Privacy (GDPR)

11 simple (but complete) steps towards the GDPR compliance in 2020

The General Data Protection Regulation (GDPR) is a Regulation issued by the European Union and formally came into force on 25th May, 2018. In the UK, the GDPR was implemented by the Data Protection Act of 2018, which replaced the existing UK Data Protection Act (DPA) of 1998.   

What is the aim of GDPR

The aim of GDPR is to provide even stronger rights to individuals in dealing with organisations that hold their data. Personal data is defined as anything that relates to a natural person – a living human being. It will include names, identifiers, biometric data, images, and any IP/Internet related data. 

There is also a new category of sensitive personal data. This includes; political, religious, Trades Union, philosophical, health and sexual aspects. 

The individuals are provided with a system of rights to ensure control over their data. One of such examples can be the ‘Right to be Forgotten’ – that is, that their data, upon request can be permanently deleted. 

The ‘Right to be Forgotten’ is not an absolute right, but will be allowable in many circumstances. In addition, the Data Subject – the person whose personal data is held - has the following rights:

  1. Enhanced right to information and transparency;
  2. Right of access and rectification;
  3.  Right to object against the processing for marketing purposes;
  4. Right to restriction;
  5.  Right to data portability.  

data subject rights

Some of the larger companies have significant problems as they have added products and services over many years, using discrete and individual systems in silos to capture customer details. They may have also grown their businesses through acquisition (inheriting different systems) and this has resulted in bi-furcated views of their customers. 

Hence many cannot easily obtain a ‘Single Customer View’. This is particularly the case within Financial Services. 

What does an organisation need for the GDPR compliance?  

The analogy I like to use is that of obtaining a driving licence. You always need to start off by first learning how to drive. The better you can drive, the easier it is to pass the test. 

Equally, no amount of learning the Highway Code in itself will enable you to pass. In the same way, the more efficient you are with the handling of your data – knowing where it is, making it secure, avoiding duplication and having transparent and simple processes will greatly assist with compliance. 

So what can be done to ensure compliance and accrue the business benefits in so doing?  Well, there are a number of steps that can be taken right now. 

The GDPR compliance roadmap:

Step One – Do I process any personal data?

First of all, you need to establish if you do in fact process any personal data. As stated, this is defined as any information relating to an identifiable natural person. 

If you do not capture any of this information then you will not be affected. If you look at this closer, however, you are likely to reveal that you process personal details of your employees, customers, shareholders or any other affected individuals. Thus, avoiding the processing of personal data is rather unlikely.

Step Two – Are we the Controller of Processor – or both

The second step is to decide if you are acting as Controller or Processor. 

This is of particular concern if you are sending data outside of the EU for processing, see below. Outsourcing of the payroll to the accountants is another example. 

The controller is the organisation that determines the purposes and means of processing personal data and the processor is responsible for processing personal data on behalf of the former. 

The example of the controller can be a website owner that collects data through a contact form, whereas the processor will be a CRM provider, whose CRM is connected for handling the contact details.

Step Three – Undertake an Audit

The third step is to undertake an audit of all personal data held. This can be achieved by the completion of a Data Inventory that details both the processing and the storage of data. 

You will need to produce a matrix of who does what to which data, why and how and at which frequency.  The use of Data Mapping, a technique to understand and document the flows of data within and without the organisation is essential. 

data mapping

Step Four – Is any processing outside of the EU?

You will also need to ascertain whether any data is processed on your behalf outside of the EU – by a processor, on your behalf. If so, you will need to look at the contracts and ensure that the processes and procedures are GDPR compliant. 

Step Five – Produce a Gap Analysis

From the Data Inventory and with a full understanding of what personal data is held, the fifth step is to produce Gap and Risk Analysis. This will establish what needs to be done and help with prioritisation by factoring in the risk. 

Step Six – Education, Training and Communications

The sixth step is to ensure that your staff are educated about the GDPR. The Regulation is all about putting data protection awareness at the centre of an organisation. There is plenty of material on the web, especially that published by the ICO (a UK’s data protection authority). 

Step Seven – Handling Requests from Data Subjects

The seventh step is to make sure that you are aware of and ready to comply with the data subject rights as described above. These are to have in place a process to handle Subject Access Requests or any other interaction with regard to personal data.

Step Eight – Anonymisation and Pseudonymisation of data 

The eight step is to see if you can anonymise or pseudonymise the persona data to reduce the risk of a data loss. Anonymisation is the most secure. This involves storing data into a form that does not identify individuals. 

Pseudonymisation is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. This greatly reduces the risk of data loss or exposure. 

anonymized and pseudonimized data

Step Nine – Implement the appropriate governance

The Ninth Step is to put in place the right governance. The data governance must ensure that the work that you have undertaken to achieve compliance is maintained and that future proposed changes include Data Protection by Design and Data and Protection Impact Assessments to account for and assess the risk to personal data.

Step Ten – Ongoing audits 

Finally, ensure that you undertake audits to provide evidence that you are maintaining vigilance, take into account the decisions that will be published by the ICO on the subject and look at their Guidance Notice. 

Also, investigate some of the software that already exists and is being developed to help you with granular level GDPR data identification. All of this will provide evidence that you are putting the Data Subject’s rights at the top of your priorities. 

Step Eleven – A Risk-based Approach

At all times think about the exercise from a risk perspective. This will help to utilise resources most effectively, especially as these will tend to be limited. 

In Conclusion

In conclusion, GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies accrue but being able to state with confidence that you are GDPR compliant will give you an edge over your competitors. 

Hayes Associates Limited has been providing consultancy in Business Process Analysis, Project Management, Information Management & Governance, Data Protection and latterly GDPR to SMEs and international organisations since 1988. We have developed an effective and efficient approach to ensuring compliance.


Disclaimer: information in this article is provided for informational purposes only. You should not construe any such information as legal, business, tax, investment, trading, financial, or other advice.

Thomas Hayes,


Need a lawyer in this area?



United Kingdom

9 years in information management and data protection

Tom has managed large Information departments and specialised in Information Management...

Legal Nodes Blog

Privacy (GDPR)
Cookie Policy: How to Track Website Users Lawfully

The recent study of the Nederlandse Omroep Stichting (the ‘NOS’), a Dutch news media, showed that more than 1,300 Dutch websites violate the privacy of their users. The violation found by the NOS is simple - the users cannot use the websites wit...

Legal Nodes Team
For Startups
Why Your Startup Needs a Founders' Agreement + Template 2021

Founders Agreement – the key step to set clear intentions for you and your partners and to avoid misunderstandings in the future. In a new post on the Legal Nodes blog, we explain what a Founders Agreement is, reasons for your startup to prepare...

Legal Nodes Team
For Startups
Terms of Use that your users will actually read

In this article Legal Nodes Team talks about Terms of Use, how to write them effectively and why you need them in the first place. You could find a FREE template at the end of this article....

Legal Nodes Team
Privacy (GDPR)
How Can You Leverage a Privacy Kit More Effectively?

In this article, Punit Bhatia, a leading privacy expert, shares how small businesses can become privacy compliant by using Privacy Kits in an effective and why just branding the documents and templates in name of your company is not a good idea....

Punit Bhatia
Legal Nodes Updates
Legal Nodes in 2020: A Year in Review

Despite the fact that for many 2020 will be strongly associated with the coronavirus pandemic and lockdown measures, it would be a mistake to forget all the good things that happened this year. Especially when the festive season approaches, and ...

Legal Nodes Team
Privacy (GDPR)
Internet data mining. Is it legal in the EU?

Data mining is the process of collecting and analyzing human-readable data for own purposes. More and more businesses are built on that concept, scientists and medics also use automatically combined data from different sources to spawn predictio...

Ewa Wojnarska-Krajewska
Privacy (GDPR)
11 simple (but complete) steps towards the GDPR compliance in 2020

The GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies...

Thomas Hayes
Contract Work
Force Majeure Clauses and the Effect of Coronavirus on Businesses

The coronavirus pandemic has made force majeure clauses one of the hottest legal topics worldwide. To help businesses navigate this issue, we asked Tom Bohills, an English qualified lawyer and the Founder of Chronos Law, to explain the backgrou...

Tom Bohills
Privacy (GDPR)
Privacy Policy: Everything you need to know

Privacy Policy (or Privacy Notice) is a public legal statement of the company. It explains how the organisation uses information about its users, customers, or employees....

Legal Nodes Team