The 3 most important things you need to account for in order to become GDPR compliant



The General Data Protection Regulation (GDPR) is a European law that protects the privacy of European citizens on the one side and helps to create awareness in processing personal information on the other. Thanks to GDPR, CISO’s like you have a lot of extra work to do. The amount of administrative proceedings that result from the GDPR is huge, your organisation provides resistance and time has run out! After all, since May 25th 2018 the organisation had to be in accordance with GDPR.

This article describes the first three steps that every sensible CISO will take immediately. In our checklist we will discuss these three steps in more detail and will talk about the necessary follow-up steps.

GDPR is all about awareness

The legislator wants organisations to think about the processing (collecting, editing and documenting) of personal information. It does not matter whether we are talking about information about customers, leads or employees. In all cases we are dealing with personal information.

Within the GDPR the legislator therefore attaches a lot of value to reducing the amount of personal information as well as to map the potential risks. Next to this, measures to prevent data leaks,  verifying the effect of these measures and reducing the damage are important theme’s. Acting inaccurate or concealing incidents can lead to high fines.

We are talking about a data leak when sensitive personal information ends up in the wrong hands. In most cases, data leaks are the result of human errors without intent. For instance if someone sends a file to the wrong email address or shares sensitive information through a public service. The lack of a good privacy policy will intensify data leaks.

“The goal of GDPR is to create awareness on how to interact with personal information. We can see this in the fact that the legislator punishes not reporting a leak with a higher fine, than for the leak itself.” Erick van Veghel, CISO.

How do I start?

Start by putting together the right team. Nowadays, most organisations stock their information digital.  Many different systems and applications use this information and share it. The team that is going to advise your organisation on the new GDPR legislation has to have the right knowledge on board. Ideally, the core of your team exists of one legal expert, one privacy expert and one IT employee. In their work they will involve all the responsible managers and a specialist per department.

1. Acquiring understanding

Chu Chao, lawyer at HVG Law, advises starting with mapping your current data streams. Because there can be many data streams it is wise to start with the most important or most sensitive data streams. Here you need to ask questions like:

  • Which data do we collect, and where?
  • Where and how do we store this data?
  • Who receives or has access to this data?

This way you will get an understanding of the infrastructure and systems of your organisation.

2. Determining the impact on your organisation

Once you have mapped all the data streams of your company you need to mirror them to the GDPR by using a gap-analysis. In doing this you look at the current situation and compare it with the desired situation. This comparison will give you a set of measures that are necessary in order to fill up the gaps. In some cases there are existing policies that you just have to update. In other cases you need to start from scratch and create your own policies. It is sensible (but not always obligatory) since this based on a register.

Maintaining your processing register

If the company you are working for has 250 or more employees, you need to describe all changes of personal information in an internal register. If the organisation you are working for has less than 250 employees only a registration obligation is needed if:

  • Risky changes have occurred, for instance automatic profiling for targeted marketing or an automated rejection of health insurance.
  • An organisation processes sensitive information, for instance medical information.
  • An organisation processes a very great amount of information.

If you set up your processing register according to the regulations, you immediately comply with the registration obligation within the GDPR. The register can be managed in anything from a spreadsheet to a specialized software solution. The content of the register is bound by rules. Our checklist on GDPR compliance gives more detailed information on this matter. It should be clear that information in your register needs to be up-to-date and complete.

3. Creating and maintaining a policy

The processing register gives you an understanding of the processed personal information and obliges you to think about which personal information you are storing, why you are doing this and how you can protect this information. This is the foundation for the creation of an additional policy. According to Chu Chao, the reason the legislator does this is to make sure that we take privacy very seriously and are willing to think about which data we want to gather and store and why we want to do so. The term “data minimisation” is very important here. This means only storing the data that we really need with a minimal retention period. This is in strong contrast with how many organisations are working right know. Nowadays many companies have some kind of the following policy: “We store everything and as long as possible, you never know when you are going to need it”.  As a result of this, many companies see privacy as a burden. This illustrates the fact that we have gone a bit too far in the gathering of personal information. The GDPR corrects this.

Based on the register you will create a transparent privacy policy for both your clients (external) and your employees (internal). After this you make this policy accessible for all involved. This policy has a goal to inform those involved beforehand about the personal information that you have been gathering and to point them to their rights. At least, this document has to contain the following information:

  • The identity and contact information of the person responsible for the information. In most cases this is your company. If you have a privacy officer, the contact information of this person needs to be mentioned as well.
  • The goal of the processing of the information and the legal basis for this.
  • The third party that receives the information. If this party is located outside the European Economic Area (EEA) extra security measures need to have been taken in order to ensure the handover outside the EEA is permitted.
  • The retention period of the personal information.
  • Information concerning the rights of those involved, this includes:
  • The right to restricting, access, correction and deleting of the information.
  • The right of data portability, for instance to take along data from one organisation to another.
  • The possibility to retract processing permission, for example by using the opt-out function in an email.
  • The possibility to put in a complaint with the authorities.

An internal privacy policy also contains guidelines for employees concerning the use and security of sensitive personal information within the organisation. This internal privacy policy is often included in the employee handbook, which is included in the work contract. Besides this the internal privacy policy can often be found on the intranet of a company and is easy to consult for employees.

In order to make sure that all the employees will live up to the guidelines in the privacy policy, it is necessary that all the privacy rules are becoming part of their daily practice. Repeated training is needed for all employees that are dealing with personal information, not only the managers. If you make your colleagues aware of the privacy related risks in their work and combine this with easily accessible, user-friendly tools wherewith you can significantly decrease the risk of incidents, you have set a few huge steps towards an organisation that is fully GDPR compliant!

Checklist GDPR

We have described all the necessary steps you have to take in order to meet the GDPR legislation in our checklist. This document elaborates on things like creating a processors agreement, getting permission for processing personal information and security measures that have to be taken.

Written by
Picture of Francis Mustert

Francis Mustert

Francis studeerde Communicatiewetenschap aan de Universiteit van Amsterdam. Na haar stage bij Vodafone kreeg ze de smaak te pakken en startte zij haar Master Corporate Communication. Daarna ging zij in MKB aan de slag waar zij zelfstandig alle facetten van de marketing en communicatie opzette. Bij ZIVVER vindt ze de gedreven ondernemendheid aanstekelijk. Het meeste energie krijgt zij van kansen signaleren en ten volste benutten. Waarom? Omdat stilstand achteruitgang betekent. In haar vrije tijd staat Francis graag op het volleybalveld, maar geniet ook van de derde helft. Daarnaast maakt ze graag één keer per jaar een mooie reis.

Originally published on June 29, 2018

Last update on December 12, 2019