5 Steps to GDPR Compliance


Audit all of the data you possess and understand how it moves within your company.


➠ What personal data do I store?

Ex: First name, last name, email address, IP address, a cookie ID*

➠ Who is responsible for it?

➠ Where is personal data stored?


Map where all of the personal data in your entire business comes from and document what you do with it and who can access it. Be aware that your data can come from many different sources: website visitors, subscribers (newsletters, blog, emails), people who click on your ads or even employee information.


Ex: All names, addresses, emails and phone numbers of your tasting room visitors are stored in an excel file on the computer owned by the company. You regularly send them a newsletter and special offer. You should list who has access to the file. Also, specify a start date and a purpose for the listing and information collected.



In compliance with GDPR, the data processor must store personal information of individuals for the shortest time possible depending on the purpose and legal obligations. What data points to retain and how long to retain them must be justified and unnecessary data should be deleted.


➠ What are we saving this data for?

➠ How long have we had this data?


Ex: You possess a list of emails, phone numbers and addresses from leads gathered during an exhibition in France 5 years ago. Can you justify the purpose of storing this data today? If not, it’s better to delete it from your system.

All data stored needs to be justified and relevant. GDPR prioritizes data minimization, meaning that less data is safer.



Under GDPR, individuals have 8 rights: They can be informed about, access, rectify, delete, block, object, or move their data, or refuse automated decision making. You will need to establish procedures for how you will handle each of these situations like consent and disclosure forms. Data protection authorities can ask to see data at any time, and so can your customers.


➠ What is the process if an individual wants his/her data to be verified, transferred or deleted?

➠ How will you ensure that data is deleted across all platforms?

➠ How will you ensure that the data is secure?

➠ How do you report a security breach of data?


Best Practice: Keep a log of processing activities in writing or electronic form.



Privacy Policy: Review your policies and make sure your data use is as transparent as possible. You should include the following information:


➠ Name and Contact of your Data Processor (it can be your business)

➠ Specify if you use profiling in the processing of your data

➠ Mention if you transfer data internationally

➠ Mention the 8 rights of the individual regarding his/her data


Consent Forms: Key features of the GDPR-compliant consent form include who is collecting the data, how it will be used, opt-ins for each marketing use, and how a subscriber can ask for their data to be removed.


Make it easier on yourself: Take advantage of the efforts many email platforms have taken to streamline this process and make sign-up forms GDPR-compliant.



GDPR invites you to start a conversation with your customers as well as everyone involved in the data collection process of your business (employees and third parties). Make sure they are all aware of their rights and duties following the changes:


Customers: Be transparent. Tell customers you care about their data and what you’re doing to protect it.

Employees: Raise awareness of GDPR internally by making sure your employees have read and understood policy documents.

Contractors: Under GDPR, companies that use third parties to process the personal data of EU citizens are responsible for their readiness and conduct. Although subcontractors have their own responsibilities and a number of obligations, too.


Want more of an overview on GDPR? Take a look as we break it down here.

Hannah Bornhofen