12 Steps to become GDPR Compliant

Last Updated at: Dec 23, 2020


It is important that an organization follows the GDPR without fail. The regulation aims to protect the personal data of individuals (your customers, users and employees) and to hold the organizations that process it accountable. Entrepreneurs who have just started their business need to know the steps required to become a GDPR-compliant organization.

The General Data Protection Regulation consists of 99 articles that set out the regulation in full. Because every organization is different, no single checklist can guarantee compliance; the steps below are a starting point that each organization must adapt to its own processing.

Browse through our articles on services provided at Vakilsearch, and just let us know if we can help you with your company registration, tax filing or trademark registration.

The UK Information Commissioner's Office (ICO) has published a document recommending 12 steps that organizations should take to prepare for GDPR compliance.

12 Steps to become GDPR Compliant


  1. Documenting the data: Document all the personal data you hold, where it came from, and whom you share it with. The practical way to do this is an information audit: list every category of personal data you process, its source and its purpose. Separating the data into categories makes the remaining steps easier. Every category must be processed on a lawful basis. Consent is one such basis but not the only one (performance of a contract, a legal obligation and legitimate interests are others); if you rely on consent and the consent you already hold does not meet the GDPR standard (freely given, specific, informed and unambiguous), obtain it afresh. Tell clients/customers which kinds of communication you will send them and let them choose which they want.
  2. Cookie policy: Under GDPR, a cookie or similar identifier that can single out an individual is personal data, and using it is processing of personal data. Your company's cookie policy must state which cookies the website sets and what each is for. Non-essential cookies need an opt-in: load analytics tracking scripts only after the client/customer has consented, and make withdrawing that consent as easy as giving it.
  3. Record of consent: Keep a record that shows who consented, when, how (web form, email, paper), and what they were told at the time, and also who declined or later withdrew consent. You need both sides of this record to demonstrate compliance and to make sure processing stops for those who have not agreed.
  4. Update the procedures: Check your procedures to ensure that you can provide individuals with their personal data in a commonly used, machine-readable format, and that you can delete their data on request. Update your procedures so you can handle those requests within the required timescales: usually one month, extendable by a further two months for complex or numerous requests, provided you tell the individual within the first month.
  5. Consent of clients/customers: Store only the personal data you actually need for a stated purpose, and only where you have the consent of the client/customer or another lawful basis for it. Without one, you may not store the data.
  6. Data storage duration: GDPR sets no fixed period. The storage-limitation principle requires that data be kept in identifiable form for no longer than necessary for the purpose it was collected for. Once that purpose is fulfilled, delete or anonymise the data. If you keep it for another lawful reason (for example, a tax-record obligation), document that reason and tell the individual in your privacy notice.
  7. Deletion of account: When an account is deleted, delete the personal data associated with it, unless the person consents to you retaining it or you have another lawful basis (such as a legal retention obligation) for keeping specific records.
  8. Data breach: Make sure you have procedures in place to detect, report and investigate a personal data breach. A breach that is likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of your becoming aware of it, and where the risk is high the affected individuals must be informed without undue delay.
  9. Data Protection Officer (DPO): Designate someone to take responsibility for data protection compliance. Appointing a formal DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data; many other organizations appoint one voluntarily. Publish the DPO's contact details and inform your users.
  10. Data retention: Create a data retention schedule that states how long each category of data is kept and why, backed by a data destruction policy, so that data reaching its retention deadline is periodically and verifiably destroyed.
  11. Encryption of records: Encrypt the disks of desktops, laptops and portable media that hold personal data, and keep a record of the physical security of data held on paper files, USB disks and the like. GDPR names encryption and pseudonymisation as appropriate technical measures, and data that is lost in encrypted form may not need to be reported to the individuals concerned.
  12. Rights of the clients/customers: Under GDPR, clients/customers have the right to be informed, the right to erasure, the right to rectification, the right of access, the right to data portability, the right to restrict processing, the right to object, and rights related to automated decision making and profiling. Make sure your company can honour each of these rights.
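Most of the steps above are procedures rather than code, but three of them have to be implemented by an engineering team: the record of consent (step 3), the retention schedule with periodic destruction (steps 6 and 10), and the access, portability and erasure requests (steps 4, 7 and 12). The following is an added example, not code from this article, from Vakilsearch or from the ICO: a minimal in-memory personal-data register with a consent log, a lawful-basis check on storage, a retention purge and a subject export in JSON. The category names, retention periods and sample records are constructed assumptions for illustration, not legal guidance.

```python
"""Added example (not from the article, Vakilsearch or the ICO): a minimal
in-memory personal-data register. Category names, retention periods and
sample records are constructed assumptions for illustration only."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

# Hypothetical retention schedule (step 10): category -> maximum retention
# measured from collection. These periods are assumptions, not legal advice.
RETENTION: dict[str, timedelta] = {
    "order_history": timedelta(days=365 * 6),   # e.g. a tax-record obligation
    "marketing": timedelta(days=365 * 2),
    "support_tickets": timedelta(days=365),
}


@dataclass
class ConsentEvent:
    """One entry in the consent log (step 3): who, for what, when, and how."""
    subject_id: str
    purpose: str
    granted: bool
    recorded_at: datetime
    method: str  # e.g. "web_form", "email", "erasure_request"


@dataclass
class Record:
    """One item of personal data together with its source (step 1)."""
    subject_id: str
    category: str
    source: str
    collected_at: datetime
    data: dict


class DataRegister:
    def __init__(self, now: Callable[[], datetime]):
        self._now = now  # injectable clock so retention can be tested deterministically
        self.records: list[Record] = []
        self.consent_log: list[ConsentEvent] = []

    def record_consent(self, subject_id: str, purpose: str, granted: bool, method: str) -> None:
        self.consent_log.append(ConsentEvent(subject_id, purpose, granted, self._now(), method))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The latest event for this subject and purpose wins; no event means no consent."""
        latest = None
        for ev in self.consent_log:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def store(self, record: Record, lawful_basis: str) -> None:
        """Refuse to store consent-based data unless consent is on record (step 5)."""
        if lawful_basis == "consent" and not self.has_consent(record.subject_id, record.category):
            raise PermissionError(f"no consent from {record.subject_id} for {record.category}")
        self.records.append(record)

    def purge_expired(self) -> int:
        """Destroy records past their retention deadline (steps 6 and 10); returns the count removed."""
        now = self._now()
        kept = [r for r in self.records if now - r.collected_at <= RETENTION[r.category]]
        removed = len(self.records) - len(kept)
        self.records = kept
        return removed

    def export_subject(self, subject_id: str) -> dict:
        """Access / portability (step 4): everything held on one person, as a plain structure."""
        return {
            "subject_id": subject_id,
            "exported_at": self._now().isoformat(),
            "records": [{"category": r.category, "source": r.source,
                         "collected_at": r.collected_at.isoformat(), "data": r.data}
                        for r in self.records if r.subject_id == subject_id],
            "consent": [{"purpose": ev.purpose, "granted": ev.granted,
                         "recorded_at": ev.recorded_at.isoformat(), "method": ev.method}
                        for ev in self.consent_log if ev.subject_id == subject_id],
        }

    def export_subject_json(self, subject_id: str) -> str:
        """The same export in a commonly used, machine-readable format."""
        return json.dumps(self.export_subject(subject_id), indent=2)

    def erase_subject(self, subject_id: str) -> int:
        """Right to erasure (steps 7 and 12): drop the data and log consent as withdrawn."""
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        for purpose in sorted({ev.purpose for ev in self.consent_log if ev.subject_id == subject_id}):
            self.record_consent(subject_id, purpose, False, "erasure_request")
        return before - len(self.records)


def build_demo() -> tuple[DataRegister, dict]:
    """Constructed sample data on a fixed clock so the behaviour is reproducible."""
    clock = {"now": datetime(2020, 12, 23, tzinfo=timezone.utc)}
    reg = DataRegister(lambda: clock["now"])
    reg.record_consent("u1", "marketing", True, "web_form")
    reg.store(Record("u1", "marketing", "signup_form", clock["now"],
                     {"email": "u1@example.invalid"}), lawful_basis="consent")
    # A seven-year-old order kept under a hypothetical legal obligation: it is now
    # past the six-year retention period and due for destruction.
    reg.store(Record("u1", "order_history", "checkout",
                     clock["now"] - timedelta(days=365 * 7), {"order": 17}),
              lawful_basis="legal_obligation")
    return reg, clock
```

Run `reg, clock = build_demo()` and then `reg.purge_expired()`, `reg.export_subject_json("u1")` and `reg.erase_subject("u1")` in turn to see the three procedures applied to the sample data. The consent log is append-only and erasure is recorded as a withdrawal event rather than by deleting log entries, so the register can still demonstrate afterwards that processing stopped and why; a production system would additionally persist the log, enforce the retention purge on a schedule, and cover backups and copies held by processors.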

Personal data is a critical asset and must be protected properly. Follow the steps above to bring your organization towards GDPR compliance. The GDPR exists to protect the personal data of individuals, and your customers' trust depends on how you handle it. You can also hire a professional to work on GDPR compliance for you.