GDPR Roadmap

Just like climbing any other mountain, we take one step at a time – and make sure to take the fastest, safest, route.

Navigate this roadmap

  1. Data-mapping
  2. Documentation
  3. Governance and SOP:s
  4. Educate your team
  5. Risk-based continuous improvement



roadmap steps

Having trouble getting started – or feel like starting over?

You’ve come to the right place! Our vision is to help as many organizations as possible and the most painful thing we know is the calls we get where someone is struggling because they got off to a bad start.

Still confused or have better things to do? We’d honestly prefer you do this yourself (long term the best results) but we are here to help, as much as you want us to. Send us an email and we’ll set things up!

1. Data mapping

Ah, yes, the dreaded data-mapping…

… but let’s get this straight from the start (tough love): If you don’t properly find out and start by documenting what you are doing, how do you imagine the following steps will look? Don’t spend resources creating documentation based on imaginary processings, you will have to do it all over again later (“If you don’t have time to do it right the first time, how will you ever have time to do it over.“).
Done properly, you will not only have the easiest time creating a lawful and transparent use of personal data, but also get rid of much unwanted data and corresponding risks.

“Who we have information about, what we are doing with this info, and why

Get your team together

You may have drawn the shortest straw and am expected to do this yourself, but unless you are a true one-(wo)man-show, you will need to involve your colleagues to the extent they want to keep accessing personal data at all.

Your first message should be: “Don’t worry, I got this, and you won’t have to give up any personal data, but we need to get our books in order so that we can answer any questions about this appropriately. The more you need this data the more you’ll want to help me because anything we do not document is technically unlawful and risk getting shut down.”

Start with ONE person. Get that person on board and reasonably happy with the result and process before going to the next. This is how you start building support internally (“Mark has done a great job with personal data for marketing, you can also ask him for advice…”).

Ask these questions

There are many questions that need answering but if you get (just) these two right, you can generally figure out the rest. So don’t burden your colleagues with long questionnaires.

1. Who do we have information about? (e.g., do we perhaps have customers; soon-to-be-customers/prospects; employees; …?)

2. For each of these categories of people (GDPR calls them “data subjects”), what are our reasons for needing this information, this data (GDPR calls using information for a specific purpose a “Processing Activity”)?

We’ll use the answers to these two questions in the following steps, building a lawful processing.

Records of Processing Activities

GDPR requires you to document each lawful processing in a so called Records of Processing Activities. EU Supervisory authorities may ask you for this, but (almost) more importantly this is the basis for pretty much all other GDPR documentation. You can document your processing activities in accordance with Article 30 GDPR in excel, with pen and paper, or you can make things easier on yourself and use our app (let us show you).

2. Documentation

Unfortunately, this is where many projects start, oblivious to what the documentation should be tailored to. This is as silly as writing a driver’s manual for a car you have no idea about.

But not you, because you started with the Data-mapping. Good job!

The GDPR requires you to show compliance, and the way you will notice this is when…

… A supervisory authority asks for:

  • Your records of processing activities;
  • Documentation supporting you having responded properly and on time to any request for access, rectification, deletion, or objection by a data subject (person you have information on);
  • Data Protection Impact Assessments;
  • Prior (Supervisory Authority) consultations where needed;
  • Internal and external Data Breach reports.

…. and for where data subjects (e.g., employees, website visitors or customers) ask for:

  • the Privacy Policy;
  • you Cookie Policy;
  • information on where the personal data originated when you contact them;
  • their rights under GDPR.


Don’t let all these “requirements to show compliance” weigh you down. Instead, think of how great it is that you do not only have to create all this documentation but also to show it to the people that care the most – your customers, colleagues, etc…

“We don’t want to brag, but we kind of have to…”

3. Standard Operating Procedures, and walking the walk…

It is important to note that your records should reflect what is really being done, rather than your end goal and “wouldn’t it be nice”. Think of it as you book-keeping, you don’t document what profits you would’ve liked to realize but rather what is actually the case.

So, even if your records show some lack of compliance, you are at least not in breach of the transparency requirement and in double jeopardy. Hopefully you do not stop here, and aim at making sure that your use of personal data is not only transparent but also follows the regulation.

You make sure of this by creating operating procedures and setting internal rules (and external by contract, when you use contractors) to make sure that the personal data you use will only be used for documented, lawful, purposes. Let’s delve a little deeper into what that actually means…

‘Whenever we have signed a contract (“lawful basis”) with a customer (“data subject”) to deliver a car (“purpose”) we need a delivery address, payment details, and identification on the person signing off on the delivery (“personal data”). No more no less and when this has been achieved the data only lives on in our book-keeping and with our sales team for a limited time in order for them to follow-up on post-purchase and sell winter tires. The sales person responsible will inform the customer of this processing and refer to our online Privacy Policy for more information.’ [somewhat simplified but covering most of it]


One way to make it easier for each function within your organization to adapt their day-to-day to GDPR is to create simpified “Playbook” for common activities involving personal data. Ask us and we’ll share some examples, free of charge.

Templates for Data Subject Rights

Each lawful processing acitivty comes with its own rights and obligations. Anyone you have personal data about may contact anyone at your company and ask for both information and changes to the processing. It is important that these questions and requests are handled properly and where necessary taken care of by someone with a deeper knowledge of the GDPR. The general deadline for requests to be answered is 1 month but for some cases this is much shorter. For instance where the processing is short-lived, or where a data breach has occured. We’d be happy to share some templates with you but the more tailor-made these templates are the less time you will spend figuring out how a general template applies to this persons angry question. As with many things, you can chose to do your ground work properly and have a good time later, or rely on general documentation and spend many hours later on when things get real and specific.

External parties - such as suppliers

Having properly adapted to and created an efficient GDPR environment, you really don’t want to invite your suppliers to ruin your party and reputation.

There are many pitfalls to avoid, but the top three are:

  1. Allocation of Controller/Processor (not) being done on a Processing Activity level (what this means is that each party are usually Controller for one processig activity and Processor for another – the roles are always decided per processing activity and never on a “per company” level and always based on factual circumstances rather than what is simply stated.) Making an error here is in breach of both not having the formally required documentation in place and in misleading the data subjects (very bad).
  2. Not matching the contents of the contract to your actions. If the contract states that one party is the Processor for a processing activity and end up deciding when to delete the data, or to use it for product development, or anything really, they will be a de facto Controller and unlawfully so. And vice versa.
  3. Using a template (even a good one) without adapting it to the processing (e.g., stating that “suitable safeguards must be in place” without specifying in what way or on what level, or that “the Processor will help with data breach reporting” without regulating who bears this cost or indeed how fast this shall be done and in what manner (very bad, since the Controller only has 72 hours to get this done)).
Company Group processing and sharing of personal data

Companies within a Company Group often share personal data and there is usually no problem with this. The important thing to document and govern is which Company (or Companies, jointly) decides what the personal data is used for and how long.

The formal requirements for sharing personal data applies the same to companies within a Company Group, both in terms of contracts (“DPA”s and Data Sharing Agreements) and in transparency requirements. A Company Group Privacy Policy will be a good cornerstone (and if done properly fulfil the requirements of a Data Sharing Agreement where needed).

4. Educate your team – considering the human factor

Even the best laid plan and documentation can be wasted if your colleagues are in the dark. Even before your work is done, book a training session for the management team, key personnel and eventually the rest of the staff (at the very least customer-facing staff), to inform of:

  1. The basic (data subject) rights and (company) obligations following GDPR
  2. Present (and where to find) supporting documentation and inform of where and how to escalate questions internally
  3. That all new systems processing personal data must be signed off by the privacy function/team.
  4. … and answer questions.


One way to make sure the very basics of using personal data are obvious to everyone in your organization is to buy a company licence to our GDPR e-learning.

5. Keep up to date and reactive

“Are we there yet” is not the question to ask, although we feel you…

GDPR allows for a risk-based approach to “never ending compliance”, where of course you cannot claim that one thing was completely overlooked (and still postponed years after GDPR came into effect) for the benefit of another, but at least you are not supposed to do everything at once. Important to remember is that the “risk” is the risk to the data subject, and not to your company – although with a healthy customer/employee/etc relationship they often go quite hand in hand.