6 Steps to Prepare for General Data Protection Regulation (GDPR)

Here’s an important question to ask yourself… is your organisation dealing with information that belongs to EU residents? If the answer is ‘yes’, then new General Data Protection Regulation, GDPR will apply to you. It’s important that you act now, if you haven’t already.

On 25 May 2018 the General Data Protection Regulation (GDPR) will become enforceable.

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

This will affect every organisation that processes the personal data of European Union residents, including:

  • Every employer in the European Union
  • All organisations that offer goods or services to individuals in the European Union or that monitor the behavior of individuals – this includes organizations with no presence in the European Union
  • All data processors that process the personal data of European Union individuals

If your organisation is in breach of the Regulation, you can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.

The steps that you need to take to ensure compliance will be specific to your organisation, however you should start by following these 6 steps to prepare for the implementation of the GDPR*:

1. Appoint a Data Protection Officer (DPO)

Some organisations will have to appoint Data Protection Officers (DPO).

Even if you are not required to appoint a DPO, you may still need to bring someone on board to manage GDPR compliance.

2. Carry out data mapping

Data mapping involves mapping out all the organizations’ data processing activities, to get a full understanding of where the data flows.

This will allow you to come up with the most effective way to protect the information and reduce privacy-related risks.

3. Prioritise compliance actions

Determine the actions that will need to be implemented for each of your organizations’ data processing activities. Make sure that only strictly necessary personal data is collected and processed and that the legal basis for the data processing is determined.

To handle data subjects’ requests, your organisation will need to have a process in place. Under the GDPR, it is the organisation and not the consumer that must prove that they have a legal basis for retaining control of or access to the ‘data subjects’ data. If you refuse to relinquish data subjects’ data, then you are obliged to communicate why.

Ensure that privacy clauses are added to service agreements that you have with vendors/data processors, so that they are aware of the new obligations and responsibilities under the GDPR.

4. Manage the risks by conducting impact assessments

ESPC call for speakers 2024
You will need to carry out a Privacy Impact Assessment (“PIA”) for each data processing activity that may pose high risks to the rights and freedoms of data subjects.

A PIA is an evaluation of the proposed processing of personal data. If your organisation is processing personal data that is likely to result in a high risk to the data subject’s rights, a PIA must be carried out prior to commencing that processing. For a number of organisations, a PIA will be compulsory.

It is important to put in place measures to quickly respond to the main risks and threats to data subjects’ privacy.

5. Organise internal processes to ensure data protection at any time

Your organisation needs to anticipate data breaches and how to respond to incidents.

Procedures must be implemented internally, to guarantee data protection at all times, while taking into consideration all events that may occur during the lifetime of a data processing activity.

6. Document all compliance measures to prove organisation’s compliance at any time

Finally, you must collate all necessary documentation together. The actions and documents produced at each step must be regularly reviewed and updated to ensure data protection continues to be maintained.

FlowForma is revolutionizing the traditional BPM space with an innovative approach to developing BPM products that empower users to create and streamline processes, utilizing the SharePoint platform, without any coding.

Some of the processes that you can build using FlowForma BPM, to help facilitate GDPR compliance include:

  • Privacy Impact Assessment process
  • Personal data request process
  • Personal data security breach process

For more information, see www.flowforma.com or visit Stand 3 at the European SharePoint, Office 365 & Azure Conference 2017.


Shanley, D. (2017). 6 Steps to Prepare for General Data Protection Regulation. [online] Flowforma.com. Available at: http://www.flowforma.com/blog/6-steps-to-prepare-for-general-data-protection-regulation [Accessed 20 Oct. 2017].


Check out the GDPR Resource Centre for an array of helpful content

Share this on...

Rate this Post: