It’s an important subject for many organizations: the GDPR. From 25 May 2018 on, this legislation comes into force for the entire European Union and organizations must meet the new regulations. Is your organization ready? We’d like to give you 6 tips to get you started.


If you use an application like TOPdesk, you’re registering information about other persons. This makes the new EU General Data Protection Regulations (GDPR) relevant for your organization. Every country within the EU implements the regulations in their own legislation.

Do you want to know how we at TOPdesk handle the new legislation? Check out more about our GDPR compliance here.

1. Mapping your data processing

Under the new regulations, you are required to record any personal data you process, with what purpose, who you share it with and how you plan to ensure to keep in line with the regulations. In some cases it’s necessary to perform a privacy impact assessment.

2. Asking permission to use data

You often use software to support your colleagues or customers. Asking permission to record their personal data is not always required; for example, when this data is limited to what’s necessary for performing the agreement. In other cases, you’ll need to ask permission. To find out what applies to your organization, please check your country’s legislation on this matter.

3. Right of access, correction and/or deletion

You, as recording party, are expected to be transparent about what you record about someone. The people involved may ask you to make changes to incorrect data, or even delete it. Be prepared and keep your support department up-to-date on how to deal with these requests.

4. Conclude data processing agreements with (cloud) suppliers

Do you use SaaS software to process personal data? Then you need to make sure that you, as controller, conclude a processing /controller agreement (two names, same document) with your supplier, the so-named processer. In this document, you lay down clear agreements about each other’s role regarding the processing of personal data. For example, about confidentiality and how to handle data leaks.

What these agreements comprise depends on the services rendered. That’s why it’s smart to ask the supplier if they have a model agreement. This is a good opportunity to see how prepared your supplier is.

5. Setting up a security incident process

Avoid stress by thinking ahead about how you want to act when a security risk occurs. In some cases, the controller needs to report a data breach within 72 hours to your government’s Data Protection Authority. Or even with the persons whose data has been breached. That’s why it’s important to create a workflow for security incidents. With this workflow, the right person can take a decision about the steps that need to be taken.

6. Appointing a data protection official

In 2018, some organizations are required to have an appointed data protection official for specific situations. Most organizations won’t need this official. However, it’s still smart to have someone available who knows what’s going on. He or she can keep an eye on your government’s website dedicated to data protection and follow webinars on this subject, for example. This helps you avoid any mistakes that may lead to large fines or damage to your organization’s reputation.

You can read more about our views on GDPR on this page.