The General Data Protection Regulation (GDPR), the European Union’s landmark data privacy law, took effect in 2018. Yet many organizations still struggle to meet compliance requirements, and EU data protection authorities do not hesitate to hand out penalties. Even the world’s biggest businesses are not free from GDPR woes. Irish regulators hit Meta with a EUR 1.2 billion fine in 2023. Italian authorities are investigating OpenAI for suspected violations, even going so far as to ban ChatGPT briefly.

Many businesses find it hard to implement GDPR requirements because the law is not only complex but also leaves a lot up to discretion. The GDPR puts forth a litany of rules for how organizations in and outside of Europe handle the personal data of EU residents. However, it gives businesses some leeway in how they enact those rules. The details of any organization’s plan to become fully GDPR compliant will vary based on the data the organization collects and what it does with that data. That said, there are some core steps that all companies can take when implementing the GDPR:
- Inventory personal data
- Identify and protect special category data
- Audit data processing activities
- Update user consent forms
- Create a recordkeeping system
- Designate compliance leads
- Draft a data privacy policy
- Ensure third-party partners are compliant
- Build a process for data protection impact assessments
- Implement a data breach response plan
- Make it easy for data subjects to exercise their rights
- Deploy information security measures
Do I need to implement GDPR?
The GDPR applies to any organization that processes the personal data of European residents, regardless of where that organization is based. Given the interconnected and international nature of the digital economy, that includes many, maybe even most, businesses today. Even organizations that don’t fall under the GDPR’s purview may adopt its requirements to strengthen data protections.

More specifically, the GDPR applies to all data controllers and data processors based in the European Economic Area (EEA). The EEA includes all 27 EU member states plus Iceland, Liechtenstein, and Norway.

A data controller is any organization, group, or person that collects personal data and determines how it is used. Think: an online retailer that stores customers’ email addresses to send order updates.

A data processor is any organization or group that conducts data processing activities. The GDPR broadly defines “processing” as any action performed on data: storing it, analyzing it, altering it, and so on. Processors include third parties that process personal data on a controller’s behalf, like a marketing firm that analyzes user data to help a business understand key customer demographics.

The GDPR also applies to controllers and processors that are located outside the EEA if they meet at least one of the following conditions:
- The company regularly offers goods and services to EEA residents, even if no money changes hands.
- The company regularly monitors the activity of EEA residents, such as by using tracking cookies.
- The company processes personal data on behalf of controllers in the EEA.
- The company has employees in the EEA.
There are a few more things worth noting about the GDPR’s scope. First, it is only concerned with the personal data of natural persons, also called data subjects in GDPR parlance. A natural person is a living human being. The GDPR does not protect the data of legal persons, like corporations, or the deceased. Second, a person does not need to be an EU citizen to have GDPR protections. They need only be in the EEA when their data is collected; citizenship and nationality are irrelevant. Finally, the GDPR applies to the processing of personal data for virtually any reason: commercial, academic, governmental, and otherwise. Businesses, hospitals, schools, and public authorities are all subject to the GDPR. The main processing activities outside its scope are national security, law enforcement activities (which fall under a separate EU directive), and purely personal or household uses of data.
GDPR implementation steps
There is no such thing as a one-size-fits-all GDPR compliance plan, but there are some foundational practices that organizations can use to guide GDPR implementation efforts. For a list of the key GDPR requirements, see the GDPR compliance checklist.
Inventory personal data
While the GDPR does not explicitly require a data inventory, many organizations start here for two reasons. First, knowing what data the company has and how it is processed helps the organization better understand its compliance burdens. For example, a business that collects user health data needs stronger protections than one that collects only email addresses. Second, a comprehensive inventory makes it easier to comply with user requests to share, update, or delete their data. A data inventory can record details like:
- Types of data collected (usernames, browsing data)
- Data populations (customers, employees, students)
- How data is collected (event registrations, landing pages)
- Where data is stored (on-premises servers, cloud services)
- The purpose of data collection (marketing campaigns, behavioral analysis)
- How data is processed (automated scoring, aggregation)
- Who has access to data (employees, vendors)
- Existing safeguards (encryption, multi-factor authentication)
It can be difficult to track down personal data that is scattered throughout the organization’s network in various workflows, databases, endpoints, and even shadow IT assets. To make data inventories more manageable, organizations can consider using data protection solutions that automatically discover and classify data.
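The discovery-and-classification step described above, as an added example that is not part of the original article and is not code from any product it mentions: a small Python scanner over constructed sample records (the store names, column names and values are invented) that detects ordinary personal data by value pattern, flags Article 9 special-category columns by name and health-related free text by keyword, and counts how many rows in each column belong to a child using the default under-16 threshold. The output is the raw material for the inventory fields listed above (type of data, where it is stored, and which data needs extra protection).

```python
import re
from datetime import date

# Constructed sample data stores standing in for a CRM export, an HR
# spreadsheet and a support-ticket dump. All names and values are invented.
STORES = {
    "crm.customers": [
        {"name": "Ana Lopez", "email": "ana@example.org", "dob": "2011-04-02",
         "notes": "asked about a refund"},
        {"name": "Jon Berg", "email": "jon.berg@example.net", "dob": "1980-09-17",
         "notes": "allergic to penicillin, prefers phone contact"},
    ],
    "hr.staff": [
        {"employee": "Mira Kahn", "work_email": "mira@example.com",
         "union_member": "yes", "phone": "+31 6 12345678"},
    ],
    "support.tickets": [
        {"ticket": "T-1", "body": "Order 44 never arrived", "contact": "+44 20 7946 0000"},
    ],
}

# Value-based detectors for ordinary personal data.
PERSONAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+\d[\d\s-]{7,}\d"),
    "date_of_birth": re.compile(r"(?:19|20)\d{2}-\d{2}-\d{2}"),
}
# Column names that on their own indicate an Article 9 special category
# (a hypothetical naming convention for the sample stores).
SPECIAL_COLUMNS = {
    "union_member": "trade-union membership",
    "religion": "religious belief",
    "ethnicity": "racial or ethnic origin",
}
# Free-text keywords that usually indicate health data in notes or tickets.
HEALTH_KEYWORDS = ("allergic", "diagnos", "medication", "wheelchair", "disab")

CHILD_AGE_LIMIT = 16   # GDPR Art. 8 default; member states may lower it to 13


def _age(dob: str, today: date):
    """Age in whole years, or None if the string is not a real date."""
    try:
        born = date.fromisoformat(dob)
    except ValueError:
        return None
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def _row_is_child(row: dict, today: date) -> bool:
    """A row belongs to a child if any column holds a date of birth under the limit."""
    for value in row.values():
        text = str(value)
        if PERSONAL_PATTERNS["date_of_birth"].fullmatch(text):
            age = _age(text, today)
            if age is not None and age < CHILD_AGE_LIMIT:
                return True
    return False


def scan(stores: dict, today: date) -> dict:
    """Map (store, column, category, is_special) -> {"rows": n, "child_rows": m}.

    'rows' counts records in that column holding the data type,
    'child_rows' how many of those records belong to a child."""
    findings: dict = {}

    def hit(store, column, category, special, is_child):
        entry = findings.setdefault((store, column, category, special),
                                    {"rows": 0, "child_rows": 0})
        entry["rows"] += 1
        entry["child_rows"] += int(is_child)

    for store, rows in stores.items():
        for row in rows:
            is_child = _row_is_child(row, today)
            for column, value in row.items():
                text = str(value)
                if column in SPECIAL_COLUMNS:
                    hit(store, column, SPECIAL_COLUMNS[column], True, is_child)
                if any(k in text.lower() for k in HEALTH_KEYWORDS):
                    hit(store, column, "health", True, is_child)
                for category, pattern in PERSONAL_PATTERNS.items():
                    if pattern.search(text):
                        hit(store, column, category, False, is_child)
    return findings


def inventory_report(findings: dict) -> list:
    """One line per finding; special-category and children's data sorted first."""
    lines = []
    ordered = sorted(findings.items(),
                     key=lambda kv: (not kv[0][3], kv[1]["child_rows"] == 0, kv[0]))
    for (store, column, category, special), n in ordered:
        flags = [f for f, on in (("SPECIAL CATEGORY", special),
                                 ("CHILD", n["child_rows"] > 0)) if on]
        lines.append(f"{store:16} {column:12} {category:24} rows={n['rows']} "
                     f"child_rows={n['child_rows']} {' '.join(flags)}")
    return lines


if __name__ == "__main__":
    print("\n".join(inventory_report(scan(STORES, date(2024, 1, 1)))))
```

The scan deliberately reports the same column more than once when it holds different kinds of data (the CRM "notes" column is free text that also carries health information), because each finding needs its own safeguards and legal basis. Names are not detected here; in practice that needs a dictionary or a named-entity model, which is exactly the gap the discovery tools mentioned above fill.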
Learn how IBM Guardium® Data Protection automatically discovers, classifies, and protects sensitive data across major repositories like AWS, DBaaS, and on-premises mainframes.
Identify and protect special category data
When inventorying data, organizations should make a note of any especially sensitive data that requires extra protection. The GDPR mandates added precautions for three kinds of data in particular: special category data, criminal conviction data, and children’s data.
Special category data, as defined in Article 9, covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and data about a person’s sex life or sexual orientation. Organizations usually need a user’s explicit consent to process special category data, although Article 9 lists a small number of other exceptions.
Criminal conviction and offence data can only be processed under the control of an official authority, or where EU or member state law specifically authorizes the processing.
Where an online service is offered directly to a child and the processing relies on consent, that consent must be given or authorized by the holder of parental responsibility, and organizations need mechanisms to verify the ages of data subjects and the identities of their parents. Each EEA state sets its own definition of “child” under the GDPR: the default cut-off is under 16, and member states may lower it to no less than under 13. Companies must be prepared to comply with these varying definitions.
Audit data processing activities
During the data inventory, organizations record any processing operations the data undergoes. Then, organizations must ensure that these operations comply with GDPR processing rules. Some of the most important GDPR principles include the following:
- All processing must have an established legal basis: Data processing is only acceptable if the organization has an approved legal basis for that processing. The GDPR recognizes six: the user’s consent, performance of a contract with the user, a legal obligation, protection of someone’s vital interests, a task carried out in the public interest, and the organization’s legitimate interests where these are not overridden by the user’s rights. Organizations must document the legal basis for every processing operation before beginning. For a full list of approved legal bases, see the GDPR compliance page.
- Purpose limitation: Data should be collected and used for a specifically defined purpose.
- Data minimization: Organizations should collect the minimum amount of data necessary for their specified purpose.
- Accuracy: Organizations should ensure that the data they collect is correct and current.
- Storage limitation: Organizations should securely dispose of data as soon as its purpose is fulfilled.
For a complete list of GDPR processing principles, see the GDPR compliance checklist.
Update user consent forms
User consent is a common legal basis for processing. However, consent is only valid under the GDPR if it is informed, affirmative, and freely given. Organizations may need to update consent forms to meet these requirements.

To ensure that consent is informed, the organization should clearly explain what it collects and how it will use that data at the point of data collection. To ensure that consent is affirmative, organizations should adopt an opt-in approach, where users must actively check a box or sign a statement to signal consent; a pre-ticked box or silence does not count. Consent cannot be bundled, either. Users must agree to each processing purpose individually. To ensure that consent is free, organizations can only make a service conditional on consent for data processing that is genuinely necessary to provide that service. In other words, a business cannot force users to disclose their political opinions to buy a t-shirt. Users must be able to revoke consent at any time, and revoking it must be as easy as giving it.
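One way to record consent so that the informed, affirmative, unbundled, freely given and revocable conditions above are enforced in code rather than left to the form designer, as an added example that is not code from the original article (the purposes, subject identifiers and notice version strings are invented): a per-subject, per-purpose ledger. Every choice is stored with the notice the user saw, a pre-ticked or unticked box never counts as consent, purposes that are necessary for the service run on the contract basis and are refused as consent items, and withdrawal is simply the latest event, so the `basis()` gate that processing code calls flips to `None` at once.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical purposes for an online shop. The value says whether the
# processing is genuinely necessary to deliver the service: if it is, the
# legal basis is the contract and the form must not ask for consent for it.
PURPOSES = {
    "order_fulfilment": True,
    "marketing_email": False,
    "behavioural_ads": False,
}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    opted_in: bool        # True only if the user actively selected this purpose
    pre_ticked: bool      # the box was on by default; such a choice is never consent
    notice_version: str   # which privacy notice text was shown, kept as evidence
    at: datetime


class ConsentLedger:
    """Append-only per-subject, per-purpose consent history."""

    def __init__(self, purposes: dict):
        self.purposes = purposes
        self.history: dict = {}   # (subject, purpose) -> [ConsentEvent, ...]

    def submit_form(self, subject: str, choices: dict, notice_version: str,
                    at: datetime) -> list:
        """Record one event per purpose from a consent form.

        choices maps purpose -> (opted_in, pre_ticked); one entry per purpose
        is what makes bundling impossible. Returns the purposes for which this
        submission does NOT establish valid consent."""
        rejected = []
        for purpose, (opted_in, pre_ticked) in choices.items():
            if purpose not in self.purposes:
                raise ValueError(f"unknown purpose {purpose!r}")
            if self.purposes[purpose]:
                raise ValueError(f"{purpose!r} is necessary for the service; "
                                 "use the contract basis, do not ask for consent")
            event = ConsentEvent(purpose, opted_in, pre_ticked, notice_version, at)
            self.history.setdefault((subject, purpose), []).append(event)
            if pre_ticked or not opted_in:
                rejected.append(purpose)
        return rejected

    def withdraw(self, subject: str, purpose: str, at: datetime) -> None:
        """Withdrawal is recorded as an opt-out event, so it wins immediately."""
        self.history.setdefault((subject, purpose), []).append(
            ConsentEvent(purpose, False, False, "withdrawal", at))

    def basis(self, subject: str, purpose: str) -> Optional[str]:
        """Legal basis that currently permits processing, or None to refuse."""
        if self.purposes[purpose]:
            return "contract"
        events = self.history.get((subject, purpose))
        if not events:
            return None
        latest = events[-1]
        if latest.opted_in and not latest.pre_ticked:
            return "consent"
        return None


if __name__ == "__main__":
    ledger = ConsentLedger(PURPOSES)
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    print(ledger.submit_form("subject-1", {"marketing_email": (True, False),
                                           "behavioural_ads": (True, True)},
                             "notice-v3", now))
    print(ledger.basis("subject-1", "marketing_email"))
    ledger.withdraw("subject-1", "marketing_email", now)
    print(ledger.basis("subject-1", "marketing_email"))
```

Processing jobs should call `basis()` at run time rather than caching the answer, because a withdrawal recorded a minute ago must stop the next marketing send. The stored `notice_version` is what lets the organization later show which text the user was informed by when the consent was given.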
Create a recordkeeping system
Organizations with more than 250 employees, and companies of any size that regularly process data or handle high-risk data, must keep written electronic records of their processing activities. However, all organizations…