GDPR Guide
We respect your privacy!

A Step-by-step Guide on How to Become GDPR Compliant for SMEs and NPOs

GDPR compliance is a huge task that many small and middle-sized companies (SMEs) as well as non-profit organizations (NPOs) have not yet fully achieved. Even though becoming GDPR compliant requires some effort, we at Tutanota are confident that every company can achieve GDPR compliance by following this step-by-step guide based on our own experiences when working on becoming GDPR compliant.

Protecting our users' right to privacy is at the heart of our secure mail service Tutanota so becoming GDPR-compliant on or before 25 May 2018 was of high priority to us, which we have achieved. It took us around three weeks of work to achieve GDPR compliance. Based on our experience, we have drafted this practical step-by-step guide on how to become GDPR compliant that will help any SME and NPO to achieve compliance as well.

Please note: This is a practical guide on how to become GDPR compliant and not legal advice. We at Tutanota take no responsibility that this guide is complete or legally accepted.

Short introduction to the General Data Protection Regulation (GDPR)

  • The GDPR is European legislation that defines how personal data must be processed and what has to be documented.

  • The GDPR very much follows the former German Federal Data Protection Act (Bundesdatenschutzgesetz), the biggest difference being the potential fines for non-compliance of up to 4% sales volume.

  • EU countries can create their own laws to add data privacy rules, but may not decrease the GDPR level of privacy. In Germany, this is the new Federal Data Protection Act (Bundesdatenschutzgesetz).

Recommendations based on our experience when working on becoming GDPR compliant

While achieving GDPR compliance at first sight seems like a lot of work, it can be easily achieved when it is broken down to concrete tasks that can be accomplished step by step. This guide will help you achieving GDPR compliance as it helps you to address one task at a time. This way you can constantly improve your documentation to become GDPR compliant without feeling the pressure of having to do everything at once.

The main recommendations that we as an SME that has already gone through the process can give are:

  • Work through all your databases one by one.

  • Use our "GDPR workflow: How to achieve GDPR compliance" posted below.

  • Document everything at one place so that you can easily keep track of everything.

  • Careful documentation helps you to keep the overview of your achievements in becoming GDPR compliance. It helps you to keep motivated and lets you take a break whenever you need to.

  • Once you are finished, ask your colleagues if you have missed any group of people that your company stores personal data about. There is usually always at least one group that you will have missed (database of media contacts, interns, etc.).

Step-by-step guide of how to become GDPR compliant

Achieving GDPR compliance is not just about protecting personal data that is being handled and stored by the company. In large parts it is about documenting how the personal data is handled, stored, and when it is being deleted so that a company can prove that it is GDPR compliant. This step-by-step guide helps you to document all necessary information for becoming GDPR compliant and to detect points of data processing where the protection of personal data in your company needs to be improved.

Step 1: Define who shall take care of achieving GDPR compliance, e.g. the data protection officer in the company. If you did not have one before, name a data protection officer, possibly someone who already handles personal data, e.g. Head of Human Resources.

Step 2: Read the GDPR and your local country's data privacy law (e.g. German DSGVO-Gesetz and German Bundesdatenschutzgesetz. Also the Suitable Recitals connected to the rules contain helpful information about the reasons for each rule.

Step 3: Gather personal data processing information in your company (e.g. customer database, HR database, media database, etc.). Put all this information into the "Records of processing activities". This is the main source of information that will be the basis for all other documentation and measures needed to become GDPR compliant.

Record of processing activities: Categories you need to document to become GDPR compliant

GDPR: How to become GDPR compliant practical guide - example of a processing activity

The screenshot above shows all categories that need to be documented for each Record of processing activity to become GDPR compliant.

  • First, name each processing activity. Then add the information for the following categories:

  • Categories of personal data (that are processed in this activity)

  • Categories of data subjects (whose data is processed)

  • Purpose (of processing)

  • Categories of recipients (who the personal data is disclosed to. This might be internal or external)

  • The information if the personal data is disclosed to a third country.

  • When the data is deleted

  • The legal basis. This can be one of the following (Art. 6 GDPR). There may be additional local laws that substantiate c) or e) (e.g. in Germany ยง 26 BDSG (neu) for processing employee data)

    • Art. 6 GDPR a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes (withdrawal of consent is possible, portability of data has to be made sure)
    • Art. 6 GDPR b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (portability of data has to be made sure)
    • Art. 6 GDPR c) processing is necessary for compliance with a legal obligation to which the controller is subject
    • Art. 6 GDPR d) processing is necessary in order to protect the vital interests of the data subject or of another natural person
    • Art. 6 GDPR e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
    • Art. 6 GDPR f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  • The risk

Step 4: Technical and organizational measures

  • Analyze the risk for all processing activities. If a risk is very high, you need to do a data protection impact assessment.

  • Gather all existing technical and organizational measures.

  • Depending on the specified risks, update the needed technical and organizational measures and implement them.

Visual guide: How to become GDPR compliant

This workflow can be used for each record of processing activity. Simply go through the workflow for each record that processes personal data in your company. If the data is not compliant with GDPR, e.g. you as a company have no purpose for storing this data, simply delete it. If you require the personal data, e.g. customer data base, employee data base, to do your business, document according to this step-by-step guide how you make sure that the processing activity handles the personal in compliance with the GDPR requirements.

GDPR Workflow: How to become GDPR compliant practical guide

Detailed explanation of the visual guide: How to become GDPR compliant

Gather personal data processing information in your company: Find out where personal data is being processed in you company, e.g. salary statement, employee management, customer management, payment, supply management, etc. Name this data processing activity. It will be the first entry in the above "Record of processing activities", your main document for achieving GDPR compliance.

Categories of personal data: Specify what personal data is being processed by this processing activity, e.g. Name, date of birth, address, bank details, social security number etc. This also includes personally identifiable information such as IP addresses, private email address, etc.

Identify processings as processor:

Order processing agreement:

Records of processing activities:

Analyze risk: For analyzing the risk, scrutinize who has access to the data, e.g.

Run data protection impact assessment:

Technical and organizational measure:

Gather existing technical and organizational measures:

Implement new measures:

Risk level: Specify the risk level for each category of personal data based on your risk analysis: low, medium, high.

Categories of data subjects: Specify who are the data subjects, e.g. employees, customers, partners, journalists, etc.

Data privacy statement:

Employee publication consent: In case you publish the names of your employees and / or images of your employees (e.g. team picture on your website), every employee needs to sign a publication consent. If they do not wish to sign, but instead require you to remove this information from your publication (e.g. from your website), you must remove this information in a timely manner, e.g. within one week of revocation. Employees can revoke their consent at any time without consequences to their employment.

Implement getting consent from parents:

Purpose: Specify what purpose you as a company need that category of personal data for.

Stop processing and delete data that is not compliant: If there is no business purpose for that processing activity, delete the personal data stored.

Categories of internal recipients: Who has access to this processing activity, e.g. all employees, management, HR department. Where is it stored internally, e.g. customer database, ring binder, etc.

Employee data processing obligation: Make sure every employee with access to personal data, reads a 'Security Guide' that contains all necessary information for the employees about how to handle and protect personal data they have access to.

Categories of external recipients: Who accesses this processing activity outside of your company, e.g. tax office, bank, payment processor, email service provider etc.

Order processing agreement: You need to sign an order processing agreement with every external contractor that is involved in the processing of personal data for your company.

Third country: Is an external recipient of personal data located outside the European Union?

Make sure guarantees exist: If an external recipient of personal data is located outside the EU, you need to make sure that they have proper data protection measures in place to keep the personal data safe from unauthorized access.

Time limits for erasure: What are the time limits for the personal data contained in this processing activity? For instance, information about employees that have left the company must be deleted three years after they left.

Implement limits for erasuer in time: Implement measure to make sure that the personal data contained in this processing activity is deleted within the defined period of time.

Legal basis for processing:

Implement export of data: Under the GDPR private citizens can ask companies to hand over all data stored by the company. Implement means to export all data stored about your users so that you can hand out the data should they request same.

Get consent for advertisements: Get consent to send out advertisements via email if you plan to do same.

GDPR compliant web hosting

When your company is hosting data online, you need to take extra care to make sure that the data is handled GDPR-compliant. Make sure to get a Data Processing Agreement (DPA) from your service provider, which in general should be sufficient to achieve GDPR compliance.

However, it is much better if the data you host externally with online services is stored end-to-end encrypted. The GDPR highlights encryption as an appropriate technical measure to safeguard data, therefore making it a key technology measure to demonstrate compliance.

By choosing end-to-end encrypted cloud services, you make sure that only your company can access your confidential business data, leaving the service provider with no access.

For cloud storage we recommend Tresorit, an end-to-end encrypted file sharing and storage platform for businesses based in Switzerland.

For emails we recommend Tutanota, our end-to-end encrypted email service based in Germany.

What can Tutanota do to achieve GDPR compliance in business emails?

Tutanota protects all your business emails in four ways:

  1. The entire mailbox is end-to-end encrypted. The encrypted data can only be accessed by your company. This includes all emails and all contact information (address book) stored in Tutanota. All data is stored encrypted on our own servers in highly secured data centers located in Germany.

  2. Tutanota encrypts all emails among your employees end-to-end. This makes it very easy for you to share personal information, e.g. about applicants or customers, internally via email.

  3. Tutanota enables you to send end-to-end encrypted emails to outside users with sharing a password.

  4. Tutanota enables you to place a secure contact form on your website so that people interested in your company can easily get in touch with you end-to-end encrypted.

Read our blog how Tutanota helps you to achieve GDPR compliance in emails.