GDPR Guide
Step-by-step GDPR compliance for organizations — practical, actionable, and jargon-free.
This guide walks you through the key steps of GDPR compliance for small and medium-sized organizations. It is not legal advice — for your specific situation, consult a qualified data protection professional.
- 01
Appoint a Data Protection Officer
Determine whether your organization is legally required to appoint a DPO (Art. 37 GDPR): a DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic large-scale monitoring of individuals, and for large-scale processing of special-category or criminal-conviction data. National law may set additional, stricter thresholds. If not mandatory, consider an external DPO as a best-practice measure. The DPO must have expert knowledge of data protection law, must be able to operate independently (no instructions on how to perform the tasks, no dismissal for performing them), and must be notified to the supervisory authority and published as a contact point (Art. 37(7)).
- 02
Create a Record of Processing Activities (RoPA)
Document all personal data processing activities in your organization (Art. 30 GDPR). For each activity: what data is processed, for what purpose, on what legal basis, by whom, for how long, and with which third parties.
- 03
Establish lawful bases for all processing
Every processing activity must have a valid lawful basis (Art. 6 GDPR): consent, contract, legal obligation, vital interests, public task, or legitimate interests. Consent is often not the best choice: it must be freely given, specific, informed and unambiguous (Art. 4(11), Art. 7), it can be withdrawn at any time, and withdrawal must be as easy as giving it, so any processing you cannot afford to stop should rest on another basis. Where you rely on legitimate interests, record the balancing test. Special categories of data (health, biometrics, political opinions, etc.) additionally need one of the conditions in Art. 9.
- 04
Review and update your privacy notices
Your website privacy policy and all privacy notices must meet Art. 13/14 GDPR transparency requirements. This includes identifying the controller, DPO contact, legal bases, recipients, retention periods, and data subject rights.
- 05
Implement Technical and Organizational Measures (TOMs)
Document your security measures under Art. 32 GDPR: encryption in transit and at rest, pseudonymisation where feasible, access controls, backup and restore procedures, device management, and staff training. Art. 32 also expects a process for regularly testing, assessing and evaluating these measures, so log the tests (restore drills, access reviews, vulnerability scans) alongside the measures themselves. TOMs must be proportionate to the risk of the processing, taking into account the state of the art and the cost of implementation.
- 06
Sign Data Processing Agreements (DPAs)
Any third-party service provider that processes personal data on your behalf is a "processor" under Art. 4(8) GDPR and requires a DPA (Art. 28 GDPR). This includes cloud providers, payroll systems, email marketing tools, and IT service providers. The DPA must cover the mandatory Art. 28(3) content: processing only on documented instructions, confidentiality of staff, security measures, prior authorization of sub-processors, assistance with data subject requests and breaches, deletion or return of data at the end of the contract, and audit rights. If the processor or a sub-processor is outside the EEA, the transfer also needs a Chapter V mechanism (adequacy decision, standard contractual clauses, or another approved safeguard).
- 07
Train your employees
Training and awareness-raising of staff involved in processing is one of the DPO's tasks under Art. 39(1)(b) GDPR, and Art. 32(4) requires you to ensure that anyone acting under your authority processes personal data only on your instructions. All employees who handle personal data should understand their obligations, including how to recognize and escalate a data subject request or a suspected breach. Repeat training regularly (at least on joining and at fixed intervals) and document attendance and content as evidence of compliance.
- 08
Handle data subject requests
Put in place a process for responding to data subject rights requests (Art. 15-22 GDPR): access, rectification, erasure, restriction, portability, and objection. The standard response deadline is one month from receipt (Art. 12(3)), extendable by two further months for complex or numerous requests if you inform the data subject within the first month. Verify the requester's identity proportionately before disclosing data, respond free of charge unless requests are manifestly unfounded or excessive, and make sure the process reaches every system and processor holding the person's data, not just the main database.
- 09
Prepare for data breaches
Establish an incident response procedure. Personal data breaches must be reported to your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (Art. 33 GDPR), unless the breach is unlikely to result in a risk to individuals. Breaches likely to result in a high risk must also be communicated to the affected individuals without undue delay (Art. 34). Processors must notify the controller without undue delay (Art. 33(2)), so your DPAs and escalation contacts should make this workable in practice. Keep an internal breach register documenting every breach, including those you decided not to report and why (Art. 33(5)).
- 10
Maintain and update your compliance
GDPR compliance is not a one-time project. Review your RoPA, privacy notices, and TOMs regularly, and whenever you introduce new processing activities, tools, or business processes. Where a new activity is likely to result in a high risk to individuals (for example large-scale profiling or systematic monitoring), carry out a Data Protection Impact Assessment before starting it (Art. 35). The accountability principle (Art. 5(2)) requires you not only to comply but to be able to demonstrate compliance, so keep the documentation current.
Need help implementing these steps?
AGIDAT supports organizations through every stage of GDPR compliance — from initial assessment to ongoing external DPO support.
Free initial consultation