Need GDPR guidance? 10 tips to stay compliant

The General Data Protection Regulation (GDPR) has revolutionised laws that protect ‘personal information’ and altered how businesses and public sector organisations can store and utilise data relating to their customers. Established companies have gone through a complex process of becoming compliant over the last 12-18 months. But what if you have just started a business, maybe GDPR guidance is what you need.

We have listed the top ten tips to become GDPR compliant.

  1. Data Mapping

Knowing how data moves within your organisation is the key to understanding how to protect it. Identifying where data comes from, the type of data, the reason for storing that data and how it is handled and processed will allow you to recognise areas where you could have compliance problems with GDPR.

  1. Consider GDPR compliance tools

There are many IT and software companies that can advise you on GDPR and provide data discovery tools, consent management systems, self-assessment toolkits and comprehensive data management platforms, which can help you for compliance.

  1. Privacy Policy

Your privacy policy needs to be up to date with GDPR, this is the first thing that people check when they look for GDPR breaches. Your privacy policy should clearly state the legal basis for processing data, retention periods, customers’ right to complain if data will be subject to automated decision making and customers’ rights under the GDPR.

  1. GDPR Training

Providing GDPR guidance and training to your staff is critical to achieve compliance and avoid breaches and the resulting penalties. Your employees need to understand the value of GDPR, the regulations and how to implement them in their day to day job. A lack of awareness from your employees could cause a breach of GDPR and cost your business an expensive fine.

  1. Consent procedures

Make sure that your website forms and any other registration form contain an opt-in checkbox where users can that clearly state their wish to receive marketing communications in the future.

  1. Data transfer and disclosure

If you work in a business where data is transferred to a third party, then you will need to be transparent about this. Moreover, your third-party data processors will need to ask for approval whenever they intend to transfer data outside the EU/EEA.

  1. Data Protection Impact Assessment (DPIA)

If you are managing data through a high-risk process, such as large-scale profiling, or you are managing sensitive data, such as biometric and genetic data, you need to conduct a DPIA. This should describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals, and identify any additional measures to mitigate those risks.

  1. Legitimate Interest Assessment

Can you send your contacts communications? Under GDPR you can if there is consent or legitimate interest, this needs to be pursued in a way that complies with data protection and other laws.

  1. Designated GDPR Officer

If your organisation is involved in regular and systematic monitoring of data subjects on a large scale, or in processing sensitive personal data on a large scale, you will need to have an internal designated GDPR officer.

  1. Monitor and Audit

GDPR and privacy regulations are continuously evolving. It is important to be up to date on the latest requirements and how they will impact your operations. A GDPR guidance service can help you identify gaps and monitor various aspects of GDPR such as information security and incident response.


Covenco Recovery Services helps firms with the information security measures necessary for GDPR compliance. To find out more please click here.