
    Life After GDPR: 10 steps Ciklum Took to Become Compliant

    Published by Gbaf News

    Posted on November 21, 2019


    Last updated: January 21, 2026


    by Dmytro Zelman, Head of Information Security and Privacy, Ciklum

    The European Union’s General Data Protection Regulation (GDPR) went into effect throughout Europe on May 25, 2018. Superseding a similar regulation enacted in 1995, GDPR offers EU citizens a greater amount of freedom and control over the use of their personal electronic data and unifies data collection requirements for businesses.

    GDPR is based on seven key principles:

    • Lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimization
    • Accuracy
    • Storage limitation
    • Integrity and confidentiality (security)
    • Accountability

    Ensuring compliance with GDPR isn’t just the law — it’s good practice. Though some of the requirements may seem expensive, time-consuming or burdensome, the end result offers users far more flexibility and transparency regarding how their data is handled.

    Because of GDPR, businesses like Ciklum across the world were forced to rethink and restructure many of their data collection policies in order to become compliant. Though many of our existing practices already focused on privacy and security, GDPR allowed Ciklum to take a deeper look at our data collection policies and determine the best ways to become GDPR compliant. We’d like to share those steps with you to offer a greater understanding of our approach to GDPR compliance.

    Here are 10 steps Ciklum took to become compliant with GDPR:

    Step 1: Increase awareness.

    First and foremost, companies need to be aware of the impact GDPR has on their business.

    From the top of the organization down, starting with the Executive Board and Leadership teams, Ciklum made sure that every single one of our employees understood the changes to our processes that GDPR would require. Ciklum used a risk-based approach to address any area identified as having potential issues with compliance.

    Step 2: Know the data.

    One of GDPR’s key data protection principles is accountability. Not only are companies responsible for complying with GDPR, but they must also carry out technical and organizational measures that can demonstrate compliance.

    To establish effective and demonstrable data policies and procedures, Ciklum has made data discovery and mapping a key element in understanding how data is acquired, accessed, transferred and stored.

    Step 3: Communicate privacy information.

    Privacy policies must be reviewed and revised in accordance with GDPR.

    Ciklum’s updated Privacy Policy clearly explains how information is gathered, the lawful basis for its use and how long data can remain in our system. We use clear, plain text information regarding data subject rights to ensure users have an accurate and easy-to-understand picture of their privacy rights and understand how we’re collecting and utilizing their data.

    Step 4: Fulfill individual rights.

    One of GDPR’s key elements entitles users to several individual rights:

    1. The right to be informed
    2. The right of access
    3. The right to rectification
    4. The right to erasure (also known as the right to be forgotten)
    5. The right to restrict processing
    6. The right to data portability
    7. The right to object
    8. Rights in relation to automated decision making and profiling

    To be compliant with these rights, Ciklum adjusted its procedures, processes and internal systems to ensure users can delete personal data on request and to provide user data electronically in a commonly used format free of charge.

    Step 5: Identify lawful basis for processing.

    GDPR laws require that personal data is processed lawfully, fairly and transparently.

    We’ve enacted the process of identifying and documenting data on a lawful basis. To ensure accountability, Ciklum has updated the Privacy Policies and data processing agreements for our clients and vendors and notified all parties of any changes.

    Step 6: Consider consent.

    User consent offers individuals choice and control over how their data is used, and the GDPR sets a high standard for how consent can be requested.

    Ciklum reviewed our process of gathering, recording and managing individual consent. For instances where individual data may be processed, we provided users with positive opt-in and simple withdrawal options.

    Step 7: Deal with data breaches.

    Personal data breaches are taken very seriously under the GDPR. Within 72 hours of the discovery of a data breach, companies must carry out a thorough organization, inform both regulators and impacted individuals of the data breach, identify what personal data was impacted and draft a comprehensive plan to contain the breach.

    Ciklum is committed to data security, and we have taken great steps to prevent unauthorized access to user data. We have implemented procedures to detect, report and investigate in the event of a breach of personal data. Any data breach that poses a risk to individual rights and freedoms will be reported to our customers and the appropriate data protection authorities.

    Step 8: Incorporate data privacy by design and data protection.

    Under the data protection by design and default provision of GDPR, every step of an organization’s data processing activities and business practices must incorporate data protection and privacy. Additionally, under certain circumstances, processes known as Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) are required to be carried out for any major project that requires the processing of private or personal data.

    In our application development, architecture and design, Ciklum has always considered security and privacy an essential practice by default. To address the requirements of data privacy by design and default, Ciklum established a framework to assess situations where PIAs and DPIAs are required to be conducted, and we have assigned responsibilities to appropriate parties for carrying them out.

    Step 9: Designate a data protection officer.

    For public authorities or bodies, or for organizations whose core activities require large-scale monitoring or processing of individual data, the GDPR requires the appointment of a Data Protection Officer (DPO).

    Under this requirement, Ciklum has appointed a designated Data Protection Officer under our organization’s structure and governance. Responsibilities for data protection compliance have also been assigned to people within our organization with relevant knowledge, who have received support and authority to carry out their rules.

    Step 10: International

    The transfer of personal data outside of the European Union is restricted under the GDPR, no matter the transfer’s size or frequency. International transfer of personal data risks losing the protections offered by the GDPR.

    Because Ciklum is a global organization that conducts cross-border transfers, we’ve taken care to determine a lead data protection supervisory authority to prevent international data transmission.
