Privacy Ref Blog

How Privacy Ref is getting GDPR Ready

The General Data Protection Regulation (GDPR) becomes enforceable in less than a year. Businesses around the world that actively participate in the markets of the European Union are scrambling to comply with the new law. We at Privacy Ref have been looking at how best to assess an organization's readiness for compliance with the different articles of GDPR, and we have found an easy-to-understand way to meet this challenge.

Know what matters

The best way to minimize inefficiency in an assessment is to define the scope before anything else. Some parts of your business may not need to meet GDPR's requirements because they do not handle personal data coming from, or concerning, a data subject in the EU. These areas of the business can be set aside until the parts that are more directly affected, and therefore carry more risk, have been examined.

Gather Information

Now that you know what is being checked, review every policy, notice, and formalized privacy procedure you can obtain. Also review organizational documents such as organizational charts, codes of conduct, employee handbooks, and privacy-related training materials, to name a few. These artifacts provide insight into how the organization operates and serve as the baseline for the assessment.

Compare the documents to the GDPR requirements and look for areas that need adjustment to be compliant. Once this is done, it is time to speak to the key individuals identified within the organization.

Discuss their daily activities, what kind of data they handle, where that data came from and where it is stored, and check whether their practices follow the written policies. The individuals you meet with will span the organization's operations. Marketing, IT, Human Resources, Finance, and Customer Service will be important to speak with, but the departments touched will vary by organization. Pay special attention to any function that is a shared service across lines of business, since a gap there affects every line of business that relies on it. Compare the interviewees' answers against the policies and against GDPR; you can then start the heavy lifting of the assessment.

Applications and Processes

The programs and processes used every day all consume data in order to work. This can be as simple as processing a data subject's address to ship out their order. Check each of these processes or programs individually and compare it to GDPR. What kind of data does it use? Where did that data come from, and on what basis is it processed? Does the process respect the rights of the data subject? These are some of the questions you need to ask.

At Privacy Ref we have constructed a GDPR Compliance Workbook that facilitates recording the status of compliance with each GDPR requirement, together with the evidence supporting that status.

Each requirement's status is recorded by topic. In some cases the status of the same requirement is gathered more than once. For example, the way the right to be forgotten is implemented in one application may differ from how it is implemented in another, and both may differ from the guidance given by the Data Protection Officer. The requirement must be viewed from each of these perspectives.

Preliminary and Final Conclusions

Once you have all your findings, you need to analyze them. See where you are strong and where you need to improve your compliance with the law. From there, begin creating a plan of attack, a road map for how you want to further develop your program. Prioritize the biggest tasks and address the minor details as you go. You will find that by handling the big fish first, many of the smaller details get fixed as an indirect result.

At Privacy Ref, our assessments always include identifying the gaps you will need to fill to be compliant, as well as a risk-based list of recommendations on how to proceed to close those gaps.


Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information, call Privacy Ref at (888) 470-1528 or email us at

Posted on June 14, 2017 by Ben Siegel
