
Short answer: To comply with the GDPR, your organisation must process personal data lawfully, transparently, and securely. This requires a clear overview of your data, well-defined procedures, and the right technical and organisational tools. Whether you’re a small business or a global corporation, the same principles and obligations apply.

GDPR put in practice

The GDPR is the EU’s unified data protection regulation. It applies to all organisations that process data about individuals in the EU – regardless of where the organisation itself is located. The purpose of the GDPR is to strengthen data protection by giving individuals greater control over their personal data and by ensuring that companies handle data responsibly. As a result, the regulation sets out both rights for individuals and duties for you as a data controller.

Studies show that almost 50% of UK companies have experienced a cyber attack

- www.gov.uk

What types of data are we talking about?

When we talk about data protection under the GDPR and information security more broadly, it’s not just about traditional personal data. Several types of sensitive information must be taken into account:

Special category (sensitive) personal data
This includes data such as health status, religion, sexual orientation, trade union membership, ethnic background, and biometric data. These require additional protection, as misuse can have serious consequences for the individual.

Personal data and PII (personally identifiable information)
Names, email addresses, home addresses, phone numbers, IP addresses and similar – in short, any data that can identify an individual. These fall under GDPR and must be handled with care.

Sensitive business documents
This includes internal files with confidential information about employees, customers, strategy or finances – such as salary data, complaint cases or draft contracts. Even if these documents don’t contain personal data, they may be commercially sensitive and must be protected accordingly.

Together, these are the types of data your organisation should identify, secure, and document its handling of.

Principles of the GDPR

The core principles found in Article 5 of the GDPR should guide all of your organisation’s data practices:

  • Lawfulness, fairness and transparency – You must have a legal basis for collecting and using data, and the data subject must be informed.

  • Purpose limitation – You may only use the data for the purposes declared when it was collected.

  • Data minimisation – Only collect and retain the data you truly need.

  • Accuracy – Keep data accurate and up to date.

  • Storage limitation – Delete data when it is no longer needed.

  • Integrity and confidentiality – Protect data from unauthorised access, loss or misuse.

  • Accountability – You must be able to demonstrate that your organisation complies with all of these principles.


Step-by-step GDPR compliance guide

This section outlines the fundamental steps your organisation should take to prepare for GDPR compliance. The guidance is based on information provided by the Publications Office of the European Union, combined with practical tips.

1. Map your data
Start by identifying which personal data you collect and process. Where is the data stored (emails, documents, systems)? Who has access? And why do you hold it? This is often called a data flow or data mapping. A data discovery tool can help you locate sensitive data – including forgotten or hidden files.

2. Be transparent and document your practices
People have the right to know how their data is used. That means you need clear privacy policies and properly documented, understandable consent. Internally, you should document your data handling: how data is deleted, who has access, and how security is managed.

3. Set data retention limits
GDPR requires that personal data is not kept longer than necessary. Define retention periods for different types of data – for example, five years for payroll data, 12 months for unconsented marketing leads, etc. Implement automatic deletion or archiving wherever possible.
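Steps 1 and 3 describe two checks that a data discovery tool automates: finding where personal data sits, and flagging records held past their retention period. The script below is an added example written for this guide; it is not Safe Online’s DataMapper or any other product code. The regular expressions, the sample files, the reference date and the file categories are all constructed for illustration, and the retention limits are the ones this guide uses as examples (five years for payroll, 12 months for unconsented marketing leads).

```python
"""Minimal data-discovery and retention check over a constructed file inventory.

Added example for this guide; not code from Safe Online or DataMapper.
"""
import re
from datetime import date

# Illustrative detectors for common personal-data patterns (assumed; a real
# discovery tool uses many more patterns plus validation of each match).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b(?:\+44\s?\d{4}|\(?0\d{4}\)?)\s?\d{3}\s?\d{3}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Retention policy per data category, using the periods this guide gives
# as examples. Categories not listed here are reported, not deleted.
RETENTION_DAYS = {
    "payroll": 5 * 365,
    "marketing_lead_unconsented": 365,
}


def find_personal_data(text):
    """Return {pattern_name: [matches]} for every pattern that hits."""
    hits = {}
    for name, pattern in PII_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def retention_status(category, last_modified, today):
    """Return ('keep' | 'delete' | 'unknown_category', days past the limit)."""
    limit = RETENTION_DAYS.get(category)
    if limit is None:
        return "unknown_category", 0
    age_days = (today - last_modified).days
    if age_days > limit:
        return "delete", age_days - limit
    return "keep", 0


def build_inventory(files, today):
    """Map each file to the personal data it holds and its retention status."""
    inventory = []
    for f in files:
        hits = find_personal_data(f["content"])
        status, over = retention_status(f["category"], f["last_modified"], today)
        inventory.append({
            "path": f["path"],
            "category": f["category"],
            "personal_data": sorted(hits),   # which kinds of data were found
            "status": status,
            "days_over_limit": over,
        })
    return inventory


# Constructed sample files and a fixed reference date (not real data).
TODAY = date(2025, 6, 1)
SAMPLE_FILES = [
    {"path": "hr/payroll_2018.xlsx", "category": "payroll",
     "last_modified": date(2018, 4, 30),
     "content": "Jane Doe jane.doe@example.com salary 42000 tel 07700 900123"},
    {"path": "hr/payroll_2024.xlsx", "category": "payroll",
     "last_modified": date(2024, 4, 30),
     "content": "Ann Smith ann.smith@example.com salary 45000"},
    {"path": "sales/leads_march.csv", "category": "marketing_lead_unconsented",
     "last_modified": date(2024, 3, 15),
     "content": "lead,bob@example.org,last seen from 203.0.113.7"},
    {"path": "legal/contract_draft.docx", "category": "contracts",
     "last_modified": date(2025, 5, 20),
     "content": "Draft terms: 12-month term, pricing confidential"},
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_FILES, TODAY):
        print(row)
```

Run as-is, the script reports the 2018 payroll sheet and the March 2024 lead list as overdue for deletion, shows which kinds of personal data each file contains, and marks the contract draft as an unknown category so a person decides its retention rather than the script. Hooking an archiving or deletion action onto the "delete" rows is the "automatic deletion or archiving" the step asks for; keeping the report is part of the documentation the accountability principle requires.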

4. Secure data with technical and organisational measures
Protect data from unauthorised access or breaches. This can include:

  • Encryption of files and emails

  • Access controls and role-based permissions

  • Regular updates and antivirus protection

  • Clear security policies for staff

Also remember to train your employees – they are your first line of defence.

5. Handle data subject requests properly
Individuals have the right to access their data (DSAR), or to request deletion, correction or data portability. You must respond within 30 days. Set up a clear process to receive, verify and respond to requests.

6. Manage your third-party vendors
Any supplier processing data on your behalf (such as cloud services or HR systems) must be GDPR-compliant.

  • Sign a data processing agreement (DPA)

  • Assess their security and compliance levels

  • Conduct regular reviews – especially if the vendor is outside the EU

7. Appoint someone responsible
It’s important to have a dedicated person overseeing data protection – such as a Data Protection Officer (DPO) or GDPR lead. This is not mandatory for all organisations, but it’s highly recommended if you process large volumes or sensitive data.

8. Assess risks before starting new projects
Before launching any new activity involving personal data (such as video surveillance, AI, or new platforms), carry out a Data Protection Impact Assessment (DPIA). This helps identify risks and ensures your initiative aligns with GDPR requirements.

Need help managing personal data?

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

The easy way to comply with GDPR for SMBs

GDPR can seem complex, but once you have control over your personal data, access rights and documentation, the task becomes far more manageable. At Safe Online, we’ve developed three tools that help you comply with GDPR in practice. Our tools are designed to support the three most essential parts of the process: locating personal data, sharing data securely, and managing data requests efficiently. This gives you a complete and practical solution that makes it much easier to work with GDPR in a structured way in your daily operations. Our tools are:

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily


Sebastian Allerelli
Founder & COO at Safe Online

Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.
