10 Steps to GDPR

10 Steps to GDPR

Author Gary Hibberd

The General Data Protection Regulations (GDPR) is a dramatic shake-up of data protection laws that affects European and UK citizens and comes into force on May 25th 2018.

In less than a year how you collect, store, share and erase the Personal information you hold on individuals will change. Are you ready for it? So how do you start the process of becoming GDPR compliant? What are the first steps you need to take?

Follow this simple 10 step guide to achieve your GDPR.

Step 1


Senior management need to be behind the decision for GDPR. There is definite value in communicating this internally, it enforces the company’s aspiration to pursue best practice.

What is needed? Concise and positive briefing to senior management outlining benefits and how it provides a platform for business growth.

Step 2

Appoint a DPO

Someone needs to be assigned the role of ‘Data Protection Officer’ within your organisation. Article 37 of the Regulations provides guidance on the designation of the role

The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

The DPO is a critical role within your organisation and will provide support and guidance related to all matters of data protection and information security best practices. The skills and qualifications required are not to be underestimated, with the ICO themselves stating that this will soon become a whole new professional service in the years to come.

What is needed? An impartial, experienced, qualified person.

Step 3

Assign a Project leader

The company appoints a responsible and knowledgeable manager to run the programme and implementation. This person will become the company’s GDPR specialist, understanding the controls and milestones needed.

What is needed? Selection of the right individual with a specific job description and knowledge of Data Protection and GDPR requirements. Someone impartial who is not actively not involved in the process of data processing/operation.

Step 4

Gap Analysis and Risk Assessment

You need to start to understand just how close to compliant you are. Performing a Gap Analysis requires your project leader to understand the new Regulations but also what is required to address the gap. The Gap Analysis should consider all the Principles and ‘Articles’ of the Regulation and seek to understand what you need to do to close any gaps.

What is needed? The gap analysis all in scope PII, people, processes and technology performed by a qualified auditor. Understanding the maturity of controls and risk profile.

Step 5

Scope & Implementation Plan / What is PII?

The review of output from the gap analysis allows the business to validate the scope of implementation and the functional / operational boundaries. ‘Personal Identifiable Information’ (PII) is defined. Important milestones, time requirements, dates for any pre assessment and staged audits are set.

What is needed? A step by step concise guide to explain the GDPR process in sufficient detail.

Step 6

Employee Introduction

It is important to engage with employees from the beginning to ensure they buy in to the GDPR process and respond appropriately. It also helps them to understand the individual, company and client benefits.

What is needed? A short and easy-to-understand  GDPR briefing that focuses on how employees are affected and their role in the successful implementation.

Step 7

Data Inventory

Develop a Data Inventory that details what you hold, where it is held, who has access to it, why you need it and when it will need to be erased. If you don’t know what you have – how can you protect it?

What is needed? An inventory of the Personal Identifiable Information in your organisation.

Step 8

Create a ‘Data Flow’ Map

In order to ensure you capture the Personal Identifiable Information in your organisation you should develop a ‘Data Flow Map’.

What is needed? A map that shows how the Personal Identifiable Information in your organisationdata is collected, held, transferred and erased.

Step 9

Develop a ‘Data Breach Process’

If you don’t already have a ‘Cyber Security Incident Response Plan’, then now’s the time to develop one and ensure it incorporates requirements set out by the new Regulations (e.g notifying Subjects who have been impacted and soon as practicable and the ICO within 72hrs).

What is needed?  A detailed cyber security incident response plan with appropriate contractual Service Level Agreements.

Step 10 

On Going Management

Compliance is not just a project but is an ongoing process of continual improvment.

What is needed? Continuing management of the process.


There is a lot of work to do. Or is there? It’s very difficult to tell unless you take a close look at your organisation now. We have a saying in Agenci

You can’t protect what you don’t understand.

The new Regulations places data subjects (you and I) at its core. They are expecting organisation who hold PII in all its forms to take responsibility and accountability for the protection of the data they hold.

Personally, I think it’s long overdue. Professionally, I’m intrigued to see how this will play out.


Agenci is responsible for protecting businesses from cyber threats, cyber-attack, internal threats and business outages. Agenci are committed to helping business prepare for the GDPR and for putting in controls (such as ISO 27001) to prevent data breaches and cyber incidents occurring.

Speak to a member of the team now on

03455 760 999

We would love to help you, ask for Gary:



10 steps to GDPR