4 Steps To Becoming GDPR Compliant

The European Data Privacy Act has recently evolved into the General Data Protection Regulation (GDPR).

Following 4 years of deliberations, sittings and hearings at the European Parliament, the GDPR was finally approved in April 2016. It becomes enforceable on 25 May 2018. From that date, any organisation deemed non-compliant will pay fines in the order of 4% of annual global turnover or €20 million, whichever is greater. At the time this article is published, all EU organisations, and non-EU organisations with EU customers, have about 11 months left to ensure compliance, but most companies are still not clear on what to do to respond to this regulation.

What are the basic steps to becoming GDPR compliant?

There are 4 steps to becoming and staying GDPR compliant:

Auditing -> Remodeling -> Continuous Compliance -> Customer Innovation

Step 1: Audit

This simply means listing all the regulation areas of the GDPR and comparing the data held in your organisation, and the way that data is used or processed, against what the regulation requires. Auditing not only requires a technical look into the tables in your SQL databases; it also requires a deep dive into the way customer personal data is used in your business processes. For instance, as a bank account officer opening a current account for a new client, do I need to know how many kids my client has? In the past, this information would probably have been used to propose an adapted family insurance plan. GDPR, however, states that any data collected must be used directly for the product or service for which it was intended. If you do collect such indirect data, the customer has to give explicit consent for the indirect purpose for which it was collected.

Depending on how diverse your organisation's range of products and services is, this step may take a long time, but it is a necessary one.

Step 2: Remodel

Once non-compliant data and processes have been identified, the next obvious step is to remodel the business processes involved so that personal data collection and processing is done in a GDPR-compliant way. GDPR classifies personal data into sensitive and non-sensitive personal data. Depending on the type of personal data, the data processing measures and regulations can differ. For example, explicit consent is required for processing sensitive data (much like a signed consent is required to stop supporting a coma patient at the hospital). For non-sensitive data, however, ambiguous consent is accepted by the GDPR.

Your objective in this step is to overhaul your business processes and data in order to ensure GDPR compliance.

Step 3: Continuous Compliance

After remodeling or reforms have been put in place to attain compliance, it is necessary to audit the new system continually. If you have appointed a Data Processing Officer, his or her role will be to ensure that all internal and external data processing remains GDPR compliant. It is important to schedule unofficial or mock audits from time to time. The essence of this step is to identify loopholes quickly and take the necessary measures. One important aspect of continuous compliance emphasised by the GDPR is the Privacy by Design concept: ensuring that any new customer-focused project (marketing, technical, commercial…) is GDPR compliant from the outset by having GDPR compliance metrics as part of its KPIs or success criteria.

In reality, this step is more of a continuous activity than a milestone. The objective is to become compliant and remain compliant.

Step 4: Customer Innovation

This step completes the compliance journey. It can only be carried out once existing processes and data have been properly remodelled. It involves providing all the customer-facing services mandated by GDPR: for example, allowing a customer to explicitly withdraw consent for personal data processing, allowing customers to exercise their right to be forgotten, giving a customer access in a readable format to ALL the personal data you hold on him or her, and putting up tools and processes that allow a third-party personal data transfer initiated by the customer (data portability). Depending on the type of product or service your organisation offers, this means integrating a number of new tools and functionalities into existing customer portals or creating new ones entirely.

If done properly, this step will not only steer your organisation towards full compliance; it will also build trust and increase your customers' confidence in the products and services you offer, while securing a lasting relationship with them.


Of course, depending on the sector and your business context, there could be more steps. The steps described above are basic and are based solely on my personal opinion. Please feel free to comment below if you object or would like to add some more information and like and share so this information can get to everyone that needs it :). Thanks.
