GDPR Compliance

Data protection and cyber security is a vital part of ESG-compliance. Data is extremely valuable to every business and therefore must be handled and protected properly. The European GDPR (General Data Protection Regulation), which manages the sustainable and responsible handling of private data, has been conveyed in national data protection laws, for example, the DSGVO (Datenschutz-Grundverordnung) in Germany.

1.1. GDPR Compliance

What is the GDPR and what scope does it have?

For an overview of the GDPR, its scope, and general guidance refer to 🔐Data Protection

How to handle GDPR compliance?

Depending on the size of your company and industry, or what kind of data you process, there are three different approaches founders can take to handle GDPR compliance.


The simplest way is to deal with data protection in-house. This might be the best approach for your company as long as your data flow has a manageable extend.


There are numerous software solutions available that help you to digitalise your data handling and becoming compliant to applicable regulation.

Suitable providers include the following: heyData, secjur and Vanta


Another option would be to contract an agency to take care of your data protection. While this might get a bit costly, it allow you to fully outsource GDPR compliance.

Our Agency: Simpliant ; Contact: Steffen Gross steffen.gross@simpliant.eu

Generally, startups can follow available checklists to determine their data protection needs. The To-Do’s can be divided into four sections:

Lawful basis and transparency
  • What information do you have and who handles it?
  • Is your data processing legally justified?
  • Have you stated your way of handling data in your privacy policy?
Data security
  • Anonymize data whenever possible.
  • Raise awareness within your team.
  • Create a data protection impact assessment.
  • Know how to notify the authorities in the case of a data breach.
Accountability and governance
Privacy rights
  • Third parties have a right to see what information about them you have and how you are using it. Make it easy for third parties to review this information, update it or delete it.
  • Be prepared to offer copies of these data sets.
  • If you make use of automatic data handling, be sure that your processes do not conflict with legitimate interests (e.g. equality).

The official checklist is available here:

Another checklist can be found here:

Best Practices for an early adoption

  • Appoint a data protection officer
  • Classify all data
  • Implement an Application Tracking System (ATS) as soon as possible
  • Train employees in GDPR
  • Document, maintain and enforce privacy policies, procedures and processes
  • Complete a privacy impact assessment
  • Test data breach response procedures