The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/ec in Spring 2018 as the primary law regulating how companies protect EU citizens’ personal data. Companies that are already in compliance with the Directive must ensure that they’re compliant with the new requirements of the GDPR before it becomes effective on May 25, 2018. Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines.

GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations.

10 steps to GDPR compliance: How prepared are you?

1. Learn about what’s coming
If you’re reading this, you’re probably familiar with the GDPR. But according to our GDPR Report, published in July 2017, only 66% of senior management have been briefed on the Regulation.

Senior management will have a big say on how their organisation prepares for the Regulation, so it’s paramount that they know what’s coming, what they need to do and the risks of failing to comply. Everyone else in the organisation responsible for regulatory compliance and data processing will also need to understand their obligations.

2. Become accountable

The Regulation includes provisions that promote accountability, so the DPC advises organisations to make an inventory of all the personal data they hold and examine it under the following questions:

  • Why are you holding it?
  • How did you obtain it?
  • Why was it originally gathered?
  • How long will you retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Do you ever share it with third parties, and on what basis might you do so?

3.  Review personal privacy rights

Data subjects have a number of rights pertaining to the way organisations collect and hold their data. These include:

  • The right to be informed
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right to access

Most of these rights are similar to those in current data protection laws, but there are some significant changes. It’s important to familiarise yourself with those changes and plan accordingly.

4. Communicate with staff and service users

You’re not the only one who needs to know about data subjects’ rights. When collecting personal data from staff, clients or service users, you need to inform them of their rights.

5. Learn about legal grounds

Organisations need to prove that they have a legal ground to process data. Most organisations currently use consent by default, but the GDPR toughens the rules for getting and keeping consent.

There are five other lawful grounds for processing data:

  • A contract with the individual
  • Compliance with a legal obligation
  • Vital interests
  • A public task
  • Legitimate interests

Organisations should learn when these grounds can be sought and adjust their data collection policies appropriately.

6. Change your consent requests

There will be times when consent is the most appropriate lawful ground, so you need to know how it must be sought. The GDPR lists specific requirements for lawful consent requests.

7. Research child consent policies

The GDPR states that children cannot give lawful consent because they “may be less aware of the risks, consequences and safeguards” of sharing data. The default age at which someone is no longer considered a child is 16, but the Regulation allows member states to adjust that limit to anywhere between 13 and 16.

For example, the UK, the Republic of Ireland and Spain are expected to set the age at 13, Germany and the Netherlands will stick with 16 and Austria is opting for 14.

Data controllers must know the age of consent in particular countries and avoid seeking consent from anyone under that age.

8. Appoint a data protection officer

The GDPR states that a data protection officer (DPO) should oversee an organisation’s data protection strategies and compliance programme.

Although only certain organisations need to appoint a DPO, the Article 29 Working Party recommends that all organisations appoint one as a matter of good practice.

9. Plan for data breaches

One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of discovery, and provide them with as much detail as possible.

10. Adopt a privacy-by-design approach

Organisations should adopt a privacy-by-design approach to data protection. To do this, they will need to conduct a data protection impact assessment (DPIA) before undertaking new projects or initiatives.

DPIAs help organisations see how changes to the business will affect people’s privacy, and their results can be used to anticipate and mitigate problems well in advance.

Get help preparing for the GDPR

If you want to find out more about preparing for the GDPR, you should take a look at our GDPR webinar series. Each presentation covers a different aspect of the Regulation, such as data flow mapping, risk assessments and data protection by design.

We are running our First Steps to GDPR compliance webinar a number of times over the next few months. The presentation explains the basics of the Regulation and what you need to do before the compliance deadline.


All organizations, including small to medium-sized companies and large enterprises, must be aware of all GDPR requirements and be prepared to comply by May 2018. By beginning to implement data protection policies and solutions now, companies will be in a much better position to achieve GDPR compliance when it takes effect. For many of these companies, the first step in complying with GDPR is to designate a data protection officer to build a data protection program that meets the GDPR requirements.

The General Data Protection Regulation not only applies to businesses in the EU; all businesses marketing services or goods to EU citizens should be preparing to comply with GDPR as well. By complying with GDPR requirements, businesses will benefit from avoiding costly penalties while improving customer data protection and trust.


In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. SAs have more authority than in the previous legislation because the GDPR sets a standard across the EU for all companies that handle EU citizens’ personal data. SAs hold investigative and corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Data controllers and processors are subject to the SAs’ powers and penalties.

The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined based on the circumstances of each case and the SA may choose whether to impose their corrective powers with or without fines. For companies that fail to comply with certain GDPR requirements, fines may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.

How do the regulations seek to protect consumers?

Basically, GDPR protects user data in just about every conceivable way. The GDPR operates with an understanding that data collection and processing provides the basic engine that most businesses run on, but it unapologetically strives to protect that data every step of the way while giving the consumer ultimate control over what happens to it.

In order to be GDPR-compliant, a company must not only handle consumer data carefully but also provide consumers with myriad ways to control, monitor, check and, if desired, delete any information pertaining to them that they want.

Companies that wish to stay in compliance must implement processes (and in many cases, add personnel) to ensure that when data is handled, it remains protected. To comply with this requirement, GDPR promotes pseudonymization, anonymization and encryption.

Anonymization is the encryption or removal of identifiable information so that it can never be tied back to a user. Pseudonymization is somewhere between identified and anonymous. With pseudonymization, the data components are anonymized and separated but can be put back together. For example, a system might assign a user one identifier for location and another for browser that can only be tied back to the user if it is put together with their date of birth, which is kept separately. The regulation promotes pseudonymization over anonymization.

According to GDPR, companies must ensure that customers have control over their data by including safeguards to protect their rights. At its core, the protections have to do with processes and communications that are clear and concise and are done with the explicit and affirmative consent of the data subjects.

How do the regulations seek to protect consumers?
Broad jurisdiction. The GDPR applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides.

Strong penalties. Breaches can cost companies up 20 million Euros or up to 4 percent of their annual global turnover. Some infractions are less expensive but still represent a significant penalty.

Simplified and strengthened consent from data subjects. Consent must be given in an easy-to-understand, accessible form, with a clear written purpose for the user to sign off on, and there must be an easy way for the user to reverse consent.

Mandatory breach notification. Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported within 72 hours of its discovery. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.

A reiteration of important consumer rights. This includes the data subject’s right to get copies of their data and information on how it’s being used and the right to be forgotten, also known as Data Erasure. Additionally, it will also allow customers to move their data from one service provider to another.

Better systems. In order to comply with the core foundation of “privacy by design,” GDPR requires processes to be built with data protection in mind, rather than treated as an afterthought.

Specific protection for children. Since kids are generally more vulnerable and less aware of risks, GDPR includes guidance that includes parental consent for children up to age 16.

Which GDPR requirements will affect my company?

The GDPR requirements will force U.S. companies to change the way they process, store, and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.

That last item is also known as the right to be forgotten. There are some exceptions. For example, GDPR does not supersede any legal requirement that an organization maintain certain data. This would include HIPAA health record requirements.

Several requirements will directly affect security teams. One is that companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” is not well defined.

What could be a challenging requirement is that companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected. Another requirement, performing impact assessments, is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.

What happens if my company is not in compliance with the GDPR?

The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. According to a report from Ovum, 52 percent of companies believe they will be fined for non-compliance. Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year.

If your organization is not in compliance by the May 25 deadline, it will not be alone. Estimates vary, but the consensus is that about half of the U.S. companies that should be compliant will not be on all requirements. According to a survey by Solix Technologies released in December, 22 percent of companies were still unaware that they must comply with GDPR. Thirty-eight percent said that the personal data they process is not protected from misuse and unauthorized access at every stage of its life cycle.

One particularly difficult requirement will be the right to be forgotten, described below. Nearly two-thirds (66 percent) of the Solix survey respondents say they are unsure if they can purge an individual’s personal information forever by deadline.

That leaves a lot of organizations vulnerable to fines. The big unanswered question is how penalties will be assessed. For example, how will fines differ for a breach that has minimal impact on individuals versus one where their exposed PII results in actual damage? The consensus is that the regulators will quickly act on a few companies found to be not in compliance early on to send a message. Then, organizations can make a better assessment of what to expect in the event of a non-compliance finding.

Who within my company will be responsible for compliance?

The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.

Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner.

The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities such as law enforcement may be exempt from the DPO requirement.

Which companies does the GDPR affect?

Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:

  • A presence in an EU country.
  • No presence in the EU, but it processes personal data of European residents.
  • More than 250 employees.
  • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies. A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.