GDPR: Where do I Start?

The following is a list of considerations and questions to help get you started on your GDPR journey. In addition, we have provided links to websites that provide policy and document templates that your organization may want to consider adopting for meeting the GDPR requirements.

  1. Start by evaluating where and how your company processes and stores Personal Data. Be sure to consider different Personas such as:

    1. Marketing and Sales Prospects

    2. Website Visitors

    3. Customers

    4. Employees

    5. Job Applicants

  2. What does your Legal counsel or Legal function look like today?

    1. Since the GDPR is a legal regulation, plan to implement it in partnership with your Legal function rather than as a purely technical project.

  3. Do you have a Data Protection Officer?

    1. You can find out more about the requirements of a DPO here https://gdpr.eu/data-protection-officer/

  4. Determine if your organization needs an EU Representative. This applies when you have no establishment in the EU but still offer goods or services to, or monitor the behavior of, individuals in the EU (Article 27 GDPR).

  5. Review or create your public-facing Privacy Policy, which tells prospects and visitors what Personal Data you collect on your website, why you collect it, and how you use and share it.

    1. Work with your Legal function to confirm this policy aligns with the GDPR.

  6. Review or create your product Terms of Service and customer-facing Data Processing Agreement (DPA) to address your data protection obligations toward customers.

  7. Create a vendor-facing DPA to put in place with your sub-processors, or ask your sub-processors for their DPA. Sub-processors are third-party vendors who will have access to Personal Data as part of your company’s service offering. The best place to start is to answer the question ‘Where does our user data go as part of their use of the service?’

  8. Complete two key Record of Processing Activity (ROPA) documents. (Additional guidance here)

    1. Core application and sub-processors involved in providing this application. This is more formal documentation that builds on the question in Step 7.

      1. Be sure to consider any processing of data the GDPR treats as special categories of Personal Data (Article 9): for example health, genetic or biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data about sex life or sexual orientation. Processing these requires an additional lawful basis under Article 9 and extra safeguards beyond those for ordinary Personal Data.

    2. Marketing and Sales operations:

      1. Where does someone’s data go when they sign up for a demo or contact your sales team?

      2. How do your sales and marketing teams input Personal Data into your CRM and how is it used?

      3. How do your sales teams respond when a prospect asks them to delete their data?

  9. Ensure you have a method for individuals to exercise their privacy rights, such as setting up and monitoring an email inbox at ‘privacy@[companyname].com.’ You’ll want to establish a process for handling data subject requests that come to this email, such as ‘Delete My Data.’ The GDPR requires you to respond without undue delay and in any event within one month of receiving the request; this can be extended by two further months where requests are complex or numerous, provided you tell the individual about the extension within the first month (Article 12(3)).

  10. Use the Drata application to centrally track all activities, processes and documentation you’ve developed to comply with GDPR.

Below are additional websites for guidance on the regulation as well as documentation templates:

NOTE: When adopting templates from the websites provided, you should always have your legal team review the documents you have created from the templates to ensure that documents are appropriate for your organization’s specific facts and circumstances. In addition, we cannot guarantee that the templates provided will meet specific requirements of the GDPR. This document should not be interpreted as legal advice.
