GDPR Compliance: From Theory to Practice

The GDPR has become a real challenge for businesses. Companies often ask: “What is the GDPR? What documents need to be prepared to fulfill its requirements? Is it enough to simply have a Privacy Policy on the website to become compliant?”

But the answer is obvious — no. GDPR compliance is not about formalities, but about real processes. It is not a one-time action, but a continuous cycle of adaptation, cooperation, and implementation of solutions that actually work. Policies in themselves change nothing — what matters is that they operate in practice.

This is precisely why GDPR compliance is not simply a set of rules or documents. It is a living system that integrates into business processes and changes the approach to working with personal data. It is a privacy-first culture, where protecting users’ information is not just a requirement, but a standard way of thinking.

So what does genuine GDPR compliance look like? Let us work through it.

The Most Popular Question: Does a Standard Document Package for GDPR Compliance Exist?

The answer is simple — no. Every business is unique, as are its processes. One company may manage with an Excel spreadsheet for keeping records of its data, while another runs complex algorithms that predict user behavior. Therefore, simply copying documents from another website is not only ineffective, but also unfair to one’s own clients: the documents describe processing that is not yours.

As they said in one iconic film: “Respect thy consumer.” You would not force users to agree to the processing of their personal data based on a template document that does not even take into account the specifics of your business, would you?

So what to do? The answer, like Morpheus’s, is: “Not where, but when.” And when that moment arrives, it is worth starting with a GDPR audit.

GDPR Implementation Algorithm

GDPR Audit
GDPR Plan
Internal GDPR Compliance
Regulating Relationships with Users
Regulating Relationships with Counterparties
Demonstrating GDPR Compliance

Let us examine each stage in more detail.

STEP 1: GDPR Audit

A GDPR audit is a fundamental stage that determines how well the company complies with the norms of the Regulation regarding the processing of personal data. Its key result is the creation of a personal data flow map and the preparation of a gap assessment, which identifies the gap between the company’s current business processes and the requirements of the GDPR.

Through the audit it is possible to understand whether the company falls within the scope of the GDPR and what specific measures need to be implemented to achieve compliance. Requirements for different companies vary depending on their jurisdiction, the scale of data processing, and the specifics of their activities. Without a quality audit, therefore, it is impossible to effectively implement GDPR compliance.

STEP 2: GDPR Plan

The next stage is developing a strategy and defining clear steps to achieve GDPR compliance. Based on the gap assessment created as a result of the audit, specific steps for achieving GDPR compliance are planned.

Typical documents:

  • Compliance Project Initiation Document — in this document we initiate the preparation for GDPR implementation: scope, owners, and timeline.
  • Preparation Project Plan — a detailed action plan for implementing GDPR in the company.
  • Gap Assessment (as a result of the audit) — an assessment of the “gap” between how personal data is currently processed and what needs to be changed to bring processes into compliance with the GDPR.
  • Compliance Evidence — the collected proof that each planned measure was actually implemented, not only written down.
  • Internal Audit Procedure — conditions for periodic audits to assess and reassess the state of GDPR affairs.

It is worth noting here that GDPR compliance can differ depending on the specifics of the company’s business. For example, the requirements for outsourcing companies and adtech platforms have their own nuances, as each field of activity involves unique approaches to personal data processing. More details on how industry specifics affect the preparation of a GDPR compliance roadmap can be found here.

The goal of preparing the plan is to define the specific steps (roadmap) along which the company needs to move to bring its activities to a state of GDPR compliance.

STEP 3: Internal GDPR Compliance

The following blocks of documents can be identified as typical for internal GDPR compliance:

Data collection and control over data transfer — We define how exactly and on what basis personal data is collected, how long it is stored, and what operations are performed with the data.

Typical documents:

  • Personal Data Mapping Procedure — we set out the principles for forming a personal data flow map and the legal facts that need to be regulated within the framework of data transfer/processing/enrichment.
  • Annex A1. Personal Data Capture Form (users as data subjects)
  • Annex A2. Personal Data Capture Form (employees as data subjects)
  • Annex B. Records of Processing Activities — the register required by Article 30 GDPR: purposes, categories of data and recipients, retention periods, and a description of security measures.
  • Records Retention and Protection Policy

Roles and responsibilities — We define the role of each employee/founder of the Company in the processing of personal data and establish the level of access and the need for further training.

Typical documents:

  • Roles and Responsibilities — we specify what tasks will be delegated to the persons involved within the company.
  • Competence Development Procedure — we describe the procedures and necessary conditions for improving the competence of internal stakeholders within the company.
  • Information Security Awareness Training (ENG/UKR) — optional additional information security training.
  • Handbook for Employee — not quite a book, but a guide for the employee that outlines the key aspects of working with the company’s personal data and specifically their role in this process.
  • Access Control Policy — a document that explains who may access which data, where access is prohibited, and why. It is the least-privilege principle in writing: the fewer people who can reach a data set, the smaller the blast radius of an account compromise or an insider mistake.

! Company employees and GDPR — Some employees are more actively involved in processing personal data, while others are not involved at all. At the same time, employees who have received GDPR training and have been explained in clear language how the company is in compliance with the GDPR and how it takes care of personal data can internalize the privacy-first culture and carry it further, thereby increasing trust in the company. And it is also good for HR branding! Ask your HRD and PR person.

DPIA & DPO — We determine whether a Data Protection Impact Assessment (DPIA) is required and whether a Data Protection Officer (DPO) must be appointed.

Typical documents:

  • DPIA necessity report — a document that determines whether a DPIA is required at all. Under Article 35 GDPR a DPIA is mandatory where processing is likely to result in a high risk to individuals, for example systematic profiling, large-scale processing of special categories, or monitoring of publicly accessible areas.
  • DPIA Procedure
  • DPIA Report
  • DPO necessity report — we determine whether a DPO is needed and why.

Security of personal data — We define the information protection regime in the company.

Typical documents:

  • Information Security Policy — one of the most serious documents in the organization. According to legend, it must be approved by a stern man with a mustache and thick fingers, but that is not the case. What matters is that this document defines the technical and organizational measures (Article 32 GDPR) the company relies on for the security of personal data.
  • Information Security Incident Response Procedure

Personal Data Breach Procedure — We define the algorithm of actions in the event of a personal data breach.

Typical documents:

  • Personal Data Breach Notification Procedure — in the event of a personal data breach, the company is obliged to report it: to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals; and to the affected data subjects where the breach is likely to result in a high risk (Article 34). Seventy-two hours is not much time, so the procedure, the contacts, and the decision criteria must be ready before the incident.
  • Personal Data Breach Notification Form
  • Personal Data Breach Register

STEP 4: Regulating Relationships with Users

Privacy policy documents — We prepare documents for users — policies, consents to the processing of personal data — and in plain language tell users about their rights.

Typical documents:

  • International Transfer Procedure — it happens that the company is in Ukraine, the data belongs to Europeans, and the processor is in the USA. What to do? Have a procedure that states which transfer mechanism under Chapter V of the GDPR is relied on for each recipient (an adequacy decision, standard contractual clauses, binding corporate rules) and who checks it before a new vendor is connected.
  • Privacy Policy — arguably the main document in the context of relationships with users. In a nice, understandable language and in a friendly manner, it is worth explaining to users how, why, and for what reason we may process their personal data.
  • Privacy Notice Procedure — here we talk about how exactly we notify our users of the processing of their personal data and take care of them.
  • Cookies Policy — we must tell users which cookies and similar identifiers we place on their device, for what purpose, for how long, and which third parties receive the data.
  • Consent form — a document by which the user expresses their consent to the processing of personal data, for example when registering on a website.
  • Cookies Consent Form — you have certainly seen such a document. On almost every website. Something like: “Hi, we are having fun with cookies here, ok?”

Rights of data subjects — We define procedures and forms for the exercise of the rights of personal data subjects and record-keeping of appeals.

Typical documents:

  • Request and Complaints Procedure
  • Request and Complaints Form
  • Request and Complaints Register — we must record who contacted us with a request, for example for data deletion, and how it was handled. But here is the question: how do you register a request from someone who demanded that their information be deleted? The answer is to retain only the minimum needed as evidence — the date received, the type of request, the deadline, and the outcome — and to record the requester not by name or e-mail but by a pseudonym, for instance a keyed hash of their identifier. The company can then prove the request was honored, and later check whether a record that resurfaces (say, from a restored backup) belongs to someone already erased, without keeping the very data it was asked to delete.
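A worked example of such a register, added here as illustration and not part of the original article or of any particular company's documents. It pseudonymizes the requester's identifier with HMAC-SHA256 under a secret key (a plain hash of an e-mail address is reversible by dictionary attack; a keyed one is not without the key), computes the one-month response deadline of Article 12(3), and exports only the evidence an auditor needs. The key, the sample request, and the class and function names are constructed for this example.

```python
"""Erasure-request register that keeps evidence of handling without keeping the data."""
import calendar
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import date
from typing import Optional

# Constructed demo key for this example only. In a real deployment the key lives in a
# secrets manager and is readable only by the privacy function; destroying the key at
# the end of the retention period turns the register into anonymous data, because the
# pseudonyms can then no longer be matched to anyone.
REGISTER_KEY = b"constructed-demo-key-do-not-use"


def normalize_identifier(raw: str) -> str:
    """Trim and lower-case so spelling variants of one address map to one pseudonym."""
    return raw.strip().lower()


def pseudonymize(identifier: str, key: bytes = REGISTER_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized identifier.

    Without the key, someone who steals the register cannot test candidate e-mail
    addresses against it, which an unkeyed SHA-256 would allow.
    """
    data = normalize_identifier(identifier).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def deadline_for(received_iso: str) -> str:
    """Art. 12(3) GDPR: respond within one month of receipt (day clamped to month end)."""
    d = date.fromisoformat(received_iso)
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


@dataclass
class RegisterEntry:
    subject_ref: str            # HMAC pseudonym; the e-mail itself is never stored
    request_type: str           # "erasure", "access", "rectification", ...
    received: str               # ISO dates keep the register plain text
    deadline: str
    completed: Optional[str] = None
    outcome: str = "open"       # "open", "fulfilled", "refused", ...


class RequestRegister:
    def __init__(self, key: bytes = REGISTER_KEY):
        self._key = key
        self._entries: list[RegisterEntry] = []

    def record_request(self, identifier: str, request_type: str, received_iso: str) -> RegisterEntry:
        entry = RegisterEntry(
            subject_ref=pseudonymize(identifier, self._key),
            request_type=request_type,
            received=received_iso,
            deadline=deadline_for(received_iso),
        )
        self._entries.append(entry)
        return entry

    def close_request(self, identifier: str, request_type: str, completed_iso: str,
                      outcome: str = "fulfilled") -> bool:
        """Close the oldest open request of this type for this person; False if none is open."""
        ref = pseudonymize(identifier, self._key)
        for entry in self._entries:
            if entry.subject_ref == ref and entry.request_type == request_type and entry.outcome == "open":
                entry.completed = completed_iso
                entry.outcome = outcome
                return True
        return False

    def is_erased(self, identifier: str) -> bool:
        """Use when data resurfaces (e.g. a restored backup): was this person already erased?"""
        ref = pseudonymize(identifier, self._key)
        return any(e.subject_ref == ref and e.request_type == "erasure" and e.outcome == "fulfilled"
                   for e in self._entries)

    def overdue(self, today_iso: str) -> list[RegisterEntry]:
        """Open requests whose Art. 12(3) deadline has passed."""
        return [e for e in self._entries if e.outcome == "open" and e.deadline < today_iso]

    def export(self) -> str:
        """What an auditor sees: evidence of handling, no personal data."""
        return json.dumps([asdict(e) for e in self._entries], indent=2)


if __name__ == "__main__":
    reg = RequestRegister()
    # Constructed sample request; note the spelling variant is matched on purpose.
    reg.record_request("Alice@Example.com ", "erasure", "2024-01-31")
    reg.close_request("alice@example.com", "erasure", "2024-02-10")
    print(reg.export())
    print("already erased:", reg.is_erased("ALICE@example.com"))
```

The deadline comparison works on ISO strings because they sort chronologically. The register itself is still personal data as long as the key exists (pseudonymization is not anonymization under Recital 26), so its retention period and the key's lifetime belong in the Records Retention and Protection Policy.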

! It is worth remembering here that users may turn not only to your company but also to local authorities if they believe you are processing their personal data in some improper way.

Of course, it is necessary to work in a preventive manner — communicate with the user, exercise their rights in accordance with the Regulation — but in the event of receiving a letter directly from an authority, it will be necessary to demonstrate both GDPR compliance in general and in the specific case involving the user. An outsourced DPO or privacy manager can help with such communication!

STEP 5: Regulating Relationships with Counterparties

Data transfer policies & Data processing agreements — We define the requirements for the company’s counterparties for the possibility of transferring personal data and prepare the agreements necessary for such transfer.

Typical documents:

  • Supplier Assessment Procedure — we cannot transfer data to just anyone, so we must vet counterparties before onboarding them. They must meet our requirements for security, sub-processors, and location of processing.
  • Controller-Processor Agreement Policy
  • Data Processing Agreement — the most important document we sign with partners. For a processor, Article 28 GDPR requires a contract that fixes the subject matter, duration, nature and purpose of processing, the categories of data and data subjects, security obligations, sub-processor rules, and deletion or return of data at the end of the engagement. Between two controllers (including joint controllers under Article 26) the equivalent is a data sharing or joint controller arrangement that allocates responsibilities.

In order to transfer data to contractors, one must first assess whether they are in compliance with the GDPR: in what jurisdiction they are registered, and whether it is even lawful to transfer data there; what role a specific counterparty will have — controller, processor, or possibly joint controller. Relevant procedures and contracts are used to manage relationships with contractors and partners regarding personal data. When these have been developed and are clear, and, say, the Head of Legal is drafting an agreement with a new counterparty, agreeing on privacy matters should not become an obstacle to cooperation.

STEP 6: Demonstrating GDPR Compliance

We create a personal data flow map, explaining the legal aspects of each stage of such data movement within the company’s business processes. We also create a presentation demonstrating GDPR compliance.

Typical documents:

  • Data Flow Diagram — the most important document, showing the movement of personal data within our company.
  • Initial Mapping — the initial sketch of the data flow map. We can update this document as new business processes are created.
  • Compliance Data Mapping — here we attach specific legal bases to our map. For example — consent allows us to take data into processing. The scope of consent determines what we can do with it further. The next stage may be the transfer of this data to the cloud in accordance with a DPA.
  • Evidence of Compliance presentation — everyone loves slides. And these slides are magical. This presentation explains the entire substance of GDPR compliance in accordance with the documents that the company has prepared for working with personal data. Nice, on company letterhead, and to the point.

Checklist

1. Does your company process personal data?

Personal data is any information relating to an identified or identifiable natural person (Article 4(1) GDPR), including data that identifies someone only indirectly or in combination with other data:

  • client phone numbers
  • IP addresses
  • cookie files
  • other data that may be considered personal

2. Does the GDPR apply to your company?

The GDPR applies to a company if (Article 3):

  • the company is established in the EU and processes personal data in the context of that establishment — regardless of whether the data subjects are EU residents or persons from other countries
  • the company is established outside the EU but offers goods or services (paid or free) to data subjects in the EU
  • the company is established outside the EU but monitors the behavior of data subjects in the EU, for example through tracking and profiling

To determine whether your activities are targeting the EU market, pay attention to:

  • the availability of the website in EU languages
  • the possibility of paying in euros
  • EU domain registration
  • delivery of goods or services to EU countries

3. Does the company process sensitive personal data?

Special categories of data (Article 9) include:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data and biometric data used to uniquely identify a person
  • health data
  • data concerning sex life or sexual orientation

Data on criminal convictions and offences is regulated separately (Article 10) but likewise requires a specific legal basis.

Processing of such data is prohibited unless one of the exceptions in Article 9(2) applies (for example explicit consent), and it requires enhanced protection; large-scale processing of it is one of the triggers for a DPIA.

4. Have the requirements of national legislation been taken into account?

Each EU country may have additional requirements.

5. Is personal data transferred to third countries?

Transfer of data outside the EU/EEA is permitted only on one of the Chapter V grounds:

  • an adequacy decision of the European Commission for the destination country (Article 45)
  • appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), together with an assessment that the recipient’s local law does not undermine them (Articles 46 and 47)
  • for specific, non-repetitive situations only, a derogation under Article 49, such as the data subject’s explicit consent given after being informed of the risks

6. What role does the company play in the data processing process?

Your company is:

  • A controller — determines the purposes and means of data processing
  • A processor — processes data only on the documented instructions of the controller
  • A joint controller — determines purposes and means together with another controller (Article 26)

Depending on the role, the company’s responsibility and obligations will differ.

7. Does your company need a Data Protection Officer (DPO)?

A DPO is mandatory (Article 37) if:

  • the company is a public authority or body
  • the company’s core activities require regular and systematic monitoring of data subjects on a large scale
  • the company’s core activities consist of large-scale processing of special categories of data or of criminal conviction data
  • national law imposes the requirement (some member states do)

The DPO is responsible for monitoring compliance with GDPR requirements and communicating with regulators.

Conclusions

Most GDPR documents are prepared in English, but those intended for data subjects — for example, a Privacy Policy — must be provided in clear and plain language they can understand (Article 12), which in practice means translating them into the languages of the markets you address. However, correct formatting alone is not sufficient. Policies and agreements need to be reviewed and updated regularly, as business processes change, new forms of personal data processing emerge, and users provide new consents.

Some documents, such as the initial GDPR plan, may seem static, but in practice they also change as the company develops. GDPR compliance is a continuous process that begins with an audit but never ends. It is daily work that makes the company stronger and helps clients effectively manage their personal data.

Moreover, the implementation of genuine, working GDPR can become a competitive advantage. Companies that demonstrate a responsible attitude to data protection win in the long term, as transparency and data security are what modern consumers expect.

To assess your company’s level of readiness for GDPR compliance, we suggest using the checklist above. And if you need help — fill out our GDPR questionnaire and we will help you make this process as effective as possible.
