working effectively.

Step 6: Go live & follow up with on-going monitoring

Finally, 18th May 2018 arrives and the GDPR enters into force. If you have been consistently preparing for this, now you can sit back and relax – you have done your homework and can demonstrate that your organisation is GDPR compliant.

However, it is important to note that when you start to use your new policies and processes, you may find that they do not work perfectly on a day-to-day basis. Moreover, while it is unlikely that there will be significant changes to the text of the GDPR anytime soon, there might be some new guidance coming in over the next two years on how it should be interpreted. Therefore, you should continuously ensure that you stay on top of things in relation to GDPR compliance. Your goal is to be able to identify any problem areas, work to find a solution and make sure that solution is GDPR-compliant.


Following these General Data Protection Regulation compliance steps will not only help you diminish data breach risks and help your organisation comply with the GDPR, it will also build the trust of your customers and prospects and ultimately grow your business.

Finally, considering that less than 9 months are left until the GDPR comes into force, it would be a mistake to approach these steps in a linear fashion. You can make progress in each of these areas simultaneously to accelerate your GDPR compliance process.

Note: This information is intended as a general overview and discussion of the subjects dealt with. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. CMS Distribution recommends that entities subject to legislation seek legal counsel from qualified sources.