Compliance consulting

Ensure data protection compliance


The key challenges associated with ensuring personal data protection compliance are designing an appropriate personal data management process and establishing accountability for such a process.

As part of our range of consultancy services, we work with you to implement the relevant technical and organizational measures and propose good practices of personal data protection to facilitate compliance. You can rely on our expertise and experience in law, information security, compliance and quality business performance for a holistic view of data protection compliance.


  • Overview of data filing systems
  • Identification of risks
  • Personal data protection
  • Implementation of personal data protection measures
  • Processing of personal data
  • Verification of data management compliance
  • Regular audits of outsourced processors
  • Resolving issues of non-compliance
  • Preventing recurrence of non-action and improving protection


Consulting to ensure regulatory compliance of personal data protection, primarily with regard to EU Regulation No. 2016/679 (General Data Protection Regulation, or GDPR), is carried out in several phases.

Overview of personal data

The first step is to get a clear overview of the personal data you manage or process. You need to establish, for example, what data you provide to outsourced processors such as Mikrocop, what data is transferred to third countries, what special category data you store, and how you protect such data.

Gap analysis

The aim of a gap analysis is to verify the data processing described in your protocols and internal regulations, identify the processes that contain personal data and specific types of data, and assess the gap between the current situation and that required by the regulations. The gap analysis output is a list of all processing activities, the anticipated scope of activities, estimates of the time needed to establish data processing records, prepare or amend identification plans, and prepare impact assessments.

Records of personal data processing activities

The next step is to establish records of personal data processing activities. Based on the gap analysis and process list, we review the amendments to the said processes required by the GDPR (unlike the Slovenian Personal Data Protection Act (ZVOP-1)), management of the databases necessary to perform data processing, and the properties of established integrations.

Classification plan

If necessary, we then draw up or amend a classification plan. Every instance of personal data processing must be justified, and data storage periods must be defined in the classification plan. We carefully review all storage periods and define the start and duration of storage periods for all types of processing. If you do not have a classification plan or if it is incomplete, we can advise you on drafting or amending the plan to achieve compliance.

Internal rules

If it is established that modification of the classification plan might also require amendments to the internal rules, we will also prepare or amend such rules. The latter applies if your internal rules have been confirmed by the Archive of the Republic of Slovenia.

Collaboration with external data processors

Working closely with you, we will verify the reliability of your external data processors and assess whether the existing agreements with these sub-processors need to be revised. It is normally necessary to specify the contents and duration of processing, the nature and purpose of processing, the types of personal data processed, the categories of data subjects, and the rights and obligations of the processor.

Ensure data protection compliance



Our team of consultants combines expertise in law, information security, compliance and quality business performance.


We will continue to work with you as your external DPO after ensuring initial compliance which is an ongoing process rather than a one-off adjustment.


We use industry-proven and highly effective methodological approaches to help you get where you want to be.


In harmonizing the personal data protection, a gap analysis was carried out. We effectively closed any gaps identified in the analysis, thereby ensuring prompt compliance with the GDPR and utilizing the harmonization process to outline the starting points for digitization.

Boris Šušmak, Luka Koper


What is personal data?

Personal data means any information relating to an identified or identifiable individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

What are the core principles of personal data protection?

  1. Lawfulness, fairness and transparency of processing of personal data
  2. Limiting the purpose of processing personal data
  3. Minimum amount of data – adequate, relevant and limited to what is necessary for the purpose of processing
  4. Data accuracy, completeness and currency
  5. Limiting data to be stored in a form that permits identification for only as long as is necessary
  6. Security, integrity and confidentiality of personal data – protection against unauthorized or unlawful processing, accidental loss, destruction or damage to the personal data using appropriate technical and organizational measures
  7. Responsibility of the controller and outsourced processor of personal data to ensure compliance with the regulation

What are the legal grounds for collecting, managing, processing and storing personal data?

What rights does an individual have?

  • Right to erasure
  • Right to restriction of processing
  • Right to object
  • Right to transfer data
  • Right to withdraw consent

When can an individual request to exercise the right to be forgotten?

  • An individual may withdraw the consent on which the processing is based and for which there are no other legal grounds for processing
  • An individual may object to the legitimate interest of the processing
  • Personal data have been collected in relation to the provision of information society services directly to a child

Where can personal data be found?

  • In documents and metadata
  • In IT systems
  • In databases
  • In customer support systems
  • In process improvement tools
  • In shared folders
  • In cloud storage…

What are the responsibilities and liabilities of a personal data controller?

  • Protecting the rights of individuals
  • Implementing appropriate measures and policies for the protection of personal data
  • Ensuring the legality and security of personal data processing
  • Selecting suitable personal data protection

What are impact assessments and when are they necessary?

Impact assessments are essential for the processing of specific personal data and are advisable for all other processing incidences where the type of processing may pose a significant risk to the rights and freedoms of individuals. Impact assessments cover:

  • a systematic description of the anticipated processing and the purpose thereof, and, where appropriate, the lawful interests pursued by the processor,
  • an assessment of the necessity and proportionality of processing operations with respect to the purpose thereof,
  • an assessment of the risks to the rights and freedoms of data subjects,
  • measures to address risks (including safeguards) security measures, and mechanisms to ensure the protection of personal data and demonstrate compliance.

Do you want to
ensure compliance?

Contact us