Recommended steps:

  • carry out a data mapping analysis
  • run an information / data protection / compliance gap audit regarding your current data processing procedures
  • it should include the review of existing privacy policies, information notices, technical and organisational measures, security measures, supplier arrangements and contracts, etc.
  • based on the audit, implement all necessary changes to your existing procedures and develop an internal data protection compliance system for future data processing



The General Data Protection Regulation (“GDPR”) introduces an accountability principle as one of the leading obligations for data controllers.

For this reason, after May 2018, companies must be able to demonstrate compliance with all obligations pursuant to the GDPR.

This article deals with the first part of the procedure – an analysis of your current data and your current processes.


  1. An analysis of your current data – data mapping

In order to develop a proper data protection scheme, you first need to know what type of data you have been processing.

For this reason, you may run a data mapping analysis.

Data mapping includes several steps:

  1. determine all categories of personal data you process
  2. determine any transfers or flows of personal data to, inside and from the company


The advantages of data mapping:

  • it helps you determine all locations in which you process personal data and makes it easier to determine which national legislation you are obliged to comply with
  • it helps you to determine if you transfer personal data to other countries; if you do so, there might be special rules for these transfers
  • it helps you to keep records of personal data you process
  • benefits for internal processes – efficiency, mitigation of risks, etc.


  2. Carry out an audit

Based on your data map / inventory, you may now carry out an audit of your compliance with data protection legislation.

The audit may include these activities:

  • determine if all grounds for personal data collection you used are still applicable under the GDPR, in particular consents, purposes of data collection, time limits, etc.
  • analyse your current privacy policies and ensure they support the transparency of your data processing and inform the users about their rights to object, access data, erase data, etc.
  • review your supplier arrangements and contracts and determine if they need to be updated based on new obligations under the GDPR
  • review and implement all appropriate technical and organisational measures for data protection and data security
  • use the services of an external data protection officer or a consultant to help you ensure compliance
  • based on the audit, implement compliance instruments, such as data protection by design and by default, records of processing activities, data protection impact assessments, data protection officer, etc.



The information or data protection audit should help you get a better look at your personal data and data processing procedures. It should also help you comply with the obligations of the GDPR.


To determine the specific list of obligations for your company, you have to consult a data protection consultant or run a data protection audit.

In case of further questions, do not hesitate to contact us at: