GDPR compliance and GDPR implementation: what is the algorithm?

GDPR Compliance: From theory to practice

GDPR has become a real challenge for businesses. Companies often ask: ‘What is the GDPR, and what documents do I need to prepare to meet its requirements? Is a website Privacy Policy enough to be compliant?’

The answer is no. GDPR compliance is not a matter of formalities but of real processes. It is not a one-time action but a continuous cycle of adaptation, cooperation and implementation of solutions that actually work. Policies on their own change nothing; what matters is that they are applied in practice.

That is why GDPR compliance is not just a set of rules or documents. It is a living system that integrates into business processes and changes the approach to working with personal data. It is a culture of privacy first, where the protection of user information is not just a requirement, but a standard of thinking.

So what does real GDPR compliance look like? Let’s find out.

GDPR compliance: implementation steps, documents and tips on how to prepare a company for compliance with the regulation.

The most popular question: Is there a standardised package of documents for GDPR compliance?

The simple answer is no. Every business is unique, and so are its processes. For one company an Excel spreadsheet is enough to keep track of data; another runs complex algorithms to predict user behaviour. Simply copying documents from another website is therefore not only ineffective but also unfair to your own customers.

As one cult film said: ‘Respect your customer’. You wouldn’t force your users to agree to the processing of their personal data in accordance with a template document that doesn’t even take into account the specifics of your business, would you?

What to do? The answer is the same as Morpheus’s: ‘Not where, but when’. And when that moment has come, start with a GDPR audit.

GDPR implementation algorithm


Let’s take a closer look at each stage:

STEP 1 – GDPR audit

A GDPR audit is the foundational stage that determines to what extent a company complies with the rules on personal data processing. Its key results are a personal data flow map and a gap assessment, which sets out the distance between the company’s current business processes and the GDPR requirements.


An audit shows whether a company is subject to the GDPR at all and which measures it needs to implement to comply. The requirements differ from company to company depending on jurisdiction, the scope of data processing and the specifics of the business, so GDPR compliance cannot be implemented effectively without a proper audit.

STEP 2 – GDPR plan

The next step is to develop a strategy: based on the gap assessment produced by the audit, the specific steps needed to achieve GDPR compliance are planned.


Specific documents:

  • Compliance Project Initiation Document – the document with which preparations for implementing the GDPR are formally started.
  • Preparation Project Plan – a detailed action plan for implementing the GDPR in the company.
  • Gap Assessment (produced by the audit) – an assessment of the ‘gap’ between how personal data is currently processed and what must change to bring the processes into compliance with the GDPR.
  • Compliance Evidence
  • Internal Audit Procedure – the schedule and scope of periodic audits that assess and reassess the company’s position under the GDPR.

It is worth noting here that GDPR compliance differs depending on the specifics of a company’s business. For example, the requirements for outsourcing companies and adtech platforms each have their own nuances, because each area of activity involves its own approaches to personal data processing. More information on how industry specifics affect the preparation of a GDPR compliance roadmap can be found here.

The purpose of preparing the plan is to identify specific steps (roadmap) that a company needs to follow to bring its operations into GDPR compliance.

STEP 3 – Internal GDPR compliance

The following sets of documents are typical for internal GDPR compliance:


Data collection and data transfer control – Determine how and on what legal basis personal data is collected, how long it is stored, and which operations are performed on it.

Typical documents:

  • Personal Data Mapping Procedure – describes the principles for mapping the movement of personal data and the legal facts that must be settled at each transfer, processing or enrichment step.
  • Annex A1. Personal Data Capture Form (users as data subjects)
  • Annex A2. Personal Data Capture Form (employees as data subjects)
  • Annex B. Records of Processing Activities
  • Records Retention and Protection Policy

Roles and responsibilities – Define the role of each employee and founder of the company in the processing of personal data, set their level of access, and identify training needs.

Specific documents:

  • Roles and Responsibilities Policy – states which tasks are delegated to which persons within the company.
  • Competence Development Procedure – describes the procedures and conditions for improving the competence of internal stakeholders.
  • Information Security Awareness Training (ENG / UKR) – additional training on information security, where needed.
  • Employee Handbook – not literally a book, but a guide for the employee that sets out the key aspects of working with the company’s personal data and his or her specific role in the process.
  • Access Control Policy – explains who may access what, what is off-limits, and why. Access is granted on a need-to-know basis: the fewer people who know a secret, the safer it is.

! Company employees and GDPR – Some employees are closely involved in processing personal data, others not at all. Employees who have been trained on the GDPR and told in plain language how the company complies with it and how it looks after personal data carry the privacy-first culture with them and pass it on, which increases trust in the company. It is also good for HR branding: ask your HRD and PR lead.

DPIA & DPO – Determine whether a Data Protection Impact Assessment (DPIA) is necessary and whether a Data Protection Officer (DPO) must be appointed.

Specific documents:

  • DPIA necessity report – a document that establishes whether the company’s processing requires a DPIA (Art. 35 GDPR), for example because it is likely to result in a high risk to individuals.
  • DPIA Procedure
  • DPIA Report
  • DPO necessity report – establishes whether a DPO is required (Art. 37 GDPR) and why.

Security of personal data – Determine the information security regime in the company.

Typical documents:

  • Information Security Policy – one of the most serious documents in an organisation. Legend has it that it must be signed off by a stern man with a moustache and thick fingers; in fact it simply has to define the measures the company takes to protect its information, personal data included.
  • Information Security Incident Response Procedure

Personal Data Breach Procedure – Determine the sequence of actions in the event of a personal data breach (data leak).

Typical documents:

  • Personal Data Breach Notification Procedure – in the event of a personal data breach the company must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR), and must inform the affected individuals when the breach is likely to result in a high risk to them (Art. 34 GDPR). This is a legal requirement, so you need to be prepared, have a procedure and know what to do.
  • Personal Data Breach Notification Form
  • Personal Data Breach Register

STEP 4 – Regulate relations with users


Privacy policy documents – We prepare the user-facing documents – policies and consents to the processing of personal data – and tell users about their rights in plain language.

Typical documents:

  • International Transfer Procedure – it happens that the company is in Ukraine, the data is European, and the processor is in the United States. What to do? Have a procedure that names the transfer mechanism relied on (an adequacy decision, standard contractual clauses, etc.).
  • Privacy Policy – probably the main document in the context of user relations. It should explain to users, clearly and in a friendly manner, how, why and where we may process their personal data.
  • Privacy Notice Procedure – describes how we notify users about the processing of their personal data and keep those notices current.
  • Cookies Policy – tells users which cookies we set on their device, what those cookies track, and what we learn from them.
  • Consent Form – the document by which a user consents to the processing of personal data, for example when registering on a website.
  • Cookies Consent Form – you have certainly seen this one; almost every website has it. Roughly: ‘Hi, we’re having fun with cookies here, okay?’

Rights of data subjects – We define the procedures and forms for exercising the rights of data subjects and for keeping records of their requests.

Specific documents:

  • Request and Complaints Procedure
  • Request and Complaints Form
  • Request and Complaints Register – we have to record who contacted us and with what request, for example a request to delete data. But here is the question: how do you register the request of someone who has asked you to delete their information? In that case you should keep only the minimum needed to prove the request was handled, pseudonymise it, restrict access to it, and otherwise keep it hidden at the bottom of the sea.
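One way to keep such a register without storing the identifier itself, as an added example that is not part of the original article: the e-mail address is replaced by a keyed hash (HMAC-SHA256) under a secret kept outside the register, so the register holds no directly identifying data while a repeat request from the same address can still be matched; the one-month response deadline of Art. 12(3) GDPR is computed alongside. The key, addresses and dates below are constructed for the example, and the in-memory list stands in for whatever storage the company actually uses.

```python
"""Pseudonymised register of data-subject requests (e.g. erasure requests).

Added example, not part of the original article. It assumes a secret key
held outside the register (here a constructed constant) and an in-memory
list as storage; a real register would persist entries and keep the key in
a secrets manager. The HMAC replaces the subject's e-mail address so the
register itself holds no directly identifying data, while a repeat request
from the same address can still be matched.
"""
import hmac
import hashlib
import unicodedata
from calendar import monthrange
from dataclasses import dataclass, asdict
from datetime import date

# Constructed secret for the example; the real one must never sit next to the register.
REGISTER_KEY = b"example-register-key-rotate-me"


def normalise_identifier(email: str) -> str:
    """Case-fold and Unicode-normalise so ' Ann@Example.com' matches 'ann@example.com'."""
    return unicodedata.normalize("NFKC", email).strip().casefold()


def pseudonymise(email: str, key: bytes = REGISTER_KEY) -> str:
    """Keyed hash of the identifier. Unlike a plain SHA-256, the value cannot be
    brute-forced from a list of candidate addresses without the key."""
    msg = normalise_identifier(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def response_deadline(received: date, months: int = 1) -> date:
    """Art. 12(3): respond without undue delay and within one month of receipt
    (extendable by two further months for complex requests). The day is clamped
    to the target month's length, so 31 January -> 28/29 February."""
    month_index = received.month - 1 + months
    year = received.year + month_index // 12
    month = month_index % 12 + 1
    day = min(received.day, monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class RegisterEntry:
    subject_id: str        # HMAC pseudonym, never the e-mail itself
    request_type: str      # access / rectification / erasure / ...
    received: date
    due: date
    status: str = "open"


class RequestRegister:
    def __init__(self, key: bytes = REGISTER_KEY):
        self._key = key
        self._entries: list[RegisterEntry] = []

    def record(self, email: str, request_type: str, received: date) -> RegisterEntry:
        entry = RegisterEntry(
            subject_id=pseudonymise(email, self._key),
            request_type=request_type,
            received=received,
            due=response_deadline(received),
        )
        self._entries.append(entry)
        return entry

    def close(self, entry: RegisterEntry) -> None:
        entry.status = "closed"

    def history_for(self, email: str) -> list[RegisterEntry]:
        """Match a new request against earlier ones without ever storing the address."""
        pid = pseudonymise(email, self._key)
        return [e for e in self._entries if e.subject_id == pid]

    def overdue(self, today: date) -> list[RegisterEntry]:
        """Open requests whose Art. 12(3) deadline has passed."""
        return [e for e in self._entries if e.status == "open" and e.due < today]

    def contains_plaintext(self, email: str) -> bool:
        """Sanity check: the raw identifier must not appear anywhere in the register."""
        blob = repr([asdict(e) for e in self._entries])
        return email in blob or normalise_identifier(email) in blob


if __name__ == "__main__":
    reg = RequestRegister()
    first = reg.record(" Ann.Smith@Example.com", "erasure", date(2024, 1, 31))
    print(first.due)                                            # 2024-02-29
    print(len(reg.history_for("ann.smith@example.com")))        # 1
    print(reg.contains_plaintext("ann.smith@example.com"))      # False
```

Rotating the key invalidates the ability to match older entries, so rotation should coincide with the register’s own retention limit; and because an HMAC of a known address is trivially recomputable by anyone holding the key, the key needs the same access restrictions the register itself would otherwise require.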

! It’s worth remembering that users can contact not only your company, but also local authorities if they believe that you are processing their personal data inappropriately. 

Of course, you should work preventively – communicate with the user and honour their rights as the regulation requires – but if a letter arrives directly from the authority, you will have to demonstrate GDPR compliance both in general and in the specific case of that user. An outsourced DPO or privacy manager will help with this communication.

STEP 5 – Regulate relations with contractors

Data transfer policies & Data processing agreements – Determine the requirements a counterparty must meet before personal data may be transferred to it, and prepare the agreements needed for such a transfer.


Specific documents:

  • Supplier Assessment Procedure – we cannot share data with just anyone, so contractors have to be vetted and shortlisted. They must meet our own requirements too.
  • Controller-Processor Agreement Policy
  • Data Processing Agreement (controller / processor, Art. 28 GDPR) or, where both parties decide on the purposes and means, a controller-to-controller or joint controller arrangement (Art. 26 GDPR) – the most important document we sign with our partners. It defines the scope of the data transferred, the conditions for working with it, and so on.

Before transferring data to a contractor, you first need to assess whether it is GDPR-compliant: in which jurisdiction it is registered, whether data may lawfully be transferred there at all, and what role it will play – controller, processor, or possibly joint controller. Appropriate procedures and contracts govern the relationship with contractors and partners regarding personal data. Once they have been developed and understood, privacy coordination should not become an obstacle when, for example, the Head of Legal signs an agreement with a new contractor.

STEP 6 – Demonstrate GDPR compliance

We create a map of personal data flows that explains the legal aspects of each stage in the movement of such data through the company’s business processes, and a presentation that demonstrates GDPR compliance.


Specific documents:

  • Data Flow Diagram – the central document showing the movement of personal data within the company.
  • Initial Mapping – a first sketch of the data flow map, updated as new business processes appear.
  • Compliance Data Mapping – here specific legal grounds are attached to the map. For example, consent allows us to use the data; the scope of that consent determines what we may do with it next; the next step may be a transfer of the data to a cloud provider under a DPA.
  • Evidence of Compliance presentation – everyone loves slides, and these slides are magical. The presentation explains the whole essence of GDPR compliance by reference to the documents the company has prepared for working with personal data. It is tidy, on letterhead and to the point.

Conclusions

Most GDPR documents are prepared in English, but those intended for public access, such as the Privacy Policy, should be translated into the language of the country where the company operates. However, correct execution alone is not enough. Policies and agreements need to be constantly reviewed and updated as business processes change, new forms of personal data processing emerge, and users provide new consents.

Some documents, such as the initial GDPR plan, may seem static, but in practice, they also change as the company grows. GDPR compliance is a continuous process that starts with an audit but never ends. It’s a daily job that makes the company stronger and helps customers manage their personal data effectively.

Moreover, implementing a real, working GDPR can be a competitive advantage. Companies that demonstrate a responsible attitude to data protection will win in the long run, as transparency and data security are what modern consumers expect.

To assess your company’s level of GDPR compliance readiness, we suggest using the checklist below. And if you need help, fill out our GDPR questionnaire and we will help you make this process as efficient as possible.

Checklist

1. Does your company process personal data?

Personal data is any information relating to an identified or identifiable natural person, for example:

  • customer phone numbers
  • IP addresses
  • cookies and other online identifiers
  • other data that, alone or in combination, may identify a person

2. Does the GDPR apply to your company?

The GDPR applies to a company if (Art. 3 GDPR):

  • it is established in the EU and processes personal data in the context of that establishment, regardless of whether the data subjects are in the EU or elsewhere and regardless of where the processing itself takes place
  • it is established outside the EU but offers goods or services to individuals in the EU (paid or free) or monitors their behaviour within the EU

To determine whether your activities are targeted at the EU market, consider:

  • availability of the website in EU languages
  • the possibility of payment in euros
  • domain registration in the EU
  • delivery of goods or services to EU countries

3. Does the company process sensitive personal data?

Special categories of data (Art. 9 GDPR) include:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data, biometric data used to uniquely identify a person, and health data
  • data concerning sex life or sexual orientation

Data on criminal convictions and offences is treated separately (Art. 10 GDPR) but is subject to comparable restrictions.

Such data requires enhanced protection and special grounds for processing.

4. Are the requirements of national law taken into account?

Each EU country may have additional requirements. 

5. Are personal data transferred to third countries?

Data may be transferred outside the EU only on one of the following bases:

  • an adequacy decision of the European Commission for the destination country
  • standard contractual clauses (SCCs) with the recipient
  • binding corporate rules (BCRs) within a corporate group
  • a derogation such as the explicit consent of the data subject, given after being informed of the risks, for occasional transfers

6. What role does the company play in the data processing process?

Your company is:

  • Controller – determines the purposes and means of data processing
  • Joint controller – determines the purposes and means together with another controller
  • Processor – processes data only on the controller’s documented instructions

Depending on the role, the company’s responsibilities and obligations will differ.

7. Does your company need a Data Protection Officer (DPO)?

A DPO is required (Art. 37 GDPR) if:

  • the company is a public authority or body
  • its core activities involve regular and systematic monitoring of data subjects on a large scale
  • its core activities involve large-scale processing of special categories of data or criminal conviction data

National law may add further cases, and a company may appoint a DPO voluntarily.

The DPO monitors compliance with the GDPR, advises the company, and acts as the contact point for supervisory authorities and data subjects. For detailed explanations, an extended checklist and a clear understanding of the next steps, read the full article at the link.
