Knowledge that creates value for you
Easily achieve compliance with GDPR.
There’s no need to pay for costly lessons when you can stand on the shoulders of others' experience.
Practical data protection is an increasingly established discipline that we have had the pleasure of practicing for many years.
To help guide you in the best possible way, we have assembled a classic implementation process in the boxes below.
If you have any questions about the individual steps, feel free to contact us – it’s free of charge.
GDPR implementation in practice
Management commitment is crucial for GDPR compliance, as it ensures that data protection is prioritized strategically and integrated into the company’s core processes.
When management leads by example, employee awareness and engagement increase, and a culture of data protection is established. Management allocates the necessary resources for compliance, such as training and technology, and ensures the proper implementation of policies.
Additionally, management’s support enables continuous monitoring and improvement, as well as effective risk management and response to data breaches, which helps avoid fines and reputational damage.
One of the key prerequisites for effective implementation and compliance with GDPR is a shared understanding of risk.
It is fundamentally important that everyone in the organization understands that GDPR is about protecting the rights of citizens to live as freely as possible.
GDPR is, for example, about the risk of being taxed incorrectly because income or property information is wrong. It’s also about the risk of sitting in a queue at the road tolls on the Great Belt Bridge because your payment hasn't been registered.
And of course, GDPR is also about the risk of being passed over for a job because it becomes known that you are soon to become a parent.
GDPR is one of those tasks where resource consumption can spiral out of control if it is not managed from the start.
If you want to quickly complete the implementation and move into the easier operational phase, the recommendation is clear: Allocate the necessary resources at the outset to gain an overview of the entire implementation process and related resource requirements.
If everything has gone according to plan, you now have management's support for the GDPR effort and a shared understanding that it is about protecting people's rights by handling their personal data responsibly.
The next step will be to gain an overview of your organization from a GDPR perspective, so you can filter out tasks that are not relevant and focus on what is necessary.
GDPR is essentially about the management of information about other people.
Therefore, it is important to focus on the management of the information, expressed as processes.
This could include processes such as 'handling job applications,' 'conducting sick leave interviews,' or any other activities you carry out as part of your operations.
It is rare for a single person to possess all the knowledge about the processes in which you manage information about others.
We therefore recommend that you involve those of your colleagues who are most familiar with the individual workflows. They are important allies in the ongoing work of defining the scope of the GDPR tasks.
You are now well on your way to handling the GDPR work within your organisation.
Management is on board, the understanding of risks is consistent, sufficient resources have been allocated, and in collaboration with your colleagues, you have gained insight into the processes where you manage information about other people.
The next step is now to examine which tools are used in the organization to handle personal data.
We recommend that you start with the individual activities and speak with your colleagues about which IT systems, folder structures, and possibly physical media they use in their daily work.
It should be noted that it will rarely be sufficient to just talk to IT about this. This is because IT usually does not have a complete picture of which systems are actually being used within the organization.
Your work is now progressing faster and faster. The processes, personnel, and systems are under control.
The next step is to clarify which hardware is being used. In this context, it is important to think broadly and outside the box.
Most people naturally use the equipment provided by their workplace, but it does occasionally happen that personal devices are used.
We therefore recommend striving for an open, honest, and unbiased discussion about which equipment is actually being used.
The dialogue has been productive. Colleagues have shared extensively about the systems and hardware they use in their daily work. This is perfect, as the next step is to identify the organization's data controllers.
Building on the above, it is essentially a matter of routine work to note which external organisations are involved in the organization's handling of other people's information.
The next step would be to investigate whether there are data processing agreements in place with all of them.
"Safety first," as they say. It just doesn't hold up in practice.
Before implementing security measures, it is important to assess what is actually needed. What you want to know is whether the way the organisation manages other people's information presents risks to those individuals. For example, it could be a lack of management commitment, leading to the protection of the data subjects not being prioritized. It could also be that the organisation is so busy that there is no time to ensure that information is always sent to the correct recipient.
No matter where the issue lies, it must be documented so that it can be included in the mapping of the GDPR work.
Congratulations! You are now at the final step of the implementation process.
This is where the top management is presented with the mapping of the organization's management of other people's personal data, and most importantly, this is where top management steps in and decides whether the identified risks should be accepted or mitigated.
If there are risks that need to be addressed, there will naturally be follow-up actions for their specific management. This could include, for example, adding the correct privacy policies to the website, implementing a lawful cookie banner, or drafting common guidelines for the management of personal data.
The implementation is finished. You now have a clear and, most importantly, accurate overview of the organisation's management of personal data.
The fact is, however, that this otherwise clear and accurate picture does not stay accurate on its own: it will lose its value over time if it is not actively maintained.
The ongoing work of maintaining an accurate picture and continuously reporting and managing the risks that arise can be best compared to training for a marathon. The longer the gap between each training session, the harder the next one becomes.
We therefore recommend that a plan be made for the ongoing maintenance and that the work be carried out collectively.