After three years since its entry into force, GDPR compliance can still seem tricky, and it does take time to dive into. Scandals and legal actions related to privacy breaches and GDPR violations make headlines in the news on a regular basis; therefore, it’s more and more clear that the costs of not satisfying GDPR provisions can be far greater than any investment made to adhere to it.

This article will help you understand whether your business is subject to the General Data Protection Regulation (GDPR), which requirements you need to meet, and how to achieve full GDPR compliance in your company.

Which companies are subject to the GDPR?
Does GDPR apply to my company?
Do I need to comply with the GDPR record-keeping requirements?
Does my company need to have a DPO?
7 steps to ensure GDPR compliance
How can Penneo help you achieve GDPR compliance?


Which companies are subject to the GDPR?

GDPR applies both to companies that are based in the EU and to companies that are based abroad but process personal data of people who are in the EU. Although organizations of any size can fall in the GDPR scope, there are some exceptions about:

  • The record-keeping requirement: smaller firms (with less than 250 employees) are exempt from the obligation of keeping detailed records of their processing activities – as long as their data processing is occasional and is not about sensitive data
  • The appointment of a DPO: the Data Protection Officer (DPO) is the person appointed (internally or externally) to ensure that the company complies with GDPR, and to handle potential questions or complaints related to data privacy rules and data protection rights. A firm needs to appoint a DPO if its core activities involve the regular processing or monitoring (e.g., tracking, profiling) of sensitive data on a large scale. For example, the DPO is mandatory for a big clinic processing large sets of sensitive data, but it’s not mandatory for a local community doctor that only processes the personal data of a low number of patients.

That being said, you can easily find out whether the GDPR applies to your business.

Companies that the GDPR applies to


Does GDPR apply to my company?

  • Is your business established in the EU?
  • If it is not, does your company process the personal data of people who are in the EU?

If the answer is yes to at least one of these questions, you must comply with GDPR requirements.


Do I need to comply with the GDPR record-keeping requirements?

  • Are there more than 250 employees in your company?
  • If your company has less than 250 employees, does your business regularly process sensitive data?

If either answer is positive, you need to comply with the GDPR record-keeping requirements.


Does my company need to have a DPO?

  • Does your firm process sensitive data on a large scale?
  • Does the data processing or monitoring occur regularly?

If both answers are affirmative, you need to appoint a Data Protection Officer (DPO).


7 steps to ensure GDPR compliance

If your business is subject to the GDPR, the following checklist will help you understand your level of GDPR compliance and identify where there’s room for improvement.


1. Check the personal data you collect and process

  • Do you have a legal basis to process personal data?
  • Does the data processing have a legitimate purpose?
  • Would it be possible to handle information in a less intrusive way?


2. Make sure the consent you collect is legally valid and effective

If your lawful basis to process personal data is consent, make sure the consent you collect meets the requirements laid down for it, and keep records of such consent – including what the person has consented to and when, where, and how this consent was expressed.


3. Inform your customers, employees, and other individuals when you collect their personal data

Your obligation of providing transparent information results in clearly stating, at a minimum, who you are, why you are processing the data, what the legal basis is, who will receive the data.

You should also communicate how long the data will be stored, the individual’s data protection rights, how consent can be withdrawn (when consent is the legal ground for processing), and information about automated decision-making (if applicable).


4. Keep the personal data for only as long as necessary

If the data refers to your:

  • employees, you only need it as long as the employment relationship and related legal obligations last;
  • customers, you should not keep it beyond the term of the customer relationship and related legal obligations.

Make sure to delete the data when it is no longer necessary for the purposes for which you collected it.


5. Ensure the security of the personal data you are processing

Protect the personal data you are processing by limiting access to the files containing the data on your IT system and regularly updating its security settings.


6. Keep detailed records of your data processing activities

The documentation should explain:

  • what type of personal data you process and for what reasons;
  • what categories of people are concerned (employees, customers, suppliers) and what categories of recipients are involved (labor authorities, tax authorities);
  • the storage periods and the duration of the relationships on which the storage periods are based;
  • the description of technical and organizational security measures to protect personal data.


7. Only trust compliant subcontractors

If you need to outsource activities to another company and the outsourcing involves transferring personal data you hold to that company, choose only service providers who guarantee data processing under the GDPR rules.


How can Penneo help you achieve GDPR compliance?

So, what’s the status of your organization? If you can successfully tick all the points on the checklist, then you’re on the right track. But if you are doubtful about some of them or wish to make your compliance process easier, Penneo can offer you features and capabilities that might just do the job. With Penneo, you can:

  • Limit access to sensitive information by defining permission settings
  • Enable 2FA, authentication via eID or NIN before accessing a document, and encryption
  • Store documents safely with automatic backups in the cloud and in physical data centers in the EU
  • Let customers verify their identity at their convenience while complying with the GDPR
  • Use our forms to collect personal information through secure and encrypted channels
  • Set up your data retention and deletion policies according to your own needs and obligations
  • Use digital signatures to capture consent



If you're looking to learn more, we have a few suggestions for you


FTN: Sign Digitally with Bank eIDs & Mobiilivarmenne

Norwegian Transparency Act

The Norwegian Transparency Act (Åpenhetsloven)

itsme® Sign

itsme®: Sign Documents Digitally in Belgium