GDPR came into effect over five years ago. However, not everyone managed to get out of the starting blocks in 2018. Some have stumbled significantly along the way.

Us who have been actively involved in GDPR compliance since 2018 have gained valuable insights throughout the journey. Many of us have experienced that the initial GDPR project leading up to May 1, 2018, failed, but that efforts have yielded more favourable results the second time around. By adopting a well-considered, risk-based approach to data protection, many organisations can make significant strides in establishing robust data protection practices through straightforward means.

Data protection work is an ongoing process where one may never reach the finish line entirely. Nevertheless, it is not a shield to hide behind if one did not attain full compliance at the outset five years ago. We observe many organisations that have remained on the sidelines, experiencing pangs of concern whenever GDPR-related issues sporadically surface in news headlines, seminars, or meetings. This concern is particularly pronounced when reading about events such as inspections and subsequent penalties imposed by Data Protection Authorities.

Not all businesses process personal data as a core part of their operations or require sophisticated marketing practices necessitating more intricate assessments. Nonetheless, most organisations require a structured “GDPR programme,” and failure to implement one can result in substantial business risk.

Our clients often seek effective documentation tools and simplified processes that employees can readily follow to manage various situations.

We have observed that many organisations, without substantial resource investments, can transition from non-compliance with fundamental GDPR requirements (which can substantially compromise data subjects’ privacy and expose the company to considerable business risk, particularly during inspections) to achieving a significantly reduced risk profile for both the organisation and the individuals whose personal data they process.

Here are our top recommendations for re-engaging with GDPR compliance if you are uncertain about your level of control:

  • Gain renewed insights into the essence of GDPR. It may differ from your initial expectations. Perhaps it is much simpler than you might think. Seek guidance from experts who can help you embark on the right path.
  • Leverage effective systematic management practices already in place within your organisation. Integrate GDPR processes seamlessly into your existing structures and procedures, simplifying comprehension and adherence for leaders and employees alike.
  • Utilise reputable GDPR-specific templates for documentation. These templates are readily available from Data Protection Authorities. If needed, the UK’s Information Commissioner’s Office (ICO) offers numerous valuable English-language resources.
  • Prioritise employee training. Ultimately, it is your employees who ensure compliance. While they may not require a comprehensive understanding of the entire GDPR, they need to be aware of how it applies to their roles. Leadership holds the responsibility to provide them with the necessary support.


Do you still find GDPR challenging?

Agenda Risk stands ready to assist you on your compliance journey. Feel free to get in touch, and we will guide you back on track.

Ingrid is a social anthropologist from Oslo. She holds more than ten years of experience in corporate governance, internal control, compliance, and risk management across both public and private sectors. Prior to joining Agenda Risk Ingrid most recently worked at Elkjøp and TINE, where she contributed with her extensive expertise within the fields of corporate governance, strategic risk management, support, and risk management training for both TINE and its subsidiaries. Additionally, she played a pivotal role in the development of tools and systems. Ingrid has served as a data protection officer at both TINE and Elkjøp, amassing significant experience and competence in this domain.