What is GDPR compliance?

GDPR compliance means that your organization processes personal data lawfully, securely and verifiably – every day. It’s not just about policies, but about being able to show that you are doing the right thing in practice.

At the core of GDPR compliance

  • Lawful basis: Each processing operation has a clear legal basis (e.g. contract, legitimate interest, legal obligation).
  • Transparency: You clearly communicate what you collect, why and for how long.
  • Data minimization & deletion: You collect only what’s necessary – and delete according to plan.
  • Security: Technical and organizational measures protect data.
  • Rights: You can handle access, correction, objection etc. within the deadlines.
  • Accountability (the proof): You can document decisions, processes and actions.

What counts as “proof”?

  • ROPA/data card: Overview of processing activities per department.
  • Agreements & templates: DPAs, consent texts, LIA/DPIA/TIA notes.
  • Logs & audit trails: DSAR log, breach log, deletion logs, access log.
  • Training: Participation, completion reports and content.

ROPA
= Record of Processing Activities.

  • What: A catalog of all personal data processing in the company.
  • Why: Shows overview and accountability.
  • Typically includes: purpose, data categories, data subjects, systems/suppliers, legal basis, retention period, security measures.
  • Example: “Recruitment in HR – CVs stored for 6 months, legal basis: legitimate interest.”

DPA
= Data Processing Agreement.

  • What: Contract between the data controller (you) and a supplier that processes data on your behalf.
  • Why: Ensures clear requirements for security, sub-processors, deletion, supervision, etc.
  • Example: Agreement with your payroll system or email marketing platform.

LIA
= Legitimate Interest Assessment (balancing of interests when using “legitimate interest” as a legal basis).

  • What: A short decision memo where you assess purpose, necessity and impact on data subjects – and what risk mitigations you use.
  • Why: Proof that “legitimate interest” is chosen correctly.
  • Example: Using employee photos on intranet for internal culture/identification.

DPIA
= Data Protection Impact Assessment.

  • What: A deeper risk assessment for high-risk processing (e.g. systematic monitoring, sensitive data on a large scale).
  • Why: Identify risks and determine mitigation measures, possibly with the involvement of DPO/IT/Law.
  • Example: Implementing a new HR analytics system with extensive employee data.

TIA
= Transfer Impact Assessment (third country transfer impact assessment).

  • What: Analysis of whether personal data can be legally transferred to countries outside the EEA (e.g. via cloud provider) and whether additional measures are necessary.
  • Why: Required for international transfers (often with SCCs).
  • Example: Using US SaaS – assessing legislation, access risks and encryption.

DSAR
= Data Subject Access Request (request from data subjects for access etc.).

  • What: Managing the rights of individuals: access, rectification, erasure, objection, data portability, etc.
  • Why: GDPR requires deadlines (typically 30 days), identity checks and response format.
  • Example: A customer requests a copy of all information – you have a standard flow and a log.

What GDPR compliance is not

  • Don’t “consent to everything” – choose the right legal basis.
  • Not just an IT project – HR, Marketing, Sales and Support are involved.
  • Not a one-off exercise – it’s ongoing governance.

Making it easy to get started

Grapes GDPR Compliance online course gives your entire organization the most important information in around 30 minutes. (Danish/English)