The General Data Protection Regulation (GDPR), the European Union’s landmark data privacy law, took effect in 2018. Yet many organizations still struggle to meet compliance requirements, and EU data protection authorities do not hesitate to hand out penalties.

Even the world’s biggest businesses are not free from GDPR woes. Irish regulators hit Meta with a EUR 1.2 billion fine in 2023. Italian authorities are investigating OpenAI for suspected violations, even going so far as to ban ChatGPT briefly.

Many businesses find it hard to implement GDPR requirements because the law is not only complex but also leaves a lot up to discretion. The GDPR puts forth a litany of rules for how organizations in and outside of Europe handle the personal data of EU residents. However, it gives businesses some leeway in how they enact those rules.

The details of any organization’s plan to become fully GDPR compliant will vary based on the data the organization collects and what it does with that data. That said, there are some core steps that all companies can take when implementing the GDPR: 

• Inventory personal data
• Identify and protect special category data 
• Audit data processing activities
• Update user consent forms  
• Create a recordkeeping system
• Designate compliance leads
• Draft a data privacy policy
• Ensure third-party partners are compliant
• Build a process for data protection impact assessments
• Implement a data breach response plan
• Make it easy for data subjects to exercise their rights
• Deploy information security measures

Do I need to implement GDPR? 

The GDPR applies to any organization that processes the personal data of European residents, regardless of where that organization is based. Given the interconnected and international nature of the digital economy, that includes many—maybe even most—businesses today. Even organizations that don’t fall under the GDPR’s purview may adopt its requirements to strengthen data protections.

More specifically, the GDPR applies to all data controllersand data processors based in the European Economic Area (EEA). The EEA includes all 27 EU member states plus Iceland, Liechtenstein, and Norway. 

A data controller is any organization, group, or person that collects personal data and determines how it is used. Think: an online retailer that stores customers’ email addresses to send order updates.

A data processor is any organization or group that conducts data processing activities. The GDPR broadly defines “processing” as any action performed on data: storing it, analyzing it, altering it, and so on. Processors include third parties that process personal data on a controller’s behalf, like a marketing firm that analyzes user data to help a business understand key customer demographics.

The GDPR also applies to controllers and processors that are located outside the EEA if they meet at least one of the following conditions: 

• The company regularly offers goods and services to EEA residents, even if no money changes hands.
• The company regularly monitors the activity of EEA residents, such as by using tracking cookies. 
• The company processes personal data on behalf of controllers in the EEA. 
• The company has employees in the EEA.

There are a few more things worth noting about the GDPR’s scope. First, it is only concerned with the personal data of natural persons, also called data subjects in GDPR parlance. A natural person is a living human being. The GDPR does not protect the data of legal persons, like corporations, or the deceased.

Second, a person does not need to be an EU citizen to have GDPR protections. They merely need to be a formal resident of the EEA.

Finally, the GDPR applies to the processing of personal data for virtually any reason: commercial, academic, governmental, and otherwise. Businesses, hospitals, schools, and public authorities are all subject to the GDPR. The only processing operations exempt from the GDPR are national security and law enforcement activities and purely personal uses of data.

GDPR implementation steps 

There is no such thing as a one-size-fits-all GDPR compliance plan, but there are some foundational practices that organizations can use to guide GDPR implementation efforts.

For a list of the key GDPR requirements, see the GDPR compliance checklist. 

Inventory personal data  

While the GDPR does not explicitly require a data inventory, many organizations start here for two reasons. First, knowing what data the company has and how it is processed helps the organization better understand its compliance burdens. For example, a business that collects user health data needs stronger protections than one that collects only email addresses.

Second, a comprehensive inventory makes it easier to comply with user requests to share, update, or delete their data. 

A data inventory can record details like:

• Types of data collected (usernames, browsing data)
• Data populations (customers, employees, students)
• How data is collected (event registrations, landing pages)
• Where data is stored (on-premises servers, cloud services)
• The purpose of data collection (marketing campaigns, behavioral analysis)
• How data is processed (automated scoring, aggregation)
• Who has access to data (employees, vendors)
• Existing safeguards (encryption, multi-factor authentication) 

It can be difficult to track down personal data that is scattered throughout the organization’s network in various workflows, databases, endpoints, and even shadow IT assets. To make data inventories more manageable, organizations can consider using data protection solutions that automatically discover and classify data. 

Learn how IBM Guardium® Data Protection automatically discovers, classifies, and protects sensitive data across major repositories like AWS, DBaaS, and on-premises mainframes.

Identify and protect special category data 

When inventorying data, organizations should make a note of any especially sensitive data that requires extra protection. The GDPR mandates added precautions for three kinds of data in particular: special category data, criminal conviction data, and children’s data.  

• Special category data includes biometrics, health records, race, ethnicity, and other highly personal information. Organizations usually need a user’s explicit consent to process special category data. 

• Criminal conviction data can only be controlled by public authorities and processed at their direction. 

• Children’s data cannot be processed without parental consent, and organizations need mechanisms to verify the ages of data subjects and the identities of their parents. Each EEA state sets its own definition of “child” under the GDPR. Cut-offs range from under 13 to under 16 years old. Companies must be prepared to comply with these varying definitions. 

Audit data processing activities 

During the data inventory, organizations record any processing operations the data undergoes. Then, organizations must ensure that these operations comply with GDPR processing rules. Some of the most important GDPR principles include the following:

• All processing must have an established legal basis: Data processing is only acceptable if the organization has an approved legal basis for that processing. Common legal bases include obtaining user consent, processing data to execute a contract with the user, and processing data for the public interest. Organizations must document the legal basis for every processing operation before beginning.

For a full list of approved legal bases, see the GDPR compliance page.

• Purpose limitation: Data should be collected and used for a specifically defined purpose. 

• Data minimization: Organizations should collect the minimum amount of data necessary for their specified purpose. 

• Accuracy: Organizations should ensure that the data they collect is correct and current. 

• Storage limitation: Organizations should securely dispose of data as soon as its purpose is fulfilled. 

For a complete list of GDPR processing principles, see the GDPR compliance checklist.

Update user consent forms  

User consent is a common legal basis for processing. However, consent is only valid under the GDPR if it is informed, affirmative, and freely given. Organizations may need to update consent forms to meet these requirements.

• To ensure that consent is informed, the organization should clearly explain what it collects and how it will use that data at the point of data collection.

• To ensure that consent is affirmative, organizations should adopt an opt-in approach, where users must actively check a box or sign a statement to signal consent. Consents cannot be bundled, either. Users must agree to each processing activity individually.  

• To ensure that consent is free, organizations can only require consent for data processing activities that are genuinely integral to a service. In other words, a business cannot force users to disclose their political opinions to buy a t-shirt. Users must be able to revoke consent at any time.  

Create a recordkeeping system 

Organizations with more than 250 employees, and companies of any size that regularly process data or handle high-risk data, must keep written electronic records of their processing activities. 

However, all organizations may want to keep such records. Not only does this help track privacy and security efforts, but it can also demonstrate compliance if an audit or breach occurs. Companies can lessen or avoid penalties if they can prove that they made a good-faith effort to comply.  

Data controllers may want to keep particularly robust records, as the GDPR holds them accountable for the compliance of their partners and vendors. 

Designate GDPR compliance leads  

All public authorities and any organizations that regularly process special category data or monitor subjects on a large scale must appoint a data protection officer (DPO). A DPO is an independent corporate officer in charge of GDPR compliance. Common responsibilities include overseeing risk assessments, training employees on data protection principles, and working with government authorities.

While only some organizations are required to appoint DPOs, all may want to consider doing so. Having a designated GDPR compliance lead can help streamline implementation.

DPOs can be employees of a business or external consultants who offer their services on contract. DPOs must report directly to the highest level of management. The company cannot retaliate against a DPO for doing their duties. 

Organizations outside the EEA must appoint a representative within the EEA if they regularly process the data of EEA residents or handle highly sensitive data. The EEA representative’s main duty is coordinating with data protection authorities on the company’s behalf during investigations. The representative can be an employee, an affiliated company, or a hired service. 

The DPO and the EEA representative are different roles with different responsibilities. Notably, the representative acts at the organization’s direction, while the DPO must be an independent officer. An organization cannot appoint one party to serve as both DPO and EEA representative.

If an organization operates in multiple EEA states, it must identify a lead supervisory authority. The lead supervisory authority is the main data protection authority (DPA) overseeing GDPR compliance for that company throughout Europe. 

Typically, the lead supervisory authority is the DPA in the member state where the organization has its headquarters or conducts its core processing activities. 

Draft a data privacy policy 

The GDPR requires that organizations keep people informed about how they use their data. Companies can meet this requirement by drafting privacy policies that clearly describe their processing operations, including what the company collects, retention and deletion policies, user rights, and other relevant details.

Privacy policies should use plain language that anyone can understand. Hiding important information behind dense jargon can violate the GDPR. Organizations can ensure that users see their policies by sharing privacy notices at the point of data collection. Organizations can also host their privacy policies on public, easy-to-find pages on their websites. 

Ensure third-party partners are compliant 

Controllers are ultimately responsible for the personal data that they collect, including how their processors, vendors, and other third parties use it. If partners are noncompliant, controllers can be penalized. 

Organizations should review their contracts with any third parties who have access to their data. These contracts should clearly spell out the rights and responsibilities of all parties with respect to the GDPR in a legally binding way.

If an organization works with processors outside the EEA, those processors still need to meet GDPR requirements. In fact, data transfers outside the EEA are subject to strict standards. Controllers in the EEA can only share data with processors outside the EEA if one of the following criteria is met:

• The European Commission has deemed the country’s privacy laws adequate
• The European Commission has deemed the processor to have sufficient data protections
• The controller has taken steps to ensure that the data is protected

One way to ensure that all partnerships and data transfers comply with the GDPR is to use standard contractual clauses. These prewritten clauses are preapproved by the European Commission and freely available for any organization to use. Inserting these clauses into a contract makes it GDPR compliant, provided each party abides by them. For more information on standard contractual clauses, see the European Commission website (link resides outside ibm.com).

Build a process for data protection impact assessments

The GDPR requires organizations to conduct data protection impact assessments (DPIAs) before any high-risk processing. While the GDPR offers a few examples—using new technologies, large-scale processing of sensitive data—it does not exhaustively list every high-risk activity.

Organizations may consider conducting a DPIA before any new processing operation to be safe. Others may use a simplified pre-screening to determine whether the risk is high enough to warrant a DPIA.

At a minimum, a DPIA must describe the processing and its purpose, assess the necessity of the processing, evaluate risks to data subjects, and identify mitigation measures. If the risk remains high after mitigation, the organization must consult with a data protection authority before moving forward. 

Learn how IBM Guardium® Insights can help streamline compliance reporting with preconfigured workflows for GDPR, CCPA, and other key regulations.

Implement a data breach response plan 

Organizations must report most personal data breaches to a supervisory authority within 72 hours. If the breach poses a risk to data subjects, such as identity theft, the company must also notify the subjects. Notifications must be sent directly to victims unless doing so would be infeasible. In that case, public notice is sufficient.

Organizations need effective incident response plans that swiftly identify ongoing breaches, eradicate threats, and notify authorities. Incident response plans should include tools and tactics to recover systems and restore information security. The faster an organization regains control, the less likely it is to suffer serious regulatory action.

Organizations can also take this opportunity to strengthen data security measures. If a breach is unlikely to harm users—for example, if the stolen data is so heavily encrypted that hackers can’t use it—the company does not need to notify data subjects. This can help avoid the reputation and revenue damage that can follow a data breach.

Make it easy for data subjects to exercise their rights 

The GDPR grants data subjects rights over how organizations use their data. For example, the right of rectification lets users correct inaccurate or outdated data. The right to erasure lets users have their data deleted.

Generally speaking, organizations must comply with data subjects’ requests within 30 days. To make requests more manageable, organizations can build self-service portals where subjects can access their data, make changes, and restrict its use. Portals should include a way to verify subjects’ identities. The GDPR puts the burden on organizations to verify that requesters are who they say they are.

Automated decisions and profiling 

Data subjects have special rights regarding automated processing. Specifically, organizations cannot use automation to make significant decisions without a user’s consent. Users have the right to contest automated decisions and request that a human review the decision. 

Organizations can use self-service portals to give data subjects a way to contest automated decisions. Companies must also be prepared to appoint human reviewers as needed. 

Data portability 

Data subjects have the right to transfer their data anywhere they want, and organizations must facilitate those transfers. 

In addition to making it easy for users to request transfers, organizations should store data in a shareable format. Using proprietary formats can make transfers difficult and impede users’ rights. 

For a full list of data subject rights, see the GDPR compliance page.

Deploy information security measures

The GDPR requires that organizations use reasonable data protection measures to close system vulnerabilities and prevent unauthorized access or illegal use. The GDPR doesn’t mandate specific measures, but it does state that organizations need both technical and organizational controls.

Technical security controls include software, hardware, and other technology tools, like SIEMs and data loss prevention solutions. GDPR heavily encourages encryption and pseudonymization, so organizations may want to implement these controls in particular. 

Organizational measures include processes like training employees on GDPR rules and implementing formal data governance policies. 

The GDPR also directs companies to adopt the principle of data protection by design and by default. “By design” means that companies should build data privacy into systems and processes from the start. “By default” means that the default setting for any system should be the one that maintains the most user privacy. 

Learn how IBM data security and protection solutions secure data across hybrid clouds and simplify compliance requirements.

Why GDPR compliance matters 

Any organization that wants to operate in the European Economic Area (EEA) must comply with the GPDR. Noncompliance can have serious consequences. The most significant violations can result in fines of up to EUR 20,000,000 or 4% of the organization’s worldwide revenue in the previous year, whichever is higher.

But data compliance isn’t just about avoiding consequences. It has benefits, too. Aside from the fact that GDPR compliance lets organizations access one of the world’s largest markets, GDPR principles can significantly strengthen data security measures. Organizations can stop more data breaches before they happen, avoiding an average cost of USD 4.45 million per breach.

GDPR compliance can also boost a business’s reputation and build trust with consumers. People generally prefer to do business with organizations that meaningfully protect customer data.

The GDPR has inspired similar data protection laws in other regions, including the California Consumer Privacy Act and India’s Digital Personal Data Protection Act. The GDPR is often considered one of the strictest of these laws, so complying with it can position organizations to comply with other regulations as well.

Finally, if a company does run afoul of the GDPR, demonstrating some level of compliance can help soften the repercussions. Regulatory bodies weigh factors like existing cybersecurity controls and cooperation with supervisory authorities when determining penalties.