Eight steps to get your firm GDPR compliant

The General Data Protection Regulation (GDPR) entered into force throughout the European Union on 25 May 2018 and will enter into force in July/August 2018 in Norway. All businesses that hold personal data that either directly or indirectly can be used to identify a person, need to follow the new regulation.

Even though you might feel your business is not ready for GDPR, there are some steps you can take and issues you can easily address to become compliant. The penalty for GDPR non-compliance is up to €20M, maximum 4% of annual global revenue of the organisation.


The aim of the GDPR is to protect citizens from privacy and data breaches.


Elin Mathisen, Partner in Berngaard/Sandbek, underlines: “Keep in mind that personal data comprises any information related to a physical person that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. This means that even the smallest companies with a few employees and/or a few customers must implement GDPR in their organisation.”


Mathisen advises firms that are preparing for GDPR compliance and has prepared a GDPR compliance package with training particularly aimed at small and medium-sized companies. She says “Companies should first and foremost understand the basic principles of GDPR. Then involve every department in the organization, not only management and IT.”


Mathisen also points out that “It might be difficult and time consuming to navigate through all the GDPR-information available from the Data Protection Agencies. If you still haven’t got anyone to assist you in making your firm GDPR compliant, it could be useful to get help.”


Elin Mathisen lists eight main points for firms to note as they prepare for GDPR:


1. Become responsible

The Regulation includes provisions that promote responsibility, so we advise organisations to make an inventory of all the personal data they hold and examine it under the following questions:

  • Why are you holding it?
  • How did you obtain it?
  • Why was it originally gathered?
  • How long do you need to retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Do you ever share it with third parties, and on what basis might you do so?


2. Review personal privacy rights

Data subjects have several rights pertaining to the way organisations collect and hold their data. These include:

  • The right to be informed
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right to access


3. Keep staff and customers informed

When collecting personal data from staff, customers or service users, you need to inform them about what kind of personal data you are collecting and their rights.


4. Learn about legal grounds

You need to have a lawful ground to process data.

There are six lawful grounds for processing data:

  • Consent
  • Necessary for the performance of a contract
  • Compliance with a legal obligation
  • Vital interests
  • A public task
  • Legitimate interests

Most organisations currently use consent by default, but the GDPR toughens the rules for getting and keeping a valid consent. Even if you get a consent from an employee, it’s not necessarily accepted as a lawful ground. Organisations should learn when these grounds can be sought and adjust their data collection policies appropriately.


5. Be prepared to delete your data

The GDPR embodies a "right to erasure" in place of the "right to be forgotten" that already applies within the European Union. In specific situations, subjects can request that their details be removed from your database entirely. Make sure to have routines ready for completely removing subjects from your databases.


6. Plan for data breaches

One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of discovery and provide them with as much detail as possible.


7.  Document your routines

It is important that you can document your compliance with GDPR. These are the documents you should consider preparing:

  • Records of processing activities
  • Privacy policy
  • Risk assessment
  • Data processing agreements
  • Routines


8. If you are a tech-company you also need to consider 

  • Privacy-by-design 

Organisations should adopt a privacy-by-design approach to data protection.


  • Data Protection Impact Assessment (DPIA).

DPIAs help organisations see how changes to the business will affect people’s privacy, and their results can be used to anticipate and mitigate problems well in advance.


If you have questions regarding these eight steps or need help to become GDPR compliant, please do not hesitate to contact us.