Skip to main content

Don’t delay aligning your business with GDPR regulations, even though they have been in effect for some time, along with the Laws on Personal Data Protection and Private Security. However, if you find yourself stuck and delaying compliance because:

  • You lack a clear understanding of the regulations.
  • You struggle to find the right path and effectively delegate the project within your organization.
  • You’ve heard from some sources that it’s not fully enforced yet, so you plan to start compliance when it becomes more urgent.
  • You believe you’re not at risk because you’ve received minimal guidance, such as a couple of documents from a legal office and assume any issues will be resolved if necessary.
  • Risk assessments, impact assessments, and other paperwork can be done retroactively to cover situations as they arise.

These are common attitudes among company management that have not yet addressed data protection and security measures. However, introducing corporate security as a management function is crucial.

We suggest starting the project by addressing point 1, as it’s essential for subsequent steps. Through education, you can clarify the situation and make transparent, high-quality decisions going forward. Ignoring the problem only delays the inevitable, and it’s uncertain when it will come back to haunt you.

Education and Establishment of Organizational Framework for LPDP/GDPR Compliance

Considering that personal data protection regulations encompass numerous processes within an organization, employees must be acquainted with and prepared to respond to the new requirements and obligations they will need to adhere to. Training and education during this process provide a foundational alignment and understanding of the essence of GDPR regulations, thereby facilitating the effective adoption of new organizational patterns.

The entire process must be adequately and transparently coordinated, with the appointment of individuals or teams responsible for this strategic project. Depending on the size and purpose of the organization, it may be necessary to appoint an internal or external Data Protection Officer (DPO).

Mapping Data and Defining Responsibilities

Through this phase, we create a graphical representation/flowchart of data, clearly indicating how data is collected and processed, where personal data is stored, the flow of data during collection, processing, and distribution processes, data classification criteria, retention periods, and more. This helps identify and assess the risks of potential non-compliance and ensures a rational approach to data management.

It is crucial to determine roles in the processing process, whether the company is a data controller or processor. The complexity of this regulation suggests that its impact on business operations can be extremely complex, despite initial appearances.

Privacy, Security, and Data Protection Risk Assessment

Once the data map is completed and a clear picture of the data within the organization is established, we begin the risk assessment process. This aims to identify potential dangers and potential damages to which this data may be exposed. The potential impact of these risks on the data itself is determined, and based on this, concrete steps are defined, including descriptions of measures and actions for protection, prioritized by system. In some cases (as defined by LPDP and GDPR regulations), a Data Protection Impact Assessment (DPIA) may also be mandatory. Additionally, before conducting an impact assessment, a GAP analysis should be performed to identify any non-compliance with existing security systems compared to the new requirements of LPDP/GDPR.

Defining Procedures for all Types/Classes of Data

Since requirements for different types of data can vary significantly, it is necessary to formally regulate internal policies, instructions, and procedures regarding how the organization will handle and treat personal data. Data classes are typically determined based on sensitivity levels and the extent of data collected for specific purpose. Therefore, contact information, bank account data, health information including medical history, religious and national affiliation data may have different privacy implications, requiring different approaches to processing and protection. In such cases, the process for obtaining consent for data processing and usage should be clearly defined, often requiring additional impact assessments and particular attention from the data controller.

Implementation of Organizational-Technical and Security Measures for Data Protection

LPDP/GDPR requires the adoption of optimal and timely data protection measures to prevent all risks and threats to data loss within the organization. In the event of a data breach compromising data integrity and privacy, organizations are legally obliged to notify the competent authority, Commissioner, and data protection officer within 72 hours, as well as all affected parties. These obligations, along with fulfilling user rights, implementing privacy by design and privacy by default principles, require adequate design of data usage and management structures. To achieve a satisfactory level of protection, companies may consider appropriate technological solutions as one of the pillars of compliance with PDPL/GDPR.

Documentation and Description of Steps

The organization must document all actions and steps taken in the compliance process with regulations, as well as define, in accordance with regulations, each new data processing activity it engages in, accompanied by an adequate description of the purpose, scope, and duration of such activity. Procedure mapping is essential to demonstrate compliance with requirements to the supervisory authority, Commissioner and data protection officer and to users/individuals whose data is being processed.

Periodic Monitoring, Verification, and Improvement

To achieve genuine compliance and ensure the effective implementation of privacy policies and personal data protection measures, organizations must periodically monitor the application of measures through reporting and corrective actions that ensure sustainable compliance with LPDP/GDPR. Following the preliminary alignment with regulations, organizations must continue with ongoing risk analysis, monitoring developments and events in the field of data protection and implementing additional measures and systematic employee education.

The complexity of this regulation demands a broad spectrum of knowledge, experience, and time as necessary resources to invest in achieving legal compliance and elevating the security culture of the organization to a higher level.

It is very common for organizations to lack all the necessary resources and knowledge to implement these steps. In this case it is highly recommended to seek support from experts and external partners who have best practices and solutions in this area. Many companies operating in LPDP/GDPR compliance require a GAP analysis and corrections to existing procedures to continuously verify compliance.


We are a multi-disciplinary team of experienced consultants ready to respond to all your simple and complex requirements. Contact us to work together to find the best, efficient, and applicable solution for your business.