What Do I Need to Do to Become GDPR Compliant?

by Joanna Pineda Posted on April 10, 2018

Guest post by Tanya Kennedy Luminati, MatrixMaxx Product Manager

What are the next steps once you know what GDPR is?

Officially start your security/compliance/privacy efforts

This is your first step: Read about GDPR on the Matrix Group blog, and start to learn more.

Track any efforts 

Team meetings, staff meetings, webinars, research, actions. It is widely recognized that not everyone will be ready for the May 2018 enforcement deadline, so it is critical to show a good faith effort in starting your analysis process. Documentation of your efforts is critical to proving this.

Learn more!

Many groups and vendors are offering free webinars on GDPR. Sign up and attend one; the more you know the better informed you’ll be.

A variety of organizations are hosting forums on this topic. For example, if you are an ASAE member, you have access to their GDPR collaborate forum.

Figure out your organization’s role

There is a shared responsibility for this between the Controller and the Processor.

Matrix Group, as a web services and software provider, is a Processor of data. Matrix Group’s clients are Controllers of their data. (e.g., The Association of Widget Makers, The Society of Professional People, ACME company, etc. are all Controllers.)

In other words, we here at Matrix Group must provide tools to support the processes and procedures of GDPR, but Controllers have ultimate responsibility to determine how GDPR will impact them, and then use the tools vendors/processors (like Matrix Group) provide to put processes into place to comply with GDPR.

For example, if a user requests access to all of their data …

Do a gap assessment: Where are you and where do you need to be?

The key questions to ask all revolve around your data:

And once you’ve analyzed your flow of data, it is time to analyze what you need to do in order to comply with these new regulations. You may need:

Reach out to your vendors and partners

At this point, any software/system partner should be thinking about their response to new privacy and security regulations like GDPR.

Here at Matrix Group:

Is there a checklist for GDPR ‘compliance’? Can we all get certified as compliant?

The concept of GDPR compliance certification has been established in the regulations, but it has not yet been fleshed out to the point of actually going into practice. So at this point, as of March 2018, if someone tells you they are certified compliant with GDPR, that is false.  

Looking ahead

We are moving into a permissions-driven economy. The days are vanishing when you can get a hold of someone’s email address and then send them endless amounts of email. You are going to need to politely and persuasively ask them for their data and explain how you are going to use it. You are going to need to be thoughtful about it. And you’re going to need to respect their desire for privacy while also wanting to utilize of your services.

As marketers of services, this can initially seem frustrating. But turn it around and think about yourself as a consumer. Haven’t you griped about the amount of email you get? Haven’t you wished your name would stop being shared with companies you don’t care about?  These regulations are coming in effect to force a worldwide respect of individual privacy and to make the cyber-world better for all us as individuals. In time, we may even view this focus on privacy and security as an implicit expectation, in the same way organizations are now expected to be think about sustainability as a key operations value. All of this is a good thing.



This is one of Matrix Group’s installments on GDPR, Privacy, and Security. We at Matrix Group are not lawyers or GDPR consults; do not take this info as absolute. Use this information as a starting point in:



Related Articles