Data Controller’s intentions will be one of the main drivers to achieve compliance with the EU GDPR

Published on September 18, 2017

Few points below for every organisation to look at for EU GDPR compliance:

  1. Understand whether the organisation is holding personal data as a Data Controller and/or Data Processor.

  2. Remember that organisation can be both Data Controller as well as Data Processor, but not both at the same time for any given personal data or personal data attribute.

  3. Work with or hire individual(s) who understands essence of EU GDPR and how it affects your organisation. Make sure that GDPR team members collectively have worked in different roles and not just compliance area.

  4. Create flat organisational structure to attain compliance till 24th May 2018.

  5. Create high level ARP (Accountability, Responsibility and Pseudonymisation) matrix for all types of personal data attributes at stages where data is subject to induction, transmission, modification and/or backup as well as its restoration.

  6. Remember ‘natural person’ whose attributes have been collected is owner of ‘personal data’.

  7. If organisation cannot justify collection of certain attributes of personal data then avoid its collection (or modification) and delete such data from all locations where it resides.

  8. If you have/had collected unjustifiable personal data attributes then make sure that you do not collect such personal data attributes going forward.

  9. If organisation has already collected personal data that it can justify then the same should be communicated to owner /natural person.

  10. Organisation that is not having matured and/or reusable and/or proven processes is more likely to fail EU GDPR - ‘Data protection by design and by default’.

  11. Organisation will have to have appropriate roles created to oversee continuous EU GDPR compliance.

Above all remember that organisation (under EU GDPR) is always subject to fines of up to 4% of annual global turnover or €20 Million (whichever is greater) on the enforcement date of 25th May 2018. Also, on or after 25th May 2018 no organisation can afford to be complacent.

Just a thought - ‘Experienced GDPR Consultant/Analyst’ is like someone is trying to find Chief Guest, for passing-out parade, who has won Gold Medal at 2020 Olympics. One can only be ‘Experienced GDPR Consultant/Analyst’ after 25th May 2018. I wish all organisations achieve EU GDPR compliance as my personal data might be with them.

As of today, it is possible that some organisations know more about me than what I know about myself, however, I might try to protect it. On 25th May 2018, those individuals who doubt intentions/integrity about any organisation (other than under Article 23 of 'REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016') will be able to easily get rid of such behaviour by exercising personal data rights.

Do not let unethical/non-compliant organisations get away with bad behaviour. Remember: You own your personal data !

Trainer and Consultant Profile (s)

Our consultants have more than 20 years experience in the IT industry across the globe in disparate sectors such as Banking (Investment, Retail, Commercial and many other), Telcos, Call Centres, Energy, Utilities, ISPs, Government & Private, Retail & Commercial, Media & Broadcasting and many other.

It is worth noting that our consultants have worked as part of an international consultancy that was at the core of building ITIL®. Our consultants have work experience in all areas of ITIL® and Service Management and regularly travel for ITIL® implementations.

Our trainers have been granted Accredited Trainer status by EXIN after going through a rigorous Accreditation process.


ITIL® is a registered trade mark of AXELOS Limited

The Swirl logo™ is a trade mark of AXELOS Limited

The ITIL Accredited Examination Institute logo is a trade mark of AXELOS Limited