European Commission’s seven-steps guide to the General Data Protection Regulation

Less than 20 days before the entry into application of the GDPR, the European Commission continues to offer guidance and tools to citizens and businesses to ensure the highest level of compliance possible. The most recent tool published is a seven step guide for businesses. The guide, laying down the main requirements a business should follow to get ready for the Regulation, is mainly directed at companies that do not handle personal data as a core business activity and particularly SMEs.

The European Commission identifies 7 main steps in its newly published guide, of which you can find an abstract below:

Step 1: Check the personal data you collect and process, the purpose for which you do it and on which legal basis

You have employees and you are processing their personal data based on the employment contract and based on legal obligations (e.g. reporting to tax authorities / social system). You can manage a list of individual customers, for instance to send them notice about special offers/adverts if you obtained consent from these customers. You don’t always need consent. There are cases when individuals will expect you to process their data. For instance, as a pizza merchant you can process the delivery address to advertise one of your new products. This is called a legitimate interest. You must inform individuals about your intended use and stop processing such data if they tell you to do so. If you manage a list of suppliers or business clients, then you do it based on the contracts you have with them. The contracts are not necessarily in a written form.

Step 2: Inform your customers, employees and other individuals when you collect their personal data

Individuals must know that you process their personal data and for which purpose. But there is no need to inform individuals when they already have information on how you will use the data, for instance, when a customer asks you to do a home delivery. You also have to inform individuals on request about the personal data you hold on them and give them access to their data. Keep your data in order, so when e.g. your employee asks you about what sort of personal data you have, you can provide it easily with no extra hassle.

Step 3: Keep the personal data for only as long as necessary

Concerning the data on your employees: as long as the employment relationship and related legal obligations. Concerning the data on your customers: as long as the customer relationship lasts and related legal obligations (for instance for tax purposes).

Step 4: Secure the personal data you are processing

If you store this data on an IT system, limit the access to the files containing the data, e.g. by a password. Regularly update the security settings of your system. If you store physical documents with personal data, then ensure that they are not accessible by unauthorized persons; lock them in safe or a cupboard

Step 5: Keep documentation on your data processing activities

Prepare a short document explaining what personal data you hold and for what reasons. You might be required to make the documentation available to your national data protection authority when it requests it.

Step 6: Make sure your sub-contractor respects the rules

If you sub-contract processing of personal data to another company, use only a service provider who guarantees the processing in compliance with the requirements of the GDPR (for instance security measures). Before you sign a contract, check if they have already changed and adjusted to the GDPR. Put it in the contract.

Step 7: Check if you concerned by the provisions below

To better protect personal data, organizations might have to appoint a Data Protection Officer (DPO). However, you don’t need to designate a Data Protection Officer if processing of personal data isn’t a core part of your business, is not a risky processing and your activity isn’t at a large scale; For example, if your business only collects data on your customers for home delivery, you do not need to appoint a DPO. Even if you need to make use of a DPO, he/she could be an existing employee tasked with this function in addition to his/her other tasks. Or it could be an external consultant; the same way many organizations use external accountants. You normally don’t need to carry out a Data Protection Impact Assessment. Such an impact assessment is reserved for those that pose more risk to personal data, for instance they do a large-scale monitoring of a publicly accessible area (e.g. video-surveillance). If you are a small business managing employees’ wages and a list of clients, you do not need to carry out a Data Protection Impact Assessment for those processing operations.

(Source: European Commission)

Where to get more information on GDPR

If you wish to obtain more information, you can also:

  1. Visit the European Commission’s online guidance on data protection reform – available in all EU languages:
  2. Consult your national Data Protection Authority.


This factsheet is the latest in a series of guidance document created by the European Commission, that you can find on its GDPR webpage.
Ecommerce Europe’s National Associations are also working hard to inform all their members about the obligations of the GDPR. Click on the links below to access some of the documents that our members published on GDPR:

  1. Retail Excellence (Ireland) GDPR Manual
  2. „ARMO (Romania) GDPR Factsheet
  3. Händlerbund (Germany) GDPR Handbook
  4. FDIH (Denmark) Guide & Video (only for FDIH members)
No Comments

Post a Comment