Author: Maili Torma

The date when the General Data Protection Regulation (GDPR) entered into force, May 25th, came and went with many companies still unsure about what needs to be done to be compliant with the GDPR. There are 5 steps a company needs to have taken or be taking now to ensure that they have achieved or are on the way achieving compliance with the GDPR.

1. Data mapping

The GDPR requires a company to know what personal data they process, to what purposes and on what legal grounds for that a company has to map their data processing. Defining and knowing a lawful base of processing is very important for a company to design proper tools to manage personal data. For example if any of the personal data processing is based on consent, a company needs to in place have a process in place how to ask, document and enable withdrawal of consent.

2. Data inventory

Article 30 of the GDPR also requires companies to document their personal data processing but putting together a data inventory is not only useful to achieve compliance with the GDPR it can also be a useful tool to map and record a company’s information assets. In addition to complying with the obligation to document the personal data processing, a well put together inventory helps to respond correctly to data subject requests about the data a company holds about them, identify which third parties data is sent to and if proper contracts are in place with these third parties.

3. Privacy notice on your website

Once a company has identified what personal data they process and documented it accordingly, they need to inform their clients, customers, website users, fans, members and the public of what, for what purposes, on what legal grounds and for how long they process personal data. Articles 13 and 14 contain the requirements as to what a privacy notice has to include.

4. Internal rules for personal data processing

While the privacy notice informs your clients and other external interested parties, a company also has an obligation to inform its employees of how their employees data is processed, the requirements of article 13 of the GDPR also apply to the information to be given to the employees.

In addition internal rules of work need to contain rules for employees how they must deal with personal data of clients, customers and other external parties.

5. Reviewing contracts with your service providers and partners

The GDPR sets a requirement that between the companies that transfer personal data between there needs to be a contract in place. The contracts need to define who is the controller and who is the processor, rights and responsibilities of each and also include instructions of the controller to the processor.

If you need further information or assistance on the any of the above, please feel free to contact our data protection specialist Maili Torma at