To meet the requirements of the General Data Protection Regulation (GDPR) before May 25, 2018, the first and most important step is for your business to gain a good understanding of the content of the legislation, how it affects your business, and what it takes to reach that goal.

When the project begins, the first task is to find out what types of personal data your business owns or processes on behalf of other companies. There are two main categories of personal data:

  • Personally identifiable information (e.g. name, address, phone number and email)
  • Sensitive data (e.g. religion, sexuality, ethnicity and union membership)

Then you should ask yourself:

  • What type of personal data do we have internally?
  • What type of personal data do we have access to through third-party companies?
  • Do other companies have access to our personal data?
  • Do we have employees or third-party companies that have access to personal data outside the EU?


There is no need to hold more personal data than necessary, so limiting it is a good idea:

  • What do we use the different types of personal data for?
  • Do we need to have these types of personal data?
  • For which kinds of personal data are we the data owner, and when are we the data processor?
  • Do we have data processing agreements and do we obtain consent for storing personal data?


When the above questions have been clarified, the last questions are as follows:

  • In what physical and digital systems do we have personal data?
  • How is this data available?
  • What processes do we currently have for personal data?


The above process helps ensure that your business asks the right questions, so that you get a 360° view of your data.

If your organization is very complex, you can split the task into smaller tasks, either by organizational unit or by type of personal data, so that everything is covered.


Once your company has gained an overview of the amount of personal data, processes and systems, it is time to follow this model:



Project organization

The GDPR spans law, compliance and IT. It is therefore necessary to involve all the relevant people in the process, so that everyone gains an understanding of the regulation and can help your business reach the goal of the project. Because the project also cuts across different professional groups, it is difficult for some people to have the necessary insight.

The most important element for success is that the project is anchored in management and has its support. After that, a project manager and project participants must be appointed.


Time schedule

May 25, 2018 is the cut-off date under the law. This means that your company must comply with the requirements of the regulation, and the data protection authority will be responsible for auditing companies and will also be the investigating party if your company has leaked personal data.

Whether your company runs the project as a compressed process or more ad hoc is up to you. However, it is always hard to do it ad hoc, as you often have to start with a recap, whereas a more compressed project makes it easier and faster to reach the goals. A compressed project does, however, require that project participants have time freed up, or that you use external consultancy from, for example, GlobalSequr.



It’s very hard to put a precise figure on what it will cost your business to reach the goals of the GDPR. It depends on a number of factors, such as the amount of personal data, the company’s complexity, the number of systems, and whether your business has previously worked in this area.

Most importantly, however, your company should decide how much you want to hand to specialists and how much you want to do internally. It is possible either to outsource most of the project or to have GlobalSequr help manage the project, deliver templates, provide quality assurance, etc.


If your company is not used to working with ISO27000 or the old General Data Protection Regulation, it is possible to read the full text of the GDPR and send people from your company to courses. This can definitely be a part of the solution in large organizations, while most companies will be too big to buy a GlobalSequr turntable that is tailored to your business.

By following this guide, your business has uncovered the most important areas and planned as much as possible during this phase of the project. The next phases will therefore deal with how you can safely achieve the goals of the GDPR.