June 20, 2023

How to Comply with GDPR (6 Essential Steps)


Data protection compliance is a gradual, step-by-step process. It may be tempting to start drafting a Privacy Policy or encrypting data to protect your business, but without a clear roadmap of effective procedures, your company is still at risk of being fined for poor data handling. Instead, consider the following action plan:

1. Undertake a Privacy Audit or Assessment

Review your business activities and procedures. Create a comprehensive map of your data usage and any records of processing activities. Make sure you include all departments that are engaged in data processing. This typically includes HR, recruiting, marketing, business intelligence, accounting, development teams and technical support. Mapping out your data allows you to assess the risks with your current data handling procedures and figure out new measures to address them best.

2. Introduce Data Protection Policies

Using the results from your data assessment, you can start drafting relevant data protection policies including security policies and a new set of procedures for answering data requests from your users. From a technical perspective, your new policies should provide each data operation with protective measures that prevent a data breach. These measures should also control access to the data, for example, implementing two-factor authentications to prevent unauthorised access. Where required you should encrypt and mask the data and use antivirus and firewall softwares to help you monitor any threats to your data security.

3. Set Up User-friendly Privacy Policy Guides

How you interact with users on your website or software application is important. You must ensure that you have a privacy policy, cookie policy, and user-friendly guides that explain how you handle your users’ data. Legal Nodes offers a Privacy Bundle, which is a standardised solution consisting of a Privacy Policy, Cookie Policy, and guidance on a privacy-friendly user interface. For B2B startups it also includes Data Processing Agreements to protect data of client companies.

4. Introduce Data Protection Training for Your Employees

Human error is the number one cause of personal data breaches, so start building a privacy culture in your company. Familiarise your employees with basic privacy concepts and train them to perform their duties in data protection compliance.

5. Set Up Data Processing Agreements

You must manage relationships with your partner companies that receive customer data from you and work with them using appropriate data protection agreements. Another important point is international transfers: if your partners or suppliers are located in another country, this will require additional contractual safeguards to ensure the proper handling of client data.

6. Get a Data Protection Officer

Last but not least: consider whether you need a Data Protection Officer, a professional that oversees data protection compliance within the company. This role can be performed both by an internal employee or an external contractor. Learn more about data protection officers in our article on Virtual DPOs.

Privacy compliance is not just about measures, it’s about the mindset of you and your company. If you treat your clients’ privacy as a company value, data protection can become your competitive advantage.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Explore our GDPR packages for startups

Get started

Vlad is Head of DPO Product @Legal Nodes and a certified (CIPP/E, CIPM, FIP) privacy specialist. He's currently doing a PhD study on the topic of AI and personal data protection.

Explore popular resources