When people first learn about the GDPR, the questions they ask are: how do I comply with the GDPR? Do I really need a data protection officer? Do I need expensive consultants?
So, how do you comply with the GDPR? In four steps:
1. Set up a record of processing activities
Start with a record of all your processing activities. Practically every company, organisation or association needs a record (an index) of its processing activities listing the categories of personal data it processes. This record gives you, and the supervisory authority if it asks, an overview of which kinds of personal data you process, for which purpose, how long they are stored, whether they are transmitted to recipients, and so on. No specific format is prescribed for this record, but it is the single most important step in complying with the GDPR. (Article 30 GDPR. Article 30(5) exempts organisations with fewer than 250 employees only if their processing is occasional, unlikely to pose a risk to the people concerned and involves no special categories of data; in practice few organisations meet all three conditions.)
2. Put contracts in place with your processors
You almost certainly have processors that store, copy, use or even destroy data on your instructions: your hosting company, your external accountant, your cloud storage provider, and so on. As the controller you remain responsible for the personal data you process, so you have to make sure that your processors protect and secure the data in a GDPR-compliant way. For individually tailored services you will have to conclude an individual contract with each processor. For mass-market services, e.g. cloud storage, the processor will offer its own data processing terms; check that they cover the Article 28 requirements and add this information to your documentation. (Article 28 GDPR)
3. Check whether a data protection impact assessment (DPIA) is necessary
While compiling your record of processing activities you also have to document the technical and organisational measures you take to secure and protect the data (Article 32 GDPR). If a processing activity is likely to result in a high risk to the rights and freedoms of the people concerned, you need to carry out a DPIA for that activity. The DPIA must contain a risk analysis covering the likelihood and severity of harm to those people, including the consequences of a data breach. You then have to identify measures that reduce likelihood and impact so that the residual risk of the processing activity is minimised. If a high risk remains despite those measures, you have to consult the supervisory authority before you start processing. (Articles 35 and 36 GDPR)
4. Check your public statements
After these first three steps you have gathered a lot of information and already produced some documentation. You will probably have found areas where you lack the notices that provide transparency and information to your clients. For example, check your website for its privacy notice, cookie consent and eCommerce compliance, and check whether your general terms and conditions need updating. (Articles 13 and 14 GDPR)
If you are a small company that does not process special categories of data and does no profiling, you should now be done. Re-evaluate at least once a year whether your processing activities or internal processes have changed, and update your documentation whenever they do.