GDPR Compliance: What Does It Look Like in Practice?

GDPR is reflected in processes. Having certain policies means nothing if people act differently in real situations.

Processes must be documented and put into effect by communicating them to the people involved. Moreover, since data-processing activities change over time, they require periodic review and updating.

Every GDPR Compliance Project Is Different

But individual modules can be identified, such as:

Customer journey map and GDPR. This refers to the digital experience of a buyer or user from the moment of first contact with content through to repeat purchases.

Candidate journey map and GDPR. In the context of hiring or recruiting, a candidate shares their personal data with the company, and such data accordingly follows its own path within the personal data map (the map of personal data flows within the company).

Company employees and GDPR. The organization defines roles and responsibilities for fulfilling GDPR requirements. Employees undergo training to understand what exactly they need to do within the company’s GDPR processes and how the privacy program is structured in the organization as a whole. The processing of employees’ own data should also not be overlooked.

B2B clients and GDPR. Demonstrating compliance with the Regulation by completing questionnaires and managing the relevant data transfer agreements.

Contractor management and GDPR. Managing relationships with partners and contractors in the context of the possibility of transferring personal data to them and the terms of such interaction.

Authority and GDPR. Interaction with supervisory authorities is a normal part of operating under the GDPR, provided there is a functioning privacy program.

All of these modules are based on high-quality and well-developed internal documents that define, among other things:

  • Data collection conditions and control over data transfer
  • Roles and responsibilities for GDPR processes in the company
  • Conditions for conducting risk assessments and the need for a Data Protection Officer
  • Conditions and requirements for the secure processing of personal data

To initiate work on a privacy program with the aim of achieving GDPR compliance, an inventory of the personal data processed by the company is required.

A GDPR Compliance Project Has a Starting Point and Can Broadly Be Divided into 3 Steps

Step 1: Data Inventory and Defining the Roadmap to GDPR Compliance

To determine the substance and components of the documentation required in a specific case, and how it will be implemented in the company’s processes, a consultation (report or audit) on the GDPR requirements specifically applicable to the Company must first be prepared in accordance with the Methodology.

This is the first step in GDPR compliance for a company: without a roadmap, an understanding of data flows, and an understanding of the specific requirements, no concrete result can be reached. In practice, the start of this audit is the starting point of the whole process.

The results are presented in the form of a report that will include the following sections:

  • introduction (personal data flow maps with explanations of the Company’s role in each of the processes);
  • gap assessment (enumeration of all GDPR requirements applicable to the Company and recommendations on actions the Company can take to achieve compliance with each article);
  • assessment of the compliance of third parties involved in the processing of personal data (and enumeration of actions recommended to achieve compliance);
  • list of documents to be drafted and introduced into the Company’s activities to comply with GDPR requirements;
  • training plan and other staff training measures on privacy and personal data processing matters.

Step 2: GDPR Documents

The following blocks of documents can be identified as typical for GDPR projects. The documents themselves and their content are determined in the report.

  1. Internal compliance:
  • Data collection and control over data transfer
  • Roles and responsibilities
  • DPIA, DPO
  • Security of personal data
  2. Data subject rights
  • Privacy policy documents
  • Documents on the exercise of rights by data subjects
  3. Management of relationships with counterparties
  4. Demonstration of compliance

Depending on the company’s role in specific data processing activities, the document blocks may be structured differently. For example, for a company that provides a service in SaaS format, a GDPR FAQ on the website will be very important, while for a company operating in B2B format a well-drafted DPA (data processing agreement) matters most, and so on.

As a rule, the vast majority of documents are drafted in English, while those placed on the website, for example a privacy policy, may also be in the language of the country in whose market the company operates.

Step 3: GDPR Support

There are many options here. The company may designate a “privacy champion” who is responsible for keeping the documentation current and the processes correct. Alternatively, external privacy consultants may be engaged, or even an external DPO.

GDPR compliance is a dynamic process and this is reflected in how a company responds to specific challenges. So let us return to the beginning — how do the GDPR modules work in practice?

Customer Journey Map and GDPR

Scenario 1: A user visited a website, clicked “ok with necessary cookies” on the cookie banner, and five minutes later saw an advertisement for this service in their Facebook feed. This means a Facebook pixel was loaded on the website regardless of the banner choice, even though, having accepted only necessary cookies, the user had not consented to such use of their data. At this moment, distrust of the brand may arise and the chance of conversion will consequently decrease.

Scenario 2: A user clicked “ok with necessary cookies,” then read the GDPR FAQ on the website and learned that by consenting to broader use of their data, they could in future receive customized offers and discounts based on their purchasing patterns. They liked this and agreed, and upon seeing a banner on Facebook they made a purchase, because they knew that “everything is fair and beneficial for them.”

This example shows how GDPR compliance can help build client trust. A client rightfully expects their privacy to be taken care of, which means this must be part of their successful digital experience.
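The difference between the two scenarios is, on the engineering side, whether third-party tags are gated on the recorded consent. Below is an added example (not code from Legal IT Group or from any consent-management product) that contrasts the Scenario 1 defect, a pixel injected on every page load, with a consent-gated tag loader. The names ConsentStore, TagManager, simulateVisit and the script URLs are hypothetical; the `inject` callback stands in for creating a `<script>` element in a browser, so the example runs stand-alone in Node.

```javascript
// Added example: consent-gated loading of third-party tags. Not code from the
// page or any vendor; ConsentStore, TagManager and the URLs are hypothetical.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Illustrative script URLs; the marketing one stands in for a Facebook pixel.
const PIXEL_SRC = "https://tracker.example/pixel.js";
const KEEPALIVE_SRC = "https://shop.example/static/session.js";

class ConsentStore {
  constructor() {
    this.choices = null; // null: the visitor has not answered the banner yet
  }

  // Record the banner choice. Unknown categories are rejected rather than
  // silently accepted, and "necessary" is always on (it needs no consent).
  record(choices) {
    const c = { necessary: true, analytics: false, marketing: false };
    for (const key of Object.keys(choices)) {
      if (!CATEGORIES.includes(key)) throw new Error("unknown category: " + key);
      c[key] = choices[key] === true;
    }
    c.necessary = true;
    this.choices = c;
    return c;
  }

  // No decision yet means no consent: opt-in, never opt-out.
  allows(category) {
    if (category === "necessary") return true;
    return this.choices !== null && this.choices[category] === true;
  }
}

// Scenario 1, the defect: the pixel is injected on every page load, before
// the banner is even shown, so the visitor's choice changes nothing.
function injectPixelUnconditionally(inject) {
  inject(PIXEL_SRC);
  return [PIXEL_SRC];
}

// Scenario 2, the fix: every third-party tag is registered with the consent
// category it belongs to and is injected only once that category is allowed.
class TagManager {
  constructor(consent, inject) {
    this.consent = consent;
    this.inject = inject; // in a browser: append a <script src=...> element
    this.tags = [];
    this.loaded = new Set();
  }

  register(name, category, src) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    this.tags.push({ name, category, src });
  }

  // Call on page load and again whenever the consent record changes.
  // Returns the names of the tags injected by this call.
  apply() {
    const injectedNow = [];
    for (const tag of this.tags) {
      if (this.loaded.has(tag.name)) continue;
      if (!this.consent.allows(tag.category)) continue;
      this.inject(tag.src);
      this.loaded.add(tag.name);
      injectedNow.push(tag.name);
    }
    return injectedNow;
  }
}

// Simulates one visit: page load, then the banner answer. The inject
// callback only records URLs so the example runs outside a browser.
function simulateVisit(bannerChoice) {
  const injected = [];
  const consent = new ConsentStore();
  const tags = new TagManager(consent, (src) => injected.push(src));
  tags.register("session-keepalive", "necessary", KEEPALIVE_SRC);
  tags.register("marketing-pixel", "marketing", PIXEL_SRC);
  tags.apply();                 // before the banner: necessary tags only
  consent.record(bannerChoice); // the visitor clicks a banner button
  tags.apply();                 // after the banner: whatever is now allowed
  return injected;
}

// Caveat a withdrawal flow must handle: a script that has already run cannot
// be un-run. After withdrawal the page must stop further loads, delete the
// cookies that tag set, and reload; gating alone is not enough.
function withdrawAfterLoad() {
  const injected = [];
  const consent = new ConsentStore();
  const tags = new TagManager(consent, (src) => injected.push(src));
  tags.register("marketing-pixel", "marketing", PIXEL_SRC);
  consent.record({ marketing: true });
  tags.apply();
  consent.record({ marketing: false });
  tags.apply();
  return injected.length; // still 1: the earlier load is not undone
}
```

The design choice worth noting is that an unanswered banner is treated exactly like a refusal: `allows()` returns false until a choice is recorded, so nothing in the marketing category loads on first paint. Under GDPR that is the only defensible default, and it is precisely what the Scenario 1 site got wrong.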

For simplicity, let us say the CMO is responsible for this digital user experience. They know exactly which GDPR-related banners and documents are on the website, which privacy UX texts are used, and what the support department will say in response to a relevant user request. If the mechanics change or difficulties arise, the CMO can always consult the Data Protection Officer.

Candidate Journey Map and GDPR

In this scenario, the main stakeholders are an in-house recruiter (for simplicity) and a potential candidate for a senior developer vacancy. There are points of contact here too, and they vary, from a template email to a smiley in Telegram. A reasonable question from a candidate may be: “where did you get my data?” Recruiters today use a lot of software, so to build a trust-based relationship the recruiter must be able to explain the lawful way in which the contact details were obtained.

Then comes entry into the candidate database, possibly the recording of an interview, and possibly the sharing of data with other companies. These processes must be regulated, and the Head of Recruiting must understand the data flow and be confident that their subordinates also understand the GDPR compliance process in the context of recruiting in the organization.

Company Employees and GDPR

Some employees are actively involved in processing personal data, while others are not involved at all. At the same time, employees who have received GDPR training and had it explained in plain language how the company complies with the GDPR and how it takes care of personal data can internalize a privacy-first culture and carry it further, thereby increasing trust in the company. This is also good for HR branding. Ask your HRD and PR person.

B2B Clients and GDPR

Fast deal closing with large companies requires the organization to promptly complete GDPR questionnaires, but in order to complete a questionnaire (often with 100 questions) and attach all necessary documents, one must have the relevant assets. Their availability is achieved through the implementation of a privacy program.

GDPR compliance can then become a competitive advantage, and a DPO who helps with the questionnaire will be able to professionally answer all of the client’s questions, once again presenting the organization in the best light. Ask your Head of Sales whether you need this.

Contractor Management and GDPR

Before transferring data to contractors, one must first assess whether they comply with the GDPR. In what jurisdiction are they registered, and is it lawful to transfer data there at all? What role will the counterparty have: controller, processor, or possibly joint controller?

Relevant procedures and contracts are used to manage relationships with contractors/partners regarding personal data. When these have been developed and are clear, and, say, the Head of Legal is drafting an agreement with a new counterparty, agreeing on privacy matters should not become an obstacle to cooperation.

Authority and GDPR

Users may turn to their local supervisory authority if they believe you are processing their personal data improperly. Of course, it is necessary to work preventively, communicating with the user and enabling them to exercise their rights in accordance with the Regulation, but if a letter arrives directly from an authority, it will be necessary to demonstrate GDPR compliance both overall and in the specific case involving that user. An outsourced DPO or privacy manager can help with such communication.

What Can an Outsourced DPO Help With?

  • Training and knowledge support for the team
  • DPIA for new processes/products
  • Scheduled review/update of data protection documentation
  • Interaction with users (responding to requests)/counterparties on privacy matters
  • Interaction with clients (answering privacy questions)
  • Interaction with supervisory authorities in the field of privacy
  • Privacy consulting

So What Does GDPR Compliance Actually Look Like?

GDPR compliance is the story of the interaction of various stakeholders in a team within the framework of defined processes, in accordance with policies, with the aim of ensuring the protection and exercise of the rights of personal data subjects.

GDPR compliance is a privacy-first culture when building new products and caring for each user’s personal data as the greatest treasure.

GDPR compliance is when:

“Anton, as our DPO from Legal IT Group and CIPP/E, tell us — do we need to conduct a risk assessment if we start collecting our users’ DNA to send advertising into their dreams?”

“Of course, let’s arrange a Google Meet call today, say at 3 PM, and we’ll discuss the details.”

If you also want to arrange a Google Meet call with Anton regarding the initiation of your own privacy program to achieve GDPR compliance — just write here.

Legal IT Group will help your business comply with European data protection requirements. We will review current processes, prepare documents, and help build a system that works for compliance, not against it.
