GDPR implementation in an outsourcing IT company

An international company with offices in the USA and the CIS, whose customers mostly come from the European Union. One of the company's core activities is the development of software, which primarily deals with personal data. As the company offers maintenance of the developed software, its employees often gain access to the client's servers in the EU. This process is considered as processing under Article 4 of the GDPR. Also, the company conducts active marketing campaigns directed at decision-makers of European companies, including email marketing and direct marketing on social networks. All these factors make the company a controller of personal data.
Project goals and objectives
  • Eliminating the threat of losing clients from the EU who are afraid of the transfer of personal data to Belarus, Russia, and Ukraine, i.e. to countries that do not offer an adequate level of data protection.
  • Protecting the company from the risk of a fine or a complaint for the use of personal data without consent for email marketing and other activities.
Project summary
Leading expert of DPO LLC Siarhei Varankevich recommended to create a project team to implement the GDPR made of representatives of the following departments: information security, finance, HR, legal, software development, and quality assurance.Eight working sessions were held within four months with the participation of Siarhei Varankevich. The company’s employees selected during these sessions 38 out of 139 activities of the Nymity Privacy Management Accountability Framework, ranked them by priority, assigned tasks and decided who would be responsible for their realization. For each new activity, Siarhei gave a full explanation on how to implement it and what documents would serve as evidence of implementation. He also provided the employees with the necessary tools and templates.
Project results
  • Identifying individuals responsible for data privacy, and establishing report procedure management;
  • Data protection risk assessment at the enterprise level was carried out;
  • Employees have been familiarized with personal data protection policies and were required to comply with them;
  • Inventory of key personal data storage, including sensitive information, and data flows. Data are entered in the Records of Processing Activities according to Article 30 of the GDPR;
  • Using SCC as a data transfer mechanism, cross-border data transfers were formalized with the majority of contractors;
  • Internal instruction for data protection was developed;
  • Legal grounds for data processing under Article 6 of the GDPR were documented;
  • Privacy policies for company's websites were developed and drafted;
  • Data protection activities were included in direct marketing practices;
  • Bring Your Own Device (BYOD) rules and procedures were developed and implemented;
  • Personal data protection training was provided;
  • Personal data protection was included in the information security policy; 
  • Implementing measures to encrypt personal data;
  • Enforcing procedures to restrict access to personal data (e.g., role-based access, allocation of responsibilities);
  • Applying due diligence procedures regarding data privacy and security to potential suppliers and subprocessor.


Siarhei Varankevich CIPP/E, CIPM, MBA
Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
MBA, Certified Information Privacy Professional (CIPP/E), Certified Information Privacy Manager (CIPM). Started to work with the GDPR draft version, in 2015, in Munich. Defended his MBA thesis about the Regulation, in Bremen, in 2016

Siarhei delivered hundreds of consultations on GDPR issues to companies around the world. He helped to implement the GDPR program as an external project manager in over 50 companies.

In LinkedIn

Recommended services

GDPR express course from EU certified data protection professionals.
GDPR Implementation
GDPR Roadmap+ Implementation Program
Training and consulting support of the working group on the GDPR implementation, ad hoc consultations on problematic areas.
The course is loading, wait a few seconds